S3 Dynamic Account

Overview

You can use this account type to connect Binary Snaps with data sources that use an S3 account.

Note:

Expression-enabled authentication fields, such as Username, Password, and Client Secret, support Secrets Management, a SnapLogic add-on that allows you to store endpoint credentials in a third-party secrets manager, such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault. During validation and execution, pipelines obtain the credentials directly from the secrets manager. Learn more: Configure endpoint accounts to use secrets.

Prerequisites

The s3:ListAllMyBuckets permission is required to successfully validate an S3 account. Refer to the Account Permissions section below for additional permissions required for the target resources based on the task to be performed.

Account settings



Legend:
  • Expression icon: Allows using JavaScript syntax to access SnapLogic Expressions to set field values dynamically (if enabled). If disabled, you can provide a static value.
  • SnapGPT: Generates SnapLogic Expressions based on natural language using SnapGPT.
  • Suggestion icon: Populates a list of values dynamically based on your Snap configuration. You can select only one attribute at a time using the icon. Type into the field if it supports a comma-separated list of values.
  • Upload: Uploads files.
Learn more about the icons in the Snap settings dialog.
Each entry below gives the field or field set, its type, and its description.

Label
Type: String
Required. Specify a unique label for the account.
Default value: None.
Example: S3 Dynamic Account

Access-key ID
Type: Dropdown list/Expression
Required. The Access key ID part of AWS authentication.
Default value: None.
Example: xyz876jhnJKBuya9730

Secret key
Type: Dropdown list/Expression
Required. The Secret key part of AWS authentication.
Default value: None.
Example: bn098&^*jhj34kxii0/?

Security Token
Type: Dropdown list/Expression
The Security token part of AWS Security Token Service (STS) credentials.
Default value: None.
Example: XZlkdf129LONmn65n=

Server-side encryption
Type: Checkbox
The type of encryption to use for the objects stored in S3. For Snaps that write objects to S3, this field defines how the objects will be encrypted. For Snaps that read objects from S3, this field is not required.
Default status: Deselected

KMS Encryption type
Type: Dropdown list
The AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN. The available options are:
  • None: The files are not encrypted using KMS encryption.
  • Server side KMS Encryption: The output files on Amazon S3 are encrypted with an Amazon S3-generated KMS key.
  • Client side KMS Encryption: The output files on Amazon S3 are encrypted with a client-generated KMS key.
Note: For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region.
For Snaps that read objects from S3, this field is not required.
Default value: None.
Example: Server-Side KMS Encryption

KMS key
Type: String/Expression
The AWS Key Management Service key used to encrypt S3 objects. It can be the key ID or ARN.
For Snaps that write objects to S3, this is required for encryption types Server-Side encryption with AWS KMS-Managed Keys and Client-Side encryption with AWS KMS-Managed Keys. For Server-Side encryption, the key must be in the same region as the S3 bucket. For Client-Side encryption, a key from any region can be used by using the key ARN value. If a key ID is used for Client-Side encryption, it defaults to the us-east-1 region.
For Snaps that read objects from S3, this field is not required.
Default value: N/A
Example: cvcv866kALm920

KMS region
Type: String/Expression/Suggestion
The AWS region where the KMS key is located.
Default value: None.
Example: us-east-1

Cross Account IAM Role
Type: Field set
Use this field set to configure cross-account access. Learn more about setting up Cross Account IAM Role.

Role ARN
Type: Dropdown list/Expression
The Amazon Resource Name of the role to assume.
Default value: None.

External ID
Type: Dropdown list/Expression
An optional external ID that might be required by the role to assume.
Default value: None.

Support IAM role max session duration
Type: Checkbox
Select this checkbox when you want to extend the maximum session duration of an IAM role defined in AWS. When this checkbox is selected, the cross-account IAM role is assumed with the maximum session duration defined for the IAM role.
Warning: This checkbox is deselected by default. The default maximum session duration for an IAM role is one hour; however, you can define a custom duration between 1-12 hours. Learn how to increase the IAM role maximum session duration limit.
We recommend that you select this checkbox if the maximum session duration of the IAM role is greater than an hour.
Default status: Deselected

Account Permissions

Each Snap is listed with its Snap operations, followed by the minimum S3 permissions for each operation.

S3 Account
  • Validate the S3 account: s3:ListAllMyBuckets

S3 File Writer
  • Write file only with 'File action'=OVERWRITE; use user-defined object metadata: s3:PutObject
  • File write only with 'File action'=IGNORE or ERROR; validate the file after writing: s3:PutObject, s3:ListBucket
  • Write object tags: s3:PutObject, s3:PutObjectTagging
  • Update the Access Control List (ACL): s3:PutObject, s3:ListAllMyBuckets, s3:PutObjectAcl
  • Suggest list of buckets in the File name field: s3:ListAllMyBuckets
  • Suggest S3 objects in File name field: s3:ListBucket

S3 File Reader
  • Read files: s3:GetObject
  • Read versioning-enabled files: s3:GetObject, s3:GetObjectVersion
  • Suggest list of buckets in the File field: s3:ListAllMyBuckets
  • Suggest S3 objects in the File field: s3:ListBucket
  • Suggest list of Version IDs: s3:ListBucketVersions
  • Read object tags: s3:GetObject, s3:GetObjectTagging

File Writer
  • Write a file with 'File action'=OVERWRITE; create directory if not present: s3:PutObject
  • Write file with 'File action'=IGNORE or ERROR; validate after writing: s3:PutObject, s3:ListBucket

ZipFile Writer
  • Write file with 'File action'=OVERWRITE: s3:PutObject
  • Write file with 'File action'=IGNORE or ERROR: s3:PutObject, s3:ListBucket

File Reader
  • Read files: s3:GetObject

ZipFile Reader
  • Read files: s3:GetObject

Multi File Reader
  • Read one file only without wildcards: s3:GetObject
  • Read files; use wildcards; include sub-folders: s3:GetObject, s3:ListBucket

Directory Browser
  • List files and directories: s3:ListBucket

File Delete
  • Delete files: s3:DeleteObject, s3:ListBucket

File Operation
  • Copy files: s3:GetObject, s3:PutObject, s3:ListBucket
  • Move files: s3:GetObject, s3:PutObject, s3:ListBucket, s3:DeleteObject

File Poller
  • Poll files: s3:GetObject, s3:ListBucket
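
The permissions above are listed as action names only, but in an IAM policy they attach to different resource types (all resources, the bucket, or the objects in it). The following Python sketch is an added example, not SnapLogic code: it builds a least-privilege policy for a chosen set of Snap operations. The operation labels, the function name, the bucket name `example-bucket` and the `inbound/` prefix are assumptions made for illustration.

```python
import json

# A selection of rows from the Account Permissions table on this page.
# The dictionary keys are labels made up for this example.
REQUIRED = {
    "account.validate": ["s3:ListAllMyBuckets"],
    "s3_file_writer.overwrite": ["s3:PutObject"],
    "s3_file_writer.ignore_or_error": ["s3:PutObject", "s3:ListBucket"],
    "s3_file_writer.object_tags": ["s3:PutObject", "s3:PutObjectTagging"],
    "s3_file_reader.read": ["s3:GetObject"],
    "s3_file_reader.read_versioned": ["s3:GetObject", "s3:GetObjectVersion"],
    "s3_file_reader.suggest_versions": ["s3:ListBucketVersions"],
    "file_delete.delete": ["s3:DeleteObject", "s3:ListBucket"],
    "file_operation.move": ["s3:GetObject", "s3:PutObject", "s3:ListBucket",
                            "s3:DeleteObject"],
    "file_poller.poll": ["s3:GetObject", "s3:ListBucket"],
}

# IAM matches these actions against different resource types, so a single
# statement with Resource "bucket/*" would not grant them.
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}                    # Resource "*"
BUCKET_LEVEL = {"s3:ListBucket", "s3:ListBucketVersions"}  # bucket ARN


def build_policy(operations, bucket, prefix=""):
    """Return a policy granting only what the chosen operations need."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}*"  # prefix narrows object actions only
    grouped = {"*": set(), bucket_arn: set(), object_arn: set()}
    for op in operations:
        for action in REQUIRED[op]:  # unknown operation raises KeyError
            if action in ACCOUNT_LEVEL:
                grouped["*"].add(action)
            elif action in BUCKET_LEVEL:
                grouped[bucket_arn].add(action)
            else:
                grouped[object_arn].add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in grouped.items() if actions
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    ops = ["account.validate", "s3_file_writer.ignore_or_error", "s3_file_reader.read"]
    print(json.dumps(build_policy(ops, "example-bucket", "inbound/"), indent=2))
```

Including `account.validate` keeps the s3:ListAllMyBuckets permission that the Prerequisites section requires for account validation.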

Learn more about Setting Permissions and Permissions for the Amazon S3 Bucket.