diff --git a/pkgs/build-support/fetchs3/default.nix b/pkgs/build-support/fetchs3/default.nix
new file mode 100644
index 00000000000..a5cdbd150b8
--- /dev/null
+++ b/pkgs/build-support/fetchs3/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, runCommand, awscli }:
+
+{ s3url
+, sha256
+, region ? "us-east-1"
+, credentials ? null # Default to looking at local EC2 metadata service
+, executable ? false
+, recursiveHash ? false
+, postFetch ? null
+}:
+
+let
+  credentialAttrs = stdenv.lib.optionalAttrs (credentials != null) {
+    AWS_ACCESS_KEY_ID = credentials.access_key_id;
+    AWS_SECRET_ACCESS_KEY = credentials.secret_access_key;
+    AWS_SESSION_TOKEN = credentials.session_token ? null;
+  };
+in runCommand "foo" ({
+  buildInputs = [ awscli ];
+  outputHashAlgo = "sha256";
+  outputHash = sha256;
+  outputHashMode = if recursiveHash then "recursive" else "flat";
+} // credentialAttrs) (if postFetch != null then ''
+  downloadedFile="$(mktemp)"
+  aws s3 cp ${s3url} $downloadedFile
+  ${postFetch}
+'' else  ''
+  aws s3 cp ${s3url} $out
+'')
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index ab9b8c2f3a1..9c7c652fac8 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -153,6 +153,8 @@ with pkgs;
 
   fetchpatch = callPackage ../build-support/fetchpatch { };
 
+  fetchs3 = callPackage ../build-support/fetchs3 { };
+
   fetchsvn = callPackage ../build-support/fetchsvn {
     sshSupport = true;
   };