In this article

Overview

You can use the AWS S3 account to connect the Binary Snaps with data sources that are in AWS S3.

Prerequisites

Valid permissions based on the Snap and intended operation.
EC2 instance as a Groundplex. The IAM role is valid only in Groundplex nodes hosted in the EC2 environment. Learn more about Configuring an EC2 role for IAM Role in AWS S3 Account.
JCC with the following global property set:jcc.jvm_options=-DIAM_CREDENTIAL_FOR_S3=TRUE

If you do not have an EC2 instance groundplex, then you can authenticate your account by using the Access Key ID and Secret Key. You can assume roles using the Cross account IAM role, that uses the IAM role specified in the settings. The Access Key ID and Secret Key need to have the ability to assume in the user specifications.

Account Settings

Asterisk (*): Indicates a mandatory field.
Suggestion icon (): Indicates a list that is dynamically populated based on the configuration.
Expression icon (): Indicates whether the value is an expression (if enabled) or a static value (if disabled). Learn more about Using Expressions in SnapLogic.
Add icon (): Indicates that you can add fields in the field set.
Remove icon (): Indicates that you can remove fields from the field set.

Field Name		Field Type	Description

Field Name		Field Type	Description
Label* Default Value: None Example: AWS S3 Account		String	Specify a unique name for the account instance
Access-key ID Default value: [None] Example: <Encrypted>		String	Specify a unique access key ID part of AWS authentication. The Access-key ID is required when the IAM role is disabled.
Secret key Default value: [None] Example: <Encrypted>		String	Specify the secret key part of AWS authentication
Server-side encryption Default Value: Deselected		Checkbox	If selected, the S3 file is written and encrypted using the 256-bit Advanced Encryption Standard AAES256. For Snaps that read objects from S3, this field is not required, as encrypted data is automatically decrypted when data is read from S3.
KMS Encryption type Default Value: None Example: Server-Side KMS Encryption		String	Choose the encryption type from the following list. This field represents the AWS Key Management Service key used to encrypt S3 objects—it can be the key ID or ARN. None: The files do not get encrypted using KMS encryption. Server-Side KMS Encryption: The output files on Amazon S3 are encrypted with Amazon S3 generated KMS key. Client-Side KMS Encryption: The output files on Amazon S3 are encrypted with client generated KMS key.
KMS key Default Value: N/A Example: <Encrypted>		String	Specify the AWS Key Management Service (KMS) key ID or ARN to be used for the S3 encryption. This is only required if the KMS Encryption type property is configured to use the encryption with KMS. Learn more about the KMS key: AWS KMS Overview and Using Server Side Encryption.
KMS region Default Value: N/A Example: s3.us-east-2		String	Specify or select a name of the region to which the KMS key belongs.
IAM role Default Value: Deselected		Checkbox	Select this checkbox to use the Groundplex EC2 instance stored in the IAM role, instead of the normal AWS authentication to access the S3 bucket. The Access-key ID and Secret key fields are ignored in this case. Learn more about Configuring an EC2 role for IAM Role in AWS S3 Account.
Cross Account IAM Role	Use this field set to configure the cross account access. Learn more about setting up Cross Account IAM Role.
	Role ARN Default Value: None Example: arn:aws:s3::test-bucket-sa-sl/*	String/Expression	Specify the Amazon Resource Name of the role to assume.
	External ID Default Value: None Example: 321f248c-8f4a-21be-87c4-184c9f8e2d03	String/Expression	Specify an external ID that might be required by the role to assume.
Support IAM role max session duration Default Value: Deselected		Checkbox	Select this checkbox when you want to extend the maximum session duration of an IAM role defined in AWS. On selecting this checkbox, the cross-account IAM role is assumed with the maximum session duration defined for the IAM role.

Troubleshooting

Account Permissions

Snap	Snap Operation	Minimum S3 Permissions
S3 Account	Validate the S3 account.	s3:ListAllMyBuckets
S3 File Writer	Write file only with 'File action'=OVERWRITE. Use user-defined object metadata.	s3:PutObject
	File write only with 'File action'=IGNORE or ERROR. Validate the file after writing.	s3:PutObject, s3:ListBucket
	Write object tags.	s3:PutObject, s3:PutObjectTagging
	Update the Access Control List (ACL).	s3:PutObject, s3:ListAllMyBuckets, s3:PutObjectAcl
	Suggest list of buckets in the File name field.	s3:ListAllMyBuckets
	Suggest S3 objects in File name field.	s3:ListBucket
S3 File Reader	Read files.	s3:GetObject
	Read versioning-enabled files.	s3:GetObject, s3:GetObjectVersion
	Suggest list of buckets in the File field.	s3:ListAllMyBuckets
	Suggest S3 objects in the File field.	s3:ListBucket
	Suggest list of Version IDs.	s3:ListBucketVersions
	Read object tags.	s3:GetObject, s3:GetObjectTagging
File Writer	Write a file with 'File action'=OVERWRITE. Create directory if not present.	s3:PutObject
File Writer	Write file with 'File action'=IGNORE or ERROR. Validate after writing.	s3:PutObject, s3:ListBucket
ZipFile Writer	Write file with 'File action'=OVERWRITE.	s3:PutObject
ZipFile Writer	Write file with 'File action'=IGNORE or ERROR.	s3:PutObject, s3:ListBucket
File Reader	Read files.	s3:GetObject
ZipFile Reader	Read files.	s3:GetObject
Multi File Reader	Read one file only without wildcards.	s3:GetObject
Multi File Reader	Read files. Use wildcards. Include sub-folders.	s3:GetObject, s3:ListBucket
Directory Browser	List files and directories.	s3:ListBucket
File Delete	Delete files.	s3:DeleteObject, s3:ListBucket
File Operation	Copy files.	s3:GetObject, s3:PutObject, s3:ListBucket
File Operation	Move files.	s3:GetObject, s3:PutObject, s3:ListBucket, s3:DeleteObject
File Poller	Poll files.	s3:ListBucket

Learn more about Setting Permissions and Permissions for the Amazon S3 Bucket.

ACL permissions

ACL permission	Corresponding access policy permissions when the ACL permission is granted on a bucket	Corresponding access policy permissions when the ACL permission is granted on an object

ACL permission	Corresponding access policy permissions when the ACL permission is granted on a bucket	Corresponding access policy permissions when the ACL permission is granted on an object
`READ`	`s3:ListBucket`, `s3:ListBucketVersions`, and `s3:ListBucketMultipartUploads`	`s3:GetObject` and `s3:GetObjectVersion`
`WRITE`	`s3:PutObject` Bucket owner can create, overwrite, and delete any object in the bucket. Object owner has `FULL_CONTROL` over their objects. In addition, when the grantee is the bucket owner, granting `WRITE` permission in a bucket ACL allows the `s3:DeleteObjectVersion` action to be performed on any version in that bucket.	Not applicable.
`READ_ACP`	`s3:GetBucketAcl`	`s3:GetObjectAcl` and `s3:GetObjectVersionAcl`
`WRITE_ACP`	`s3:PutBucketAcl`	`s3:PutObjectAcl` and `s3:PutObjectVersionAcl`
`FULL_CONTROL`	Equivalent to granting `READ`, `WRITE`, `READ_ACP`, and `WRITE_ACP` ACL permissions. Accordingly, this ACL permission maps to a combination of corresponding access policy permissions.	Equivalent to granting `READ`, `READ_ACP`, and `WRITE_ACP` ACL permissions. Accordingly, this ACL permission maps to a combination of corresponding access policy permissions.