In this article

Overview

You can use this account type to connect S3 Snaps with data sources that use an Amazon S3 account.

Prerequisites

EC2 instance as a Groundplex. Learn more about Configuring an EC2 role for IAM Role in AWS S3 Account.
JCC with the following global property set:jcc.jvm_options=-DIAM_CREDENTIAL_FOR_S3=TRUE

If you do not have an EC2 instance groundplex, then you can authenticate your account by using the Access Key ID and Secret Key. You can assume roles using the Cross account IAM role, that uses the IAM role specified in the settings. The Access Key ID and Secret Key need to have the ability to assume in the user specifications.

Limitations and Known Issues

None.

Account Settings

Asterisk (*): Indicates a mandatory field.
Suggestion icon (): Indicates a list that is dynamically populated based on the configuration.
Expression icon (): Indicates whether the value is an expression (if enabled) or a static value (if disabled). Learn more about Using Expressions in SnapLogic.
Add icon (): Indicates that you can add fields in the fieldset.
Remove icon (): Indicates that you can remove fields from the fieldset.

Field Name	Field Type	Description
Label* Default Value: None Example: S3 Account	String	Specify a unique label for the account.
Access Key ID Default Value: N/A Example: CKIA2EP4BT3EYCWBKC	String/Expression	Specify a unique access key ID part of AWS authentication. This field is required if the IAM role is disabled.
Secret Key Default Value: N/A Example: G9Hm2h5+PtSI7CnZO9KLVgyFPAc5ZTqC9uV94uPr	String/Expression	Specify the secret key part of AWS authentication. This field is required if the IAM role is disabled.
Security Token Default Value: N/A Example: Djh198SnOKIA2	String/Expression	Specify the security token that is part of AWS Security Token Services (STS) credentials. Note that only global STS regions are supported.
IAM Role Default value: Deselected	Checkbox	Select this checkbox to use the EC2 instance stored in the IAM role, instead of the normal AWS authentication to access the S3 bucket. The Access-key ID and Secret key fields are ignored in this case. Learn more about Configuring an EC2 role for IAM Role in AWS S3 Account. The Amazon S3 Snaps automatically detect the Maximum session duration value for the Cross-Account IAM role (1 through 12 hours). The Snaps round down the value to the nearest hour. So, if the Snap administrator sets the Maximum session duration at 3 hours and 45 minutes, the Snaps read it as 3 hours. The Snaps also refresh the session before it expires. However, the automatic session refresh does not support the case of very large file upload or download that takes longer than the maximum session duration. The IAM role is valid only in Groundplex nodes hosted in the EC2 environment, and also requires specific configuration. Set the global.properties file on the Groundplex as shown below and restart the JCC: `jcc.jvm_options = -DIAM_CREDENTIAL_FOR_S3=TRUE` The List, Read and Write permissions are required as per the attached S3 policy for the IAM role stored on the EC2 instance. When you select the IAM Role checkbox and validate the account, an error is displayed, and the account is not validated. To be able to use the account, provide valid Role ARN and External ID values, and then click Apply button.
Cross Account IAM Role	Configure the properties required to perform cross-account access. Learn more about setting up Cross Account IAM Role. When you use the Cross Account IAM Role in the Amazon S3 account, the `ownerDisplayName` and `ownerID` fields in the output document of the S3 Browser Snap may be empty.
Role ARN Default Value: N/A Example: arn:aws:s3:::sandbox-test-snap	String/Expression	Specify the Amazon Resource Name of the role to assume.
External ID Default Value: N/A Example: 321f248c-8f4a-21be-87c4-184c9f8e2d03	String/Expression	Specify an optional external ID that might be required by the role to assume.
Encryption	Configure the properties required for encryption.
Encryption Type Default value: None Example: Server-Side Encryption	Dropdown list	Specify the AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN. The available options are: None: The files do not get encrypted using KMS encryption. Server-Side Encryption: The S3 file is written and encrypted using the 256-bit Advanced Encryption Standard AAES256. For Snaps that read objects from S3, this field is not required, because encrypted data is automatically decrypted when data is read from S3. Server-Side KMS Encryption: The output files on Amazon S3 are encrypted using this encryption with an Amazon S3-generated KMS key. Client-Side KMS Encryption: The output files on Amazon S3 are encrypted using this encryption with a client-generated KMS key. For Snaps that read objects from S3, this field is not required. For Snaps that write objects to S3, this is required for encryption types—Server-Side encryption and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the `us-east-1` region.
KMS key Default value: None Example: 28e3c2b6-74e2-4a3e-9890-6cd8e1c03661	String	Specify the AWS Key Management Service (KMS) key ID or ARN to be used for the S3 encryption. This is required only if the KMS Encryption type property is configured to use the encryption with KMS. Learn more about AWS KMS Overview and Using Server Side Encryption. For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the `us-east-1` region.
KMS Region Default Value: N/A Example: s3.us-east-2	String/Expression/Suggestion	Specify the AWS region where the KMS key is located.

Troubleshooting

Error

Reason

Resolution

When authorizing an S3 account, if the IAM role checkbox is selected, the following error is displayed on clicking the Validate button.

"Failed to validate account."

When validating the S3 account if the IAM role checkbox is selected, an error is displayed.

Account validation is not supported when you select the IAM Role checkbox.
Ensure that you provide valid Role ARN and External ID values and then click Apply instead of Validate (on the account settings dialog) to authorize and use the account.

Snap Pack History

Click here to expand...

Release	Snap Pack Version	Date	Type	Updates
May 2024	main26341	08 May 2024	Stable	Enhanced the S3 Select Snap to capture metadata and lineage information from the input document.
February 2024	436patches25360	07 Mar 2024	Latest	Fixed an issue with the Amazon S3 Snaps that displayed a `null pointer exception` when the Access Key ID or Secret Key field was empty while utilizing the S3 Express Bucket in the S3 Account. The Snaps now throw the `configuration exception` if either field is empty.
February 2024	main25112	14 Feb 2024	Stable	Updated and certified against the current Snaplogic Platform release.
November 2023	435patches24238	21 Dec 2023	Latest	Added support for Amazon S3 Express One Zone in the Amazon S3 Snap Pack.
November 2023	main23721	08 Nov 2023	Stable	Updated and certified against the current Snaplogic Platform release.
August 2023	main22460	16 Aug 2023	Stable	Updated and certified against the current SnapLogic Platform release.
May 2023	433patches21816	14 Jul 2023	Latest	The Amazon S3 Snaps automatically detect the Maximum session duration value for the Cross-Account IAM role (1 through 12 hours). The Snaps round down the value to the nearest hour. So, if the Snap administrator sets the Maximum session duration at 3 hours and 45 minutes, the Snaps read it as 3 hours. The Snaps also refresh the session before it expires. However, the automatic session refresh does not support the case of very large file upload or download that takes longer than the maximum session duration.
May 2023	main21015	10 May 2023	Stable	Upgraded with the latest SnapLogic Platform release.
February 2023	432patches20385	05 Apr 2023	Latest	Added support for Ultra Task Pipelines.
February 2023	main19844	09 Feb 2023	Stable	Upgraded with the latest SnapLogic Platform release.
November 2022	main18944	10 Nov 2022	Stable	The S3 Browser Snap output now includes the Storage Class field, which indicates the archived status of the S3 object. The S3 Download Snap no longer fails even when the pipeline has multiple Snaps after 430patches18348.
October 2022	430patches18674	24 Oct 2022	Latest	Introduced the following Snaps: S3 Archive enables you to archive an S3 object and change its storage class. S3 Restore enables you to restore an archived S3 object. S3 Select enables you to retrieve a subset of data from an S3 object. The S3 Download, S3 Archive, S3 Copy, S3 Delete, S3 Restore, and S3 Upload Snaps do not have the increased number of active threads accumulated, as they are now released immediately after the execution. The S3 Download Snap now does not fail even when the pipeline has multiple Snaps after 430patches18348. The S3 Browser Snap output now includes the Storage Class field, which indicates the archived status of the S3 object.
August 2022	430patches17354	25 Aug 2022	Latest	The KMS Region field in the S3 Account now suggests the regions when you click the suggestion icon.
August 2022	main17386	11 Aug 2022	Stable	Introduced the Amazon S3 Snap Pack, which enables you to browse, copy, delete, download, or upload objects in S3. This Snap Pack contains the following Snaps: S3 Browser: Lists the attributes of Amazon S3 objects in a specific bucket matching the prefix. S3 Copy: Sends a copy request to the AWS S3 service to copy an Amazon S3 object from a source bucket to a target bucket. S3 Delete: Removes an object from the specified bucket. S3 Download: Downloads Amazon S3 objects from the S3 bucket. S3 Upload: Uploads binary data to Amazon S3 objects. S3 Presigned: Generates a presigned URL in the output document to access an Amazon S3 object.

S3