AWS CLI in S3

Last update: June 11 2026

AWS CLI (AWS Command Line Interface) is a command-line interface for working with AWS services.

Configure AWS CLI

1. Configure access to S3.
2. Install the client.
3. Create an AWS CLI configuration.
4. Install a certificate.

1. Configure access to S3

Access can be configured by the Account Owner or a user with the iam.admin role.

1. Create a service user with a role with S3 access. If you use a service user with the s3.user, object_storage_user, or s3.bucket.user role, an access policy must be configured for the bucket, and its rules must allow access to this user.
2. Issue an S3 key to the user.

2. Install the client

Use the instructions in the Install or update to the latest version of the AWS CLI Amazon documentation.

3. Create an AWS CLI configuration

1. Open the terminal.

2. Open configuration mode:

   aws configure

3. Enter AWS Access Key ID — the value of the Access key field from the S3 key.

4. Enter AWS Secret Access Key — the value of the Secret key field from the S3 key.

5. Enter Default region name — the pool where S3 is located (e.g., ru-1).

6. Enter Default output format or leave it blank.

7. Settings will be saved in the configuration files:

   • credentials in .aws/credentials:

     [default]
     aws_access_key_id = <access_key>
     aws_secret_access_key = <secret_key>

   • default pool in .aws/config:

     [default]
        region = <pool>

8. In the .aws/config configuration file, add the endpoint_url: parameter:

   [default]
       region = <pool>
       endpoint_url = https://<s3_domain>

   Specify <s3_domain> — the S3 API domain for the desired pool.

4. Install a certificate

Linux/macOS

1. Create a folder named ~/.selectels3/:

   mkdir -p ~/.selectels3/

2. Download the certificate and place it in the ~/.selectels3/ folder:

   wget https://secure.globalsign.net/cacert/root-r6.crt -O ~/.selectels3/root.crt
   openssl x509 -inform der -in ~/.selectels3/root.crt -out ~/.selectels3/root.crt
   chmod 600 ~/.selectels3/root.crt

3. In the .aws/config configuration file, add the following parameter:

   ca_bundle = ~/.selectels3/root.crt

Windows

1. Download the certificate.

2. Create a text file, for example, root.txt.

3. Add the certificate content in base64 format to the root.txt file.

4. In the .aws/config configuration file, add the following parameter:

   ca_bundle = <path>

   Specify <path> — the path to the root.txt file.

Working with AWS CLI

For command syntax, see the AWS Amazon documentation.

To work with S3 via AWS CLI, use:

• s3api — commands corresponding to operations in the REST API;
• s3 — additional commands that simplify working with a large number of objects.

List buckets

1. Open the CLI.

2. List the buckets:

   aws s3 ls

Create a bucket

1. Open the CLI.

2. Create a bucket:

   aws s3 mb s3://<bucket_name>

   Specify <bucket_name> — the name of the new bucket.

List objects

1. Open the CLI.

2. List the objects:

   aws s3 ls --recursive s3://<bucket_name>

   Specify <bucket_name> — the name of the bucket to list objects in.

Upload an object

Simple upload

1. Open the CLI.

2. Upload an object to a bucket:

   aws s3 cp <path_to_object> s3://<bucket_name>/

   Specify:

   • <path_to_object> — the path in the bucket where the object will be stored;
   • <bucket_name> — the name of the bucket where the object will be stored.

Upload with conditional request

You can use conditional requests when uploading objects via AWS CLI.

Match object existence condition

The object will be uploaded if an object with an ETag that matches the value from the If-Match header exists in the bucket. If an object with such an ETag is not found, a 412 Precondition Failed error will be returned.

1. Open the CLI.

2. Check the ETag of the object that must exist in the bucket for the new object to be uploaded:

   aws s3api head-object \
   --bucket <bucket_name_1> \
   --key <path_to_object_1>

   Specify:

   • <bucket_name_1> — the name of the bucket where the object is stored;
   • <path_to_object_1> — the path to the object in the bucket.

3. Upload an object with a condition:

   aws s3api put-object \
   --bucket <bucket_name_2> \ 
   --key <path_to_object_2> \
   --body <path_to_file> \
   --if-match "<etag>"

   Specify:

   • <bucket_name_2> — the name of the bucket to which the object will be uploaded;
   • <path_to_object_2> — the path in the bucket where the object will be stored;
   • <path_to_file> — the path to the file on the local device;
   • <etag> — the ETag of the object you checked in step 2.

Match object non-existence condition

The object will be uploaded if no object with a key that matches the value from the If-None-Match header exists in the bucket. This allows you to avoid overwriting the object. If an object with such a key already exists in the bucket, a 412 Precondition Failed error will be returned.

1. Open the CLI.

2. Upload an object with a condition:

   aws s3api put-object \
   --bucket <bucket_name> \
   --key <path_to_object> \
   --body <path_to_file> \
   --if-none-match "*"

   Specify:

   • <bucket_name> — the name of the bucket where the object will be stored;
   • <path_to_object> — the path in the bucket where the object will be stored;
   • <path_to_file> — the path to the file on the local device.

   Here, --if-none-match"*" means that the object will be uploaded only if there is no object at the specified path in the bucket yet.

Upload with Object Lock

If Object Lock is enabled in the bucket, you can upload an object with a temporary lock.

1. Open the CLI.

2. Upload an object with a temporary lock:

   aws s3api put-object \
     --bucket <bucket_name> \
     --key <path_to_object> \
     --body <path_to_file> \
     --object-lock-mode <lock_mode> \
     --object-lock-retain-until-date <date>

   Specify:

   • <bucket_name> — the name of the bucket;
   • <path_to_object> — the path in the bucket where the object will be stored;
   • <path_to_file> — the path to the file on the local device;
   • <lock_mode> — the lock mode. Possible values are GOVERNANCE or COMPLIANCE;
   • <date> — the date until which the object will be locked, in ISO 8601 format, for example 2025-09-06T00:00:00Z. The lock period cannot exceed 100 years or 36500 days.

Get a link to an object

You can get a link to an object in a public or private bucket via a signed URL (Presigned URL). Learn more about Presigned URLs in the Sharing objects with presigned URLs section of the AWS documentation.

1. Open the CLI.

2. Get the link:

   aws s3 presign s3://<bucket_name>/<path_to_object> --expires-in <time>

   Specify:

   • <bucket_name> — the name of the bucket where the object is stored;
   • <path_to_object> — the path to the object in the bucket;
   • optional: --expires-in <time> — link expiration time, where <time> is the time in seconds after which the link will stop working. If you do not add the --expires-in <time> parameter, the link will be valid for one hour.

Copy an object

Simple copy

1. Open the CLI.

2. Copy the object:

   aws s3 cp s3://<bucket_name_1>/<path_to_object_1> s3://<bucket_name_2>/<path_to_object_2>

   Specify:

   • <bucket_name_1> — the name of the bucket where the object to copy is stored;
   • <path_to_object_1> — the path to the object to copy in the bucket;
   • <bucket_name_2> — the name of the bucket to which the object will be copied;
   • <path_to_object_2> — the path in the bucket where the object will be stored.

Copy with condition

You can use conditional requests when copying objects via AWS CLI.

Object immutability condition

The object will be copied if its ETag matches the value you specify in the --copy-source-if-match header, meaning the object has not been modified. If the object's ETag does not match, a 412 Precondition Failed error will be returned.

1. Open the CLI.

2. Copy the object with a condition:

   aws s3api copy-object \
   --copy-source <bucket_name_1>/<path_to_object_1> \
   --bucket <bucket_name_2> \
   --key <path_to_object_2> \
   --copy-source-if-match "<etag>" 

   Specify:

   • <bucket_name_1> — the name of the bucket where the object to copy is stored;
   • <path_to_object_1> — the path to the object to copy in the bucket;
   • <bucket_name_2> — the name of the bucket to which the object will be copied;
   • <path_to_object_2> — the path in the bucket where the copied object will be stored;
   • <etag> — the ETag that must match the object's ETag.

Object modification condition

The object will be copied if its ETag does not match the value you specify in the --copy-source-if-none-match header, meaning the object has been modified. If the object's ETag matches, a 412 Precondition Failed error will be returned.

1. Open the CLI.

2. Copy the object with a condition:

   aws s3api copy-object \
   --copy-source <bucket_name_1>/<path_to_object_1> \
   --bucket <bucket_name_2> \
   --key <path_to_object_2> \
   --copy-source-if-none-match "<etag>" 

   Specify:

   • <bucket_name_1> — the name of the bucket where the object to copy is stored;
   • <path_to_object_1> — the path to the object to copy in the bucket;
   • <bucket_name_2> — the name of the bucket to which the object will be copied;
   • <path_to_object_2> — the path in the bucket where the copied object will be stored;
   • <etag> — the ETag that must not match the object's ETag.

Delete an object

Simple deletion

1. Open the CLI.

2. Delete the object:

   aws s3 rm s3://<bucket_name>/<object_name>

   Specify:

   • <bucket_name> — the name of the bucket;
   • <object_name> — the name of the object.

Deletion with condition

You can use conditional requests when deleting objects via AWS CLI — this helps reduce the risk of accidentally deleting a file.

The object will be deleted if an object with an ETag that matches the value from the If-Match header exists in the bucket. If an object with such an ETag is not found, a 412 Precondition Failed error will be returned.

1. Open the CLI.

2. Check the ETag of the object that must exist in the bucket for the required object to be deleted:

   aws s3api head-object \
   --bucket <bucket_name_1> \
   --key <path_to_object_1>

   Specify:

   • <bucket_name_1> — the name of the bucket where the object is stored;
   • <path_to_object_1> — the path to the object in the bucket.

3. Delete the object with a condition:

   aws s3api delete-object \
   --bucket <bucket_name_2> \
   --key <path_to_object_2> \
   --if-match "<etag>"

   Specify:

   • <bucket_name_2> — the name of the bucket where the object is stored;
   • <path_to_object_2> — the path to the object in the bucket;
   • <etag> — the ETag of the object you checked in step 2.