# Amazon S3 Connection

# How to connect to Amazon S3 on Workato

The Amazon S3 connector uses AWS Signature Version 4 to authenticate to Amazon S3. There are two ways to connect:

  1. Using Access Key
  2. Using IAM role

# Connect to Amazon S3 using Access Key

The simplest way to connect to Amazon S3 is to provision a Workato IAM user. For this authentication method, you will need to provide the user credentials.

Workato will perform operations in your Amazon S3 as this IAM User. To use the full set of triggers and actions, the IAM User should have List/Read/Write permission to specific buckets & folders.

Refer to Amazon documentation to learn how to create an IAM User.


# Input fields for Access Key

| Field | Description |
| --- | --- |
| Connection name | Give this connection a unique name that identifies which S3 instance it is connected to. |
| Authorization type | Select Access Key. |
| Access key ID | The ID of the IAM user. |
| Secret access key | The secret of the IAM user. |
| Restrict to bucket | Define which bucket this connection is restricted to. |
| Region | Provide the region for this S3 account. |
| Download threads | The default is one thread. |

# Connect to Amazon S3 using IAM Role

If you prefer not to share your Amazon S3 access key, you can connect using IAM Role.

By provisioning a dedicated IAM profile, the owner of the S3 instance can grant Workato access to AWS resources without sharing AWS security credentials. It also helps to maintain permission boundaries, including controlled access to specific AWS folders and actions that are permitted by the third-party application (for example, Workato).

Workato recommends granting only the required permissions and avoiding AmazonS3AllAccess whenever possible.

In this method, you will create an IAM role that lets Workato's external Amazon S3 account access your Amazon S3. Learn more about IAM roles and granting access to third parties in this Amazon documentation.


# Input fields for IAM role

| Field | Description |
| --- | --- |
| Connection name | Give this connection a unique name that identifies which S3 instance it is connected to. |
| Authorization type | Select IAM role. |
| IAM role ARN | The IAM role ARN. Find out how to retrieve this in the How to retrieve IAM role ARN section below. Note: Workato will generate a unique external ID (for example, workato-user-84762). This value is different for every Workato user and must be provided when creating an IAM role in S3. |
| Restrict to bucket | Define which bucket this connection is restricted to. |
| Region | Provide the region for this S3 account. |
| Download threads | The default is one thread. |

# How to retrieve IAM role ARN

Follow these steps to retrieve the Role ARN required for the connection setup. Remember to use the Workato-generated external ID found on the connection page.

| Steps | Description |
| --- | --- |
| 1 | Navigate to My Security Credentials. |
| 2 | Select Roles > Create role. |
| 3 | Select Another AWS account. Input Workato's Amazon S3 Account ID (353360065216). |
| 4 | Select Require external ID and provide the Workato-generated External ID. Every Workato user will have a unique External ID (for example, workato-user-84762). You can find this value in the IAM role ARN portion of the connection setup. |
| 5 | Select proper permissions for Workato to run automation in your Amazon S3. At the minimum, Workato should have List/Read/Write access to specific buckets or folders. In this tutorial, we will select AmazonS3FullAccess. Workato recommends granting only the required permissions and avoiding AmazonS3AllAccess whenever possible. |
| 6 | (Optional) If you are using object tagging, select an appropriate tag for this IAM role. |
| 7 | Give this IAM role an appropriate name and description. Workato recommends that the role name avoids using a non-guessable resource-id in the urn and does not include the external ID. |
| 8 | The IAM role is now created. Select the role. |
| 9 | Copy the Role ARN. You will need to use this in the connection setup when creating an Amazon S3 connection in Workato. |
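
Steps 3 to 5 written out as policy documents, with a check for the two trust-policy mistakes that matter most (a principal wider than Workato's account, and a missing external ID condition). This is an added example, not Workato's or AWS's own code. The function names, `example-bucket`, the `workato/` prefix and the mapping of List/Read/Write to three S3 actions are assumptions, and the external ID is the page's example value.

```python
import json

WORKATO_ACCOUNT_ID = "353360065216"  # Workato's account ID from step 3
EXTERNAL_ID = "workato-user-84762"   # the page's example value; use your own

def trust_policy(account_id, external_id):
    """Steps 3-4 as JSON: trust one account, and only with the external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def scoped_s3_policy(bucket, prefix=""):
    """Step 5 without full access: List/Read/Write on one bucket or folder.
    The three actions are an assumed mapping of List/Read/Write."""
    list_stmt = {"Effect": "Allow", "Action": "s3:ListBucket",
                 "Resource": f"arn:aws:s3:::{bucket}"}
    if prefix:  # limit listing to the folder as well
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": f"{prefix}*"}}
    return {"Version": "2012-10-17", "Statement": [list_stmt, {
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
    }]}

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for Allow statements that trust more than intended."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        # A principal is a bare account ID or an ARN whose fifth field is one.
        accounts = [p if ":" not in p else (p.split(":") + [""] * 5)[4] for p in aws]
        if not accounts or any(a != account_id for a in accounts):
            findings.append(f"statement {i}: principal not limited to {account_id}")
        required = st.get("Condition", {}).get("StringEquals", {})
        if required.get("sts:ExternalId") != external_id:
            findings.append(f"statement {i}: sts:ExternalId missing or different")
    return findings

if __name__ == "__main__":
    print(json.dumps(trust_policy(WORKATO_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(scoped_s3_policy("example-bucket", "workato/"), indent=2))
```

Run `audit_trust_policy` against the trust relationship JSON shown on the role's Trust relationships tab after step 8; an empty list means both checks passed.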