13.7 S3 Requester Pays Buckets

Right, so you’ve got a bucket full of data. Maybe it’s a massive public dataset, like satellite imagery or a genome database. The problem? That data costs you money to store, sure, but the real wallet-murderer is the data transfer (egress) costs when thousands of people start downloading it. You’re basically running a charity for bandwidth. This is where S3 Requester Pays buckets come in. It’s the AWS equivalent of saying, “Sure, you can have a soda, but you’re putting a dollar in the jar.”

The concept is beautifully simple: you, the bucket owner, still pay for storage, but the requester (the person or application downloading the data) pays for the data egress and request costs. It shifts the financial burden of access to the consumer. It’s not for every bucket, but when you need it, it’s a lifesaver.

How It Actually Works (The Nitty-Gritty)

Enabling Requester Pays isn’t just a checkbox; it’s a bucket-level setting that fundamentally changes the authentication model for accessing that bucket. When it’s on, anonymous requests (where the requester isn’t specifying who they are) are a no-go. They will fail. Every request must be made by an authenticated AWS entity (an IAM User or Role) because AWS needs to know who to bill.

Here’s the crucial part: the requester must include a specific header in their request: x-amz-request-payer. Its value must be set to requester. This is their way of saying, “I acknowledge that I will be charged for this.” No header, no data. It’s the bouncer checking your ID at the door.

You can turn this on via the console, CLI, or infrastructure-as-code. Here’s how you do it with the AWS CLI for a bucket named my-massive-dataset-bucket:

# Enable Requester Pays
aws s3api put-bucket-request-payment \
    --bucket my-massive-dataset-bucket \
    --request-payment-configuration Payer=Requester

# Verify it's on
aws s3api get-bucket-request-payment \
    --bucket my-massive-dataset-bucket

The Requester’s Responsibility

Okay, so you’re on the other side of this equation. You want to download something from a Requester Pays bucket. Your first duty is not technical, it’s financial: make sure the AWS account you’re using has enough of a budget to cover the egress fees. Downloading a 10TB dataset is not free for you anymore.

Technically, you need to ensure every single command or SDK call includes that magic header. The standard aws s3 cp command helpfully does this for you automatically if it detects the bucket has Requester Pays enabled. But if you’re crafting raw API calls or using the SDK, you must include it explicitly.

Here’s an example using the Python SDK (boto3) to list objects in a Requester Pays bucket:

import boto3

s3 = boto3.client('s3')

# Notice the extra parameter in the API call
response = s3.list_objects_v2(
    Bucket='some-requester-pays-bucket',
    Prefix='path/to/data/',
    RequestPayer='requester'  # This is the crucial part
)

for obj in response.get('Contents', []):
    print(obj['Key'])

And to download a file:

import boto3

s3 = boto3.client('s3')

# Downloading also requires the payer parameter
s3.download_file(
    Bucket='some-requester-pays-bucket',
    Key='path/to/data/myfile.zip',
    Filename='./myfile.zip',
    ExtraArgs={'RequestPayer': 'requester'}
)

Gotchas and Questionable Design Choices

This feature is powerful, but AWS didn’t exactly make it foolproof.

The Silent Console Problem: Here’s a real head-scratcher. Try to browse a Requester Pays bucket in the AWS S3 console while logged in as an IAM User. It will fail silently. The console UI doesn’t have a mechanism to send the x-amz-request-payer header. It’s bizarre. You simply cannot browse these buckets visually. You must use the CLI or SDK. It feels like an embarrassing oversight.
It’s All or Nothing: You enable Requester Pays on the entire bucket. You can’t have it on for one prefix and off for another. This lack of granularity can be a real architectural limitation.
Authentication is Non-Negotiable: This is a feature, not a bug, but it trips people up. You can’t use pre-signed URLs to allow anonymous users to download from a Requester Pays bucket. The pre-signed URL authenticates the creator of the URL, not the downloader. If the creator paid the bills, you’ve just created a massive financial liability for yourself. The downloader must be an authenticated AWS entity.

Best Practices and When to Use It

Use Requester Pays when:

You are distributing large datasets to other AWS users (e.g., scientific, financial, or open data).
Your architecture involves cross-account data sharing where the consumer should bear the access costs.
You’re legitimately worried about a runaway process or a malicious actor racking up a huge egress bill from your public bucket.

And the golden rule: Communication. If you’re making a bucket Requester Pays, you absolutely must document this clearly for your users. Tell them what they need to do (use CLI/SDK, be authenticated) and warn them that their account will be charged. Nothing will anger a colleague faster than a surprise AWS bill.