Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Getting a pre-signed URL to download an object

Written by
Improved by
Updated at March 17, 2026

If you have a bucket, its objects are always available even with no website hosting configured. You can get a link by following this guide or generate one yourself. Learn more about the link format here.

If you have a bucket with restricted access, Object Storage enables you to generate a pre-signed URL to an object. Anyone with this link can download the object, even from a bucket with restricted access. You can read more about pre-signed URLs, their generation, and their use here.

Note

If the bucket has an access policy in place which bans creating pre-signed URLs, you will not be able to create a link.

  1. In the management console, select a folder.
  2. Go to Object Storage.
  3. Click the name of the bucket you need.
  4. Click the object name.
  5. Click Get link in the top-right corner.
  6. For a bucket with restricted access, specify the link Lifetime in hours or days (the maximum time is 30 days).
  7. Click Get link.
  8. Copy the link.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. View the description of the CLI command to get an object pre-signed URL:

    yc storage s3 presign --help

  2. Get a list of buckets in the default folder:

    yc storage bucket list

    Result:

    +------------------+----------------------+-------------+-----------------------+---------------------+
|       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
+------------------+----------------------+-------------+-----------------------+---------------------+
| first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
+------------------+----------------------+-------------+-----------------------+---------------------+

  3. View a list of objects in the bucket by specifying its name:

    yc storage s3api list-objects \
  --bucket <bucket_name>

    Result:

    contents:
  - key: sample.txt
    last_modified: "2025-09-04T06:02:16.884Z"
    etag: '"7bd56d2f6096d582420e8a01********"'
    size: "17"
    owner:
      id: ajeol2afu1js********
      display_name: ajeol2afu1js********
    storage_class: STANDARD
name: first-bucket
max_keys: "1000"
key_count: "1"
request_id: 338862e1********

  4. Generate a pre-signed URL. You can do this either via the Yandex Cloud API on behalf of the account currently authenticated in the Yandex Cloud CLI profile, or locally on behalf of the service account, providing its static access key in the command.

    To generate a pre-signed URL to download an object on behalf of the account currently authenticated in the Yandex Cloud CLI profile, run this command:

    yc storage s3 presign \
  s3://<bucket_name>/<object_key> \
  --expires-in <link_validity> \
  --as-attachment

    Where:

    • <bucket_name>: Name of the bucket containing the object you need, e.g., first-bucket.
    • <object_key>: Object key in the bucket to generate a pre-signed URL for, e.g., sample.txt.
    • --expires-in: URL validity period in seconds.
    • --as-attachment: For a forced download of an object when opening the URL you got in a browser. This is an optional parameter. If the option is not set, when opening a URL, the browser may try to display the contents of the text object instead of downloading it.

    Result:

    https://storage.yandexcloud.net/first-bucket/sample.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=YCAJEIUp_5V5nBFDgIgh-NLc2%2F20250904%2Fru-central1%2Fs3%2Faws4_request&X-Amz-Date=20250904T063033Z&X-Amz-Expires=36000&X-Amz-Signature=d661b64566753dba1ef66b467e56db0e7f7c69581b0ddd2c8a0a7b505bc3ff61&X-Amz-SignedHeaders=host&response-content-disposition=attachment

    To generate a pre-signed URL to download an object locally on behalf of a service account, run this command:

    yc storage s3 presign \
  s3://<bucket_name>/<object_key> \
  --expires-in <link_validity> \
  --as-attachment \
  --local \
  --access-key <key_ID> \
  --secret-key <secret_key>

    Where:

    • <bucket_name>: Name of the bucket containing the object you need, e.g., first-bucket.
    • <object_key>: Object key in the bucket to generate a pre-signed URL for, e.g., sample.txt.
    • --expires-in: URL validity period in seconds.
    • --as-attachment: For a forced download of an object when opening the URL you got in a browser. This is an optional parameter. If the option is not set, when opening a URL, the browser may try to display the contents of the text object instead of downloading it.
    • --access-key: Static access key ID of the service account.
    • --secret-key: Secret key of the service account static access key.

    Result:

    https://storage.yandexcloud.net:443/first-bucket/sample.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=YCAJE98uTrKJwAtqwrHJXNh5L%2F20250904%2Fdefault%2Fs3%2Faws4_request&X-Amz-Date=20250904T072650Z&X-Amz-Expires=36000&X-Amz-SignedHeaders=host&response-content-disposition=attachment&x-id=GetObject&X-Amz-Signature=e60562ef242588eec44916ad9e97d2864b250a73f4e5a70e29bb2bd8926249b0

You can use the AWS CLI to generate a pre-signed URL for downloading an object. To do this, run this command:

aws s3 presign s3://<bucket_name>/<object_key> \
  --expires-in <link_lifetime> \
  --endpoint-url "https://storage.yandexcloud.net/"

To generate the link properly, make sure to provide the --endpoint-url parameter pointing to the Object Storage hostname. For detailed information, see this section covering the AWS CLI specifics.

The example generates a pre-signed URL for downloading object-for-share from bucket-with-objects. The URL is valid for 100 seconds.

# coding=utf-8

import boto3
from botocore.client import Config


ENDPOINT = "https://storage.yandexcloud.net"

ACCESS_KEY = "JK38EXAMP********"
SECRET_KEY = "ExamP1eSecReTKeykdo********"

session = boto3.Session(
     aws_access_key_id=ACCESS_KEY,
     aws_secret_access_key=SECRET_KEY,
     region_name="ru-central1",
)
s3 = session.client(
     "s3", endpoint_url=ENDPOINT, config=Config(signature_version="s3v4")
)

presigned_url = s3.generate_presigned_url(
     "get_object",
     Params={"Bucket": "bucket-with-objects", "Key": "object-for-share"},
     ExpiresIn=100,
)

print(presigned_url)

The example generates a pre-signed URL for downloading object-for-share from bucket-with-objects. The URL is valid for 100 seconds.

This example uses the @aws-sdk/client-s3 and @aws-sdk/s3-request-presigner libraries.

import { S3Client, GetObjectCommand } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

const S3_ENDPOINT = "https://storage.yandexcloud.net";

const ACCESS_KEY_ID = "JK38EXAMP********";
const SECRET_ACCESS_KEY = "ExamP1eSecReTKeykdo********";

const s3Client = new S3Client({
  region: "ru-central1",
  endpoint: S3_ENDPOINT,
  credentials: {
     accessKeyId: ACCESS_KEY_ID,
     secretAccessKey: SECRET_ACCESS_KEY,
  },
});

const command = new GetObjectCommand({
  Bucket: "bucket-with-objects",
  Key: "object-for-share",
});
const objectPresignedUrl = await getSignedUrl(s3Client, command, {
  expiresIn: 100,
});

console.log(objectPresignedUrl);

Note

You cannot extend the validity period of a pre-signed URL to an object in a bucket with restricted access. If the URL has expired, generate a new one.

See also

Previous
Copying objects
Next
Uploading an object using a pre-signed URL