You can create an account from Designer or Manager. In Designer, when working on pipelines, every Snap that needs an account prompts you to create a new account or use an existing account. The accounts can be created in or used from:
- Your private project folder: This folder contains the pipelines that will use the account.
- Your Project Space’s shared folder: This folder is accessible to all the users that belong to the Project Space.
- The global shared folder: This folder is accessible to all the users within an organization in the SnapLogic instance.
Prerequisites
The s3:ListAllMyBuckets permission is required to successfully validate an S3 account. Refer to the Account Permissions section below for additional permissions required for the target resources based on the task to be performed.
Account Configuration
In Manager, you can navigate to the required folder and create an account in it (see Accounts). To create an account for binary files:
- Click Create, then select Binary, then AWS S3.
- Supply an account label.
- Supply the necessary information.
- (Optional) Supply additional information on this account in the Notes field of the Info tab.
- Click Apply.
Account Settings
Field | Description
---|---
Label | Required. User-provided label for the account instance.
Access-key ID | Required when IAM role is disabled. Unique access key ID part of AWS authentication. Default value: [None]
Secret key | Required when IAM role is disabled. Secret key part of AWS authentication. Default value: [None]
Server-side encryption | If selected, the S3 file is written and encrypted using the 256-bit Advanced Encryption Standard (AES256). For Snaps that read objects from S3, this field is not required, as encrypted data is automatically decrypted when data is read from S3. Default value: Not Selected
KMS Encryption type | This field represents the AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN. For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region. For Snaps that read objects from S3, this field is not required. The available options are: Default value: [None]
KMS key | Specifies the AWS Key Management Service (KMS) key ID or ARN to be used for the S3 encryption. This is only required if the KMS Encryption type property is configured to use the encryption with KMS. For more information about the KMS key refer to AWS KMS Overview and Using Server Side Encryption. For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region. For Snaps that read objects from S3, this field is not required. Default value: [None]
KMS region | Name of the region to which the KMS key belongs. Example: s3.us-east-2
IAM role | If selected, the IAM role stored in the EC2 instance is used, instead of the normal AWS authentication, to access the S3 bucket. The Access-key ID and Secret key fields are ignored in this case. The List, Read and Write permissions are required as per the attached S3 policy for the IAM role stored on the EC2 instance. This property is valid only in Groundplex nodes hosted in the EC2 environment. In the Groundplex, add the following line to global.properties and restart the JCC: Validation does not work when the property is enabled.
Account Encryption
Encryption type | Description
---|---
Standard Encryption | If you are using Standard Encryption, the High sensitivity settings under Enhanced Encryption are followed.
Enhanced Encryption | If you have the Enhanced Account Encryption feature, the following describes which fields are encrypted for each sensitivity level selected for each account.
Account Permissions
In addition to the s3:ListAllMyBuckets permission, you must configure the following permissions in the AWS Console for the account based on the task to be performed:
Action to perform on S3 | Permission required |
---|---|
Read an S3 file using the File Reader (S3 protocol) or the S3 File Reader Snap | |
Read the object tags added to an S3 object along with reading the file | |
Write files to S3 | |
Add object tags to the S3 object using the S3 File Writer Snap | |
Delete files from S3 using the File Delete Snap | |
Browse an S3 bucket using the Directory Browser Snap | |
See Setting Permissions and Permissions for the Amazon S3 Bucket for more information.
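An added example, not SnapLogic's code: a small audit of an IAM policy document against the tasks listed in the table above, flagging grants broader than a pipeline needs. The pairing of tasks to standard AWS S3 action names in `TASK_ACTIONS` is an assumption made here (only s3:ListAllMyBuckets comes from this page), and the bucket name is hypothetical. Only Allow statements are evaluated, so Deny, NotAction and Condition are ignored.

```python
import fnmatch

# Assumed pairing of the tasks above with standard AWS S3 IAM actions;
# the action names are AWS's, the pairing is not SnapLogic's own list.
TASK_ACTIONS = {
    "validate account": "s3:ListAllMyBuckets",
    "read file": "s3:GetObject",
    "read object tags": "s3:GetObjectTagging",
    "write file": "s3:PutObject",
    "add object tags": "s3:PutObjectTagging",
    "delete file": "s3:DeleteObject",
    "browse bucket": "s3:ListBucket",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (tasks granted by Allow statements, findings on broad grants)."""
    allowed, findings = set(), []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for task, needed in TASK_ACTIONS.items():
            # IAM action names are case-insensitive and may contain * and ?.
            if any(fnmatch.fnmatchcase(needed.lower(), a.lower()) for a in actions):
                allowed.add(task)
        for a in actions:
            if "*" in a:
                findings.append(f"wildcard action {a}")
        # s3:ListAllMyBuckets must use Resource "*"; other actions should not.
        if "*" in resources and any(a.lower() != "s3:listallmybuckets" for a in actions):
            findings.append("Resource * used for actions other than s3:ListAllMyBuckets")
    return allowed, findings

# Constructed sample: read-only pipeline on a hypothetical bucket.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-pipeline-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectTagging"],
         "Resource": "arn:aws:s3:::example-pipeline-bucket/*"},
    ],
}
```

Running `audit_policy` on the policy attached to the access key or EC2 role shows which Snap tasks will work and whether the grant exceeds them.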