# Amazon S3 Connection

# How to connect to Amazon S3 on Workato

The Amazon S3 connector uses the AWS Signature Version 4 (opens new window) to authenticate to Amazon S3. There are two ways to connect:

ACCESS KEY LEGACY AUTHENTICATION

Access key authentication is a legacy authentication format and we highly recommend IAM role authentication.

# Connect to Amazon S3 using Access Key

You can connect to S3 with an access key, however, the simplest method is to use an IAM role. You must provision a Workato IAM user (opens new window) and provide user credentials (opens new window) for this authentication method. Refer to Amazon documentation (opens new window) to learn how to create an IAM User.

Refer to Amazon's documentation for instructions on how to set up and manage access keys (opens new window).

# Input fields for Access Key

Field Description
Connection name Give this connection a unique name that identifies which S3 instance it is connected to.
Authorization type Select Access Key.
Access key ID The ID of the user.
Secret access key The secret of the user.
Restrict to bucket Define which bucket this connection is restricted to.
Restrict to path Use to restrict your connection to a specific bucket and object or path. This is required when the user has only limited s3:ListBucket (opens new window) access.
Region Provide the region for this S3 account.
Download threads The default is one thread.

# Connect to Amazon S3 using IAM Role

Provisioning a dedicated IAM profile allows the owner of the S3 instance to grant Workato access to AWS resources without sharing AWS security credentials. It also helps to maintain permission boundaries, including controlled access to specific AWS folders and actions that are permitted by the third-party application (for example, Workato).

Workato will perform operations in your Amazon S3 as this IAM role. To use the full set of triggers and actions, the IAM role should have List/Write permission to specific buckets and folders. Workato recommends to grant only the required permissions and avoid using AmazonS3AllAccess whenever possible.

# Input fields for IAM role

Field Description
Connection name Give this connection a unique name that identifies which S3 instance it is connected to.
Authorization type Select IAM role.
IAM role ARN The IAM role ARN.

Note: Workato will generate a unique external id (for example, workato-user-84762). This value is different for every Workato user and must be provided when creating an IAM role in S3.
Restrict to bucket Define which bucket this connection is restricted to.
Restrict to path Use to restrict your connection to a specific bucket and object or path. This is required when the user has only limited s3:ListBucket (opens new window) access.
Region Provide the region for this S3 account.
Download threads The default is one thread.

# Create IAM role and ARN retrieval

Refer to the IAM role-based authentication for AWS page for instructions on how to create an IAM role for Workato and retrieve your Amazon resource name (ARN).

# Permissions

Action Role
Create connection S3:ListAllMyBuckets
Create bucket S3:CreateBucket
Delete file/folder S3:DeleteObject, S3:ListAllMyBuckets
Download file contents S3:ListAllMyBuckets, S3:GetObject
Generate resigned URL S3:GetObject
Get bucket location S3:GetBucketLocation
List files in bucket S3:ListBucket, S3:ListAllMyBuckets
Upload file S3:PutObject, S3:ListAllMyBuckets
Upload file streaming S3:PutObject, S3:ListAllMyBuckets
All triggers S3:ListBucket, S3:ListAllMyBuckets
Use S3 as an audit log streaming destination S3:ListAllMyBuckets, S3:PutObject


Last updated: 11/22/2024, 9:17:41 PM