OK, for this I got a workaround . After encypted (aws-kms server) the artifact is created and uploaded to s3 (as part of the aws code assembly), create a copy of the file with 'ACL':'public-read' . Following are the steps:
s3 = boto3.resource('s3',aws_access_key_id='<YOUR ACCESS KEY>', aws_secret_access_key='<YOUR SECRET ACCESS KEY>', region_name = 'ap-southeast-1', config=Config(signature_version='s3v4'))
The config=Config(signature_version='s3v4') is a trick to access the encrypted file.
copy_source = {'Bucket': 'SOURCE BUCKET','Key':'test/app-debug.apk'} s3.meta.client.copy(copy_source, 'DESTINATION BUCKET', 'app-debug.apk', {'ACL':'public-read'})
From S3 you will get a downloadable URL.
Alternatively, you can get a downloadable link directly from an encrypted S3 element without copying it to another bucket. However, the problem is that s3v4 encryption comes with a maximum expiration of 7 days. Thus, the link works with max in just 7 days. Below is the step for this:
s3_client = boto3.client('s3',aws_access_key_id='<YOUR ACCESS KEY>', aws_secret_access_key='<YOUR SECRET KEY>', region_name='ap-southeast-1', config=Config(signature_version='s3v4'))url = s3_client.generate_presigned_url(ClientMethod='get_object', Params={'Bucket':'SOURCE BUCKET', 'Key':'test/app-debug.apk'})