Public objects

Anonymous downloads, presigned URLs, the public URL format, and error semantics.

Public objects

A bucket is private by default: every request must be signed with the bucket's key, and anonymous requests are rejected. You can toggle a bucket to public from the dashboard, which lets anyone download an object by its direct URL. Listing the bucket is never allowed anonymously, on public or private buckets.

Public URL format

When a bucket is public, any object in it is downloadable by anyone who knows its key, using the path-style URL for the bucket's instance:

https://s3.hep.gg/<bucket>/<object-key>

For a bucket on the secondary instance, use https://ca-east-hydra-1.s3.hep.gg/<bucket>/<object-key>.

GEThttps://s3.hep.gg/<bucket>/<object-key>Public

Anonymous download of a public object.

Path

bucket

stringrequired

The bucket name. The bucket must have public visibility.

object-key

stringrequired

The full object key. The exact key must be known, there is no anonymous way to discover it.

Returns the object bytes with its stored Content-Type (200). A private bucket, or an unknown key, returns 403 or 404 respectively.

curl

curl -O https://s3.hep.gg/my-bucket/images/logo.png

Presigned URLs

For private buckets, or to share a time-limited link to a specific object without making the whole bucket public, generate a presigned URL with the bucket's key. The per-bucket credentials support SigV4 presigning, so any standard S3 client can produce one. The link works without further credentials until it expires.

aws-cli

# Valid for 1 hour
aws --endpoint-url https://s3.hep.gg --region ca-central-hydra-1 \
    s3 presign s3://my-bucket/reports/q2.pdf --expires-in 3600

@aws-sdk/client-s3

import { S3Client, GetObjectCommand } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 
const s3 = new S3Client({
  endpoint: "https://s3.hep.gg",
  region: "ca-central-hydra-1",
  forcePathStyle: true,
  credentials: {
    accessKeyId: "<your-bucket-access-key>",
    secretAccessKey: "<your-bucket-secret-key>",
  },
});
 
const url = await getSignedUrl(
  s3,
  new GetObjectCommand({ Bucket: "my-bucket", Key: "reports/q2.pdf" }),
  { expiresIn: 3600 },
);

Errors

Object traffic returns standard S3 HTTP responses.

Status	Meaning
`200`	Success. Object body, or list result, returned.
`206`	Partial content. Returned for `Range` requests.
`403`	Forbidden. Anonymous request to a private bucket, anonymous LIST, bad signature, or a PUT that would exceed the bucket's quota.
`404`	The bucket or object key does not exist.

A PUT that would push your usage past your effective quota is rejected with 403. Quota is summed across all your buckets on an instance. See Connecting for tiers and limits.

Public objects

Public objects#

Public URL format#

Presigned URLs#

Errors#

Public objects

Public URL format

Presigned URLs

Errors