In this section
  • Rendering Links ...
  • Rendering Links ...

Accessing NSIDC DAAC S3 Data with Temporary AWS Credentials

NSIDC DAAC datasets in the Earthdata Cloud are stored in protected S3 buckets.

  • If you’re downloading files through HTTPS links (for example, in a browser, with wget or curl, or using tools like earthaccess, Harmony, or DAAC-provided APIs), you typically do not need AWS credentials—your Earthdata Login is enough.
  • If you want to access files directly in Amazon S3 (for example, using the AWS CLI, Python boto3, or cloud workflows that reference s3://... paths), you will need temporary AWS credentials tied to your Earthdata Login.

This guide explains what temporary credentials are, how to obtain them, and how they work with NSIDC DAAC S3 data.

What Are Temporary AWS Credentials?

Temporary credentials are short-lived AWS keys generated by the AWS Security Token Service (STS). They grant you permission to access specific S3 buckets.

They consist of three parts:

  • AWS Access Key ID
  • AWS Secret Access Key
  • AWS Session Token
{
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  sessionToken: "LONGSTRINGOFCHARACTERS.../HJLgV91QJFCMlmY8slIEOjrOChLQYmzAqrb5U1ekoQAK6f86HKJFTT2dONzPgmJN9ZvW5DBwt6XUxC9HAQ0LDPEYEwbjGVKkzSNQh/",
  expiration: "2021-01-27 00:50:09+00:00"
}

Unlike permanent credentials, these expire after a short period (typically 1 hour). You can refresh them whenever needed.

How to Obtain Temporary Credentials

You can request credentials from the NSIDC DAAC /s3credentials endpoint in several ways:

Option 1: Browser

  1. Open: NSIDC DAAC /s3credentials endpoint
  2. Log in with your Earthdata Login if prompted
  3. Copy the JSON response values (Access Key ID, Secret Access Key, Session Token) into your environment.

Option 2: Command Line with curl

curl -n -c ~/.urs_cookies -b ~/.urs_cookies -L <https://data.nsidc.earthdatacloud.nasa.gov/s3credentials>
  • n → use .netrc for login
  • c ~/.urs_cookies → save cookies
  • b ~/.urs_cookies → send cookies on redirects
  • L → follow redirects

See: Creating .netrc for Earthdata Login

Option 3: Earthdata Search (UI-based)

  1. Visit Earthdata Search.
  2. Sign in with your Earthdata Login account.
  3. Search NSIDC DAAC datasets.
  4. Select the AWS S3 Access tab → Get AWS S3 Credentials

Option 4: earthaccess (Python)

The earthaccess Python library simplifies login and temporary credential retrieval.

import earthaccess

# Log in and persist credentials
auth = earthaccess.login(strategy="interactive", persist=True)

# Get temporary AWS credentials for NSIDC DAAC
credentials = earthaccess.get_s3_credentials(daac="NSIDC")
print(credentials)

Tips

  • strategy controls how Earthdata credentials are found:
    • "interactive" → prompts for username/password if nothing is saved; if a .netrc file already exists, it reuses that silently
    • "netrc" → always uses your ~/.netrc (or _netrc on Windows)
    • "environment" → looks for EARTHDATA_USERNAME and EARTHDATA_PASSWORD in environment variables
  • persist=True saves credentials to .netrc for reuse; False keeps them for the session only.

Refresh credentials by repeating get_s3_credentials when they expire (~1 hour).

See: Downloading NSIDC DAAC Earthdata Cloud Data Using earthaccess for instructions on getting started with earthaccess and how to run it both interactively and in saved scripts.

Working with Temporary Credentials

Once you have credentials:

  • Lifetime: ~1 hour
  • Refresh: Request new credentials when they expire
  • Best practices:
    • Use environment variables instead of hard-coding credentials
    • Never store Earthdata Login username/password directly in scripts
    • Automate credential refresh for long-running jobs

Commands That Work vs. Fail

Because of NSIDC DAAC’s security design, some AWS CLI and API commands will work while others will fail:

Expected to work:

  • aws s3 cp s3://... <local> (single file copy)
  • aws s3api get-object

Expected to fail:

  • aws s3 ls
  • aws s3 sync
  • aws s3api list* commands

If you try these, you’ll see a 403 Access Denied response.

Note on Browsing Buckets

NSIDC DAAC S3 buckets (both public and protected) are non-listable—you cannot browse bucket contents.

  • You must know the exact object key (path) to the file you want.
  • Use discovery tools such as Earthdata Search, CMR APIs, or collection-specific documentation to determine file paths.

What “non‑listable” looks like

  • AWS CLI

    # Listing the bucket (or a high‑level prefix) will fail
aws s3 ls s3://nsidc-cumulus-prod-protected/
# => An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

  • Direct download still works when you provide the full key

    aws s3 cp s3://nsidc-cumulus-prod-protected/SMAP/SPL3SMP_E/006/2025/09/04/SMAP_L3_SM_P_E_20250904_R19240_001.h5 .

Other DAACs in the Earthdata Cloud

Other DAACs in the Earthdata Cloud also provide temporary credential endpoints.

DAAC Nameearthaccess DAAC parameterS3 Credentials EndpointTypical Use Case
PO.DAAC"PODAAC"https://archive.podaac.earthdata.nasa.gov/s3credentialsOceanography data
LP DAAC"LPDAAC"https://data.lpdaac.earthdatacloud.nasa.gov/s3credentialsLand Processes
LAADS DAAC"LAADS"https://data.laadsdaac.earthdatacloud.nasa.gov/s3credentialsSatellite atmospherics

Final Thoughts

  • Choose the method that fits your workflow: browser for quick checks, curl or Earthdata Search for UI-guided workflows, or earthaccess for Python scripts.
  • Temporary credentials are short-lived and read-only. Keep them secure and plan around expiration.
  • Remember: NSIDC S3 buckets are non-listable. Always work with known file paths.
  • For multi-DAAC workflows, reference the table above for correct endpoints.

Related Data Collections

NASA Earthdata Cloud