S3 Dynamic Account

On this Page

You can create an account from Designer or Manager. In Designer, when working on pipelines, every Snap that needs an account prompts you to create a new account or use an existing account. The accounts can be created in or used from:

  • Your private project folder: This folder contains the pipelines that will use the account.
  • Your Project Space’s shared folder: This folder is accessible to all the users that belong to the Project Space.
  • The global shared folder: This folder is accessible to all the users within an organization in the SnapLogic instance.

Prerequisites

The s3:ListAllMyBuckets permission is required to successfully validate an S3 account. Refer to the Account Permissions section below for additional permissions required for the target resources based on the task to be performed.

Account Configuration

In Manager, you can navigate to the required folder and create an account in it (see Accounts). To create an account for binary files:

  1. Click Create, then select Binary, then S3 Dynamic.
  2. Supply an account label.
  3. Supply the necessary information.

  4. (Optional) Supply additional information on this account in the Notes field of the Info tab.
  5. Click Apply.

Account Settings

Label

Required. User provided label for the account instance

Access-key ID

Required. Access key ID part of AWS authentication

Default value: [None]

Secret key

Required. Secret key part of AWS authentication

Default value: [None]

Security Token

Required. Security token part of AWS Security Token Service (STS) credentials
Default value: [None]

Server-side encryption

This represents the type of encryption to use for the objects stored in S3. For Snaps that write objects to S3, this field defines how the objects will be encrypted. For Snaps that read objects from S3, this field is not required.

Default value: Not Selected

KMS Encryption type

This field represents the AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN. 

For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region.

For Snaps that read objects from S3, this field is not required. 

The available options are:

  • None: The files do not get encrypted using KMS encryption.
  • Server side KMS Encryption: If selected, the output files on Amazon S3 are encrypted using this encryption with Amazon S3 generated KMS key.
  • Client side KMS Encryption: If selected, the output files on Amazon S3 are encrypted using this encryption with client generated KMS key.

Default value: None

KMS key

This field represents the AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN. 

For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region.

For Snaps that read objects from S3, this field is not required.

Default value: [None]

Cross Account IAM Role

This field set helps in granting cross account access, with two fields:

  • Role ARN
  • External ID

These fields helps you in setting up Cross Account IAM Role.

Role ARN

The Amazon Resource Name of the role to assume.

Default value: [None]

External ID

An optional external ID that might be required by the role to assume.

Default value: [None]

Account Encryption

Standard Encryption

If you are using Standard Encryption, the High sensitivity settings under Enhanced Encryption are followed.


Enhanced Encryption

If you have the Enhanced Account Encryption feature, the following describes which fields are encrypted for each sensitivity level selected per each account.

Account:

  • High: <None>
  • Medium + High: <None>
  • Low + Medium + High<None>

Account Permissions

SnapSnap OperationMinimum S3 Permissions
S3 Account
  • Validate the S3 account.
s3:ListAllMyBuckets
S3 File Writer
  • Write file only with 'File action'=OVERWRITE.
  • Use user-defined object metadata.
s3:PutObject

  • File write only with 'File action'=IGNORE or ERROR.
  • Validate the file after writing.
s3:PutObject, s3:ListBucket

Write object tags.

s3:PutObject, s3:PutObjectTagging

Update the Access Control List (ACL).

s3:PutObject, s3:ListAllMyBuckets, s3:PutObjectAcl

Suggest list of buckets in the File name field.

s3:ListAllMyBuckets

Suggest S3 objects in File name field.

s3:ListBucket
S3 File ReaderRead files.s3:GetObject

Read versioning-enabled files.s3:GetObject, s3:GetObjectVersion

Suggest list of buckets in the File field.s3:ListAllMyBuckets

Suggest S3 objects in the File field. s3:ListBucket

Suggest list of Version IDs.s3:ListBucketVersions

Read object tags.s3:GetObject, s3:GetObjectTagging
File Writer
  • Write a file with 'File action'=OVERWRITE.
  • Create directory if not present.
s3:PutObject

  • Write file with 'File action'=IGNORE or ERROR.
  • Validate after writing.
s3:PutObject, s3:ListBucket
ZipFile WriterWrite file with 'File action'=OVERWRITE.s3:PutObject

Write file with 'File action'=IGNORE or ERROR.s3:PutObject, s3:ListBucket
File ReaderRead files.s3:GetObject
ZipFile ReaderRead files.s3:GetObject
Multi File ReaderRead one file only without wildcards.s3:GetObject

  • Read files.
  • Use wildcards.
  • Include sub-folders.
s3:GetObject, s3:ListBucket
Directory BrowserList files and directories.s3:ListBucket
File DeleteDelete files.s3:DeleteObject, s3:ListBucket
File OperationCopy files.s3:GetObject, s3:PutObject, s3:ListBucket

Move files.s3:GetObject, s3:PutObject, s3:ListBucket, s3:DeleteObject
File PollerPoll files.s3:ListBucket

See Setting Permissions and Permissions for the Amazon S3 Bucket for more information.