In this article

Overview

You can use this account type to connect Binary Snaps with data sources that use an S3 account.

note

Expression-enabled authentication fields, such as Username, Password, and Client Secret, support Secrets Management, a SnapLogic add-on that allows you to store endpoint credentials in a third-party secrets manager, such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. During validation and execution, pipelines obtain the credentials directly from the secrets manager. Learn more: Configure Accounts to use secrets.

Expression-enabled authentication fields, such as Username, Password, and Client Secret, support Secrets Management, a SnapLogic add-on that allows you to store endpoint credentials in a third-party secrets manager, such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. During validation and execution, pipelines obtain the credentials directly from the secrets manager. Learn more: Configure Accounts to use secrets.

Prerequisites

The s3:ListAllMyBuckets permission is required to successfully validate an S3 account. Refer to the Account Permissions section below for additional permissions required for the target resources based on the task to be performed.

Account Settings

  • Asterisk (*): Indicates a mandatory field.

  • Suggestion icon ((blue star)): Indicates a list that is dynamically populated based on the configuration.

  • Expression icon ((blue star)): Indicates whether the value is an expression (if enabled) or a static value (if disabled). Learn more about Using Expressions in SnapLogic.

  • Add icon ((blue star)): Indicates that you can add fields in the fieldset.

  • Remove icon ((blue star)): Indicates that you can remove fields from the fieldset.

Field Name

Field Type

Description

Label

Default Value: None
Example: S3 Dynamic Account

String

Specify a unique label for the account.

Access-key ID

Default Value: None
Example: xyz876jhnJKBuya9730

String/Expression

The Access key ID part of AWS authentication.

Secret key

Default Value: [None]
Example: bn098&^*jhj34kxii0/?

String/Expression

The Secret key part of AWS authentication.

Security Token

Default value: [None
Example: XZlkdf129LONmn65n=

String/Expression

The Security token part of AWS Security Token Service (STS) credentials.

Server-side encryption

Default value: Not Selected
Example:

Checkbox

The type of encryption to use for the objects stored in S3. For Snaps that write objects to S3, this field defines how the objects will be encrypted. For Snaps that read objects from S3, this field is not required.

KMS Encryption type

Default value: None
Example: Server side KMS Encryption

Dropdown list

The AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN. The available options are:

  • None: The files do not get encrypted using KMS encryption.

  • Server side KMS Encryption: The output files on Amazon S3 are encrypted using this encryption with Amazon S3 generated KMS key.

  • Client side KMS Encryption: The output files on Amazon S3 are encrypted using this encryption with client generated KMS key.

note

For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region.

For Snaps that read objects from S3, this field is not required. 

For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region.

For Snaps that read objects from S3, this field is not required. 

KMS key

Default value: None
Example: cvcv866kALm920

String/Expression

The AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN. 

For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region.

For Snaps that read objects from S3, this field is not required.

KMS region

Default value: None
Example: us-east-1

String/Expression

The AWS region where the KMS key is located.

Cross Account IAM Role

Use this field set to manage account access. Learn more about setting up Cross Account IAM Role.

Role ARN

Default value: None

String/Expression

The Amazon Resource Name of the role to assume.

External ID

Default value: None

String/Expression

An optional external ID that might be required by the role to assume.

Support IAM role max session duration

Checkbox

Select this checkbox when you want to extend the maximum session duration of an IAM role defined in AWS. On selecting this checkbox, the cross account IAM role is assumed with the maximum session duration defined for the IAM role.

note

This checkbox is deselected by default. The default maximum session duration for an IAM role is one hour; however, you can define a custom duration between 1-12 hours. Learn how to increase the IAM role maximum session duration limit.
We recommend that you select this checkbox if the maximum session duration of the IAM role is greater than an hour.

This checkbox is deselected by default. The default maximum session duration for an IAM role is one hour; however, you can define a custom duration between 1-12 hours. Learn how to increase the IAM role maximum session duration limit.
We recommend that you select this checkbox if the maximum session duration of the IAM role is greater than an hour.