Amazon Web Services
Fedot Krusenstern, 2021-07-13 19:05:49

How to organize and implement limited access to S3 files?

There is an application consisting of services:

  • S3 storage with images and videos
  • backend implementing users (authorization, roles, etc.)
  • ...


Requirements:
  1. open source solution
  2. the end user should not see the original repository link
  3. link must be single use
  4. some files may only be visible to some user roles


The second and third points of requirements are a dark forest for me.
The fourth, probably, does not make sense, because you just need to check the user's role on the backend and not pass the link.

UPD:
While waiting for an answer, I found something similar to what you need https://www.nginx.com/blog/securing-urls-secure-li...


3 answer(s)
Fedot Kruzenshtern, 2021-07-16
@CloudC

It turns out that I needed the secure link module in nginx. The blog has an article with specific examples, including an example of generating a link in Node.js.
https://www.nginx.com/blog/securing-urls-secure-li...

Roman Mirilaczvili, 2021-07-13
@2ord

1. open source solution

Well, write a backend, implement access to S3 and open the code. What is the problem?
Link generation with access: S3 presigned URL
Access rights are controlled by the application itself. There are plenty of articles on the internet on how to do this.
To generate a one-time link, the storage can be visible to everyone, and access to the files is only for those for whom the link is generated.
Let's say you need to distribute 1 file to 10 people. 10 people will have 10 different links pointing to the same file in S3 storage.
If you do not want expensive AWS S3, then take a compatible MinIO solution that you can install on your own facilities and manage yourself.
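
The per-user, single-use links from the requirements and the answer above, as an added example that is not part of the original thread or of any project it mentions. It goes beyond the answer by also covering the role check and expiry. The file catalogue, user objects and function names are assumptions, and the in-memory Map stands in for a shared store.

```javascript
const { randomBytes, createHash } = require('crypto');

// Constructed sample catalogue: opaque file id -> S3 object key and allowed roles.
const FILES = new Map([
  ['f1', { key: 'media/intro.mp4', roles: ['viewer', 'admin'] }],
  ['f2', { key: 'media/internal.mp4', roles: ['admin'] }],
]);

// sha256(token) -> { key, userId, expiresAt }. Hypothetical in-process store.
// With several backend instances this must be a shared store with an atomic
// get-and-delete (for example Redis GETDEL), otherwise two instances could
// both accept the same token.
const grants = new Map();
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Issue a token for one user and one file; null when the role is not allowed.
function issueToken(user, fileId, ttlMs = 60_000, now = Date.now()) {
  const file = FILES.get(fileId);
  if (!file || !file.roles.includes(user.role)) return null;
  const token = randomBytes(32).toString('base64url');
  // Only the hash is stored, so a leaked store does not yield usable links.
  grants.set(sha256(token), { key: file.key, userId: user.id, expiresAt: now + ttlMs });
  // The token goes into a backend URL such as /download/<token>;
  // the bucket name and object key never reach the client.
  return token;
}

// Redeem a token: works at most once, only for its owner, only before expiry.
function redeemToken(token, user, now = Date.now()) {
  const id = sha256(String(token));
  const grant = grants.get(id);
  // Unknown token or wrong user: refuse without burning the owner's link.
  if (!grant || grant.userId !== user.id) return null;
  grants.delete(id); // consume before handing anything out
  if (now > grant.expiresAt) return null;
  // The backend now streams the object itself or redirects to a
  // short-lived S3 presigned URL for this key.
  return grant.key;
}
```

Streaming through the backend keeps the storage URL hidden completely; redirecting to a presigned URL exposes it for the lifetime of that URL, so keep that lifetime short.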

Stanislav Bodrov, 2021-07-13
@jenki

open source solution
It could be a Lambda you wrote.
the end user should not see the original repository link
CloudFront is required, all the more so since you serve a great deal of static content. It is configured and paired with the bucket in one touch.
link must be single use
It could be a Lambda you wrote plus an Edge service.
some files may only be visible to some user roles
S3 supports a role-based (if I may say so) model of data access, but you will get tired of sorting all this out, even with Lambda alongside.
If everything is generalized and extended to possible future wishes, a small WordPress project emerges. It has authorization, authentication, and whatever else comes along with them. WP Diskbox works with S3 and CloudFront. I think there is more than one plugin for generating one-time links.
