{ lib, runCommand, awscli }: { s3url, name ? builtins.baseNameOf s3url, sha256, region ? "us-east-1" , credentials ? null # Default to looking at local EC2 metadata service , recursiveHash ? false, postFetch ? null }: let mkCredentials = { access_key_id, secret_access_key, session_token ? null }: { AWS_ACCESS_KEY_ID = access_key_id; AWS_SECRET_ACCESS_KEY = secret_access_key; AWS_SESSION_TOKEN = session_token; }; credentialAttrs = lib.optionalAttrs (credentials != null) (mkCredentials credentials); in runCommand name ({ nativeBuildInputs = [ awscli ]; outputHashAlgo = "sha256"; outputHash = sha256; outputHashMode = if recursiveHash then "recursive" else "flat"; preferLocalBuild = true; AWS_DEFAULT_REGION = region; } // credentialAttrs) (if postFetch != null then '' downloadedFile="$(mktemp)" aws s3 cp ${s3url} $downloadedFile ${postFetch} '' else '' aws s3 cp ${s3url} $out '')