Getting a pre-signed URL to download an object
If you have a bucket, its objects are always available even with no website hosting configured. You can get a link by following this guide or generate one yourself. Learn more about the link format here.
If you have a bucket with restricted access, Object Storage enables you to generate a pre-signed URL to an object. Anyone with this link can download the object, even from a bucket with restricted access. You can read more about pre-signed URLs, their generation, and their use here.
Note
If the bucket has an access policy in place which bans creating pre-signed URLs, you will not be able to create a link.
- In the management console, select the folder.
- Select Object Storage.
- Click the name of the bucket you need.
- Click the object name.
- Click Get link in the top-right corner.
- For a bucket with restricted access, specify the link Lifetime in hours or days (the maximum time is 30 days).
- Click Get link.
- Copy the link.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
View the description of the CLI command to get an object pre-signed URL:
yc storage s3 presign --help -
Get a list of buckets in the default folder:
yc storage bucket listResult:
+------------------+----------------------+-------------+-----------------------+---------------------+ | NAME | FOLDER ID | MAX SIZE | DEFAULT STORAGE CLASS | CREATED AT | +------------------+----------------------+-------------+-----------------------+---------------------+ | first-bucket | b1gmit33ngp6******** | 53687091200 | STANDARD | 2022-12-16 13:58:18 | +------------------+----------------------+-------------+-----------------------+---------------------+ -
View a list of objects in the bucket by specifying its name:
yc storage s3api list-objects \ --bucket <bucket_name>Result:
contents: - key: sample.txt last_modified: "2025-09-04T06:02:16.884Z" etag: '"7bd56d2f6096d582420e8a01********"' size: "17" owner: id: ajeol2afu1js******** display_name: ajeol2afu1js******** storage_class: STANDARD name: first-bucket max_keys: "1000" key_count: "1" request_id: 338862e1******** -
Generate a pre-signed URL. You can do this either via the Yandex Cloud API on behalf of the account currently authenticated in the Yandex Cloud CLI profile, or locally on behalf of the service account, providing its static access key in the command.
Using the Yandex Cloud APILocallyTo generate a pre-signed URL to download an object on behalf of the account currently authenticated in the Yandex Cloud CLI profile, run this command:
yc storage s3 presign \ s3://<bucket_name>/<object_key> \ --expires-in <link_validity> \ --as-attachmentWhere:
<bucket_name>: Name of the bucket containing the object you need, e.g.,first-bucket.<object_key>: Object key in the bucket to generate a pre-signed URL for, e.g.,sample.txt.--expires-in: URL validity period in seconds.--as-attachment: For a forced download of an object when opening the URL you got in a browser. This is an optional parameter. If the option is not set, when opening a URL, the browser may try to display the contents of the text object instead of downloading it.
Result:
https://storage.yandexcloud.net/first-bucket/sample.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=YCAJEIUp_5V5nBFDgIgh-NLc2%2F20250904%2Fru-central1%2Fs3%2Faws4_request&X-Amz-Date=20250904T063033Z&X-Amz-Expires=36000&X-Amz-Signature=d661b64566753dba1ef66b467e56db0e7f7c69581b0ddd2c8a0a7b505bc3ff61&X-Amz-SignedHeaders=host&response-content-disposition=attachmentTo generate a pre-signed URL to download an object locally on behalf of a service account, run this command:
yc storage s3 presign \ s3://<bucket_name>/<object_key> \ --expires-in <link_validity> \ --as-attachment \ --local \ --access-key <key_ID> \ --secret-key <secret_key>Where:
<bucket_name>: Name of the bucket containing the object you need, e.g.,first-bucket.<object_key>: Object key in the bucket to generate a pre-signed URL for, e.g.,sample.txt.--expires-in: URL validity period in seconds.--as-attachment: For a forced download of an object when opening the URL you got in a browser. This is an optional parameter. If the option is not set, when opening a URL, the browser may try to display the contents of the text object instead of downloading it.
--access-key: Static access key ID of the service account.--secret-key: Secret key of the service account static access key.
Result:
https://storage.yandexcloud.net:443/first-bucket/sample.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=YCAJE98uTrKJwAtqwrHJXNh5L%2F20250904%2Fdefault%2Fs3%2Faws4_request&X-Amz-Date=20250904T072650Z&X-Amz-Expires=36000&X-Amz-SignedHeaders=host&response-content-disposition=attachment&x-id=GetObject&X-Amz-Signature=e60562ef242588eec44916ad9e97d2864b250a73f4e5a70e29bb2bd8926249b0
Note
You cannot extend the validity period of a pre-signed URL to an object in a bucket with restricted access. If the URL has expired, generate a new one.