Amazon S3 connection s3-connection
Destination changelog changelog
table 0-row-3 1-row-3 2-row-3 layout-auto | ||
---|---|---|
Release month | Update type | Description |
January 2024 | Functionality and documentation update | The Amazon S3 destination connector now supports a new assumed role authentication type. Read more about it in the authentication section. |
July 2023 | Functionality and documentation update |
With the July 2023 Experience Platform release, the Amazon S3 destination provides new functionality, as listed below:
|
Connect to your Amazon S3 storage through API or UI connect-api-or-ui
- To connect to your Amazon S3 storage location using the Platform user interface, read the sections Connect to the destination and Activate audiences to this destination below.
- To connect to your Amazon S3 storage location programmatically, read the guide on how to activate audiences to file-based destinations by using the Flow Service API tutorial.
Supported audiences supported-audiences
This section describes which types of audiences you can export to this destination.
Export type and frequency export-type-frequency
Refer to the table below for information about the destination export type and frequency.
Export datasets export-datasets
This destination supports dataset exports. For complete information on how to set up dataset exports, read the tutorials:
File format of the exported data file-format
When exporting audience data, Platform creates a .csv
, parquet
, or .json
file in the storage location that you provided. For more information about the files, see the supported file formats for export section in the audience activation tutorial.
When exporting datasets, Platform creates a .parquet
or .json
file in the storage location that you provided. For more information about the files, see the verify successful dataset export section in the export datasets tutorial.
Connect to the destination connect
To connect to this destination, follow the steps described in the destination configuration tutorial. In the destination configuration workflow, fill in the fields listed in the two sections below.
Authenticate to destination authenticate
To authenticate to the destination, fill in the required fields and select Connect to destination. The Amazon S3 destination supports two authentication methods:
- Access key and secret key authentication
- Assumed role authentication
Access key and secret key authentication
Use this authentication method when you want to input your Amazon S3 access key and secret key to allow Experience Platform to export data to your Amazon S3 properties.
-
Amazon S3 access key and Amazon S3 secret key: In Amazon S3, generate an
access key - secret access key
pair to grant Platform access to your Amazon S3 account. Learn more in the . -
Encryption key: Optionally, you can attach your RSA-formatted public key to add encryption to your exported files. View an example of a correctly formatted encryption key in the image below.
Assumed role assumed-role-authentication
Use this authentication type if you prefer not to share account keys and secret keys with ÃÛ¶¹ÊÓƵ. Instead, Experience Platform connects to your Amazon S3 location using role-based access.
To do this, you need to create in the AWS console an assumed user for ÃÛ¶¹ÊÓƵ with the right required permissions to write to your Amazon S3 buckets. Create a Trusted entity in AWS with the ÃÛ¶¹ÊÓƵ account 670664943635. For more information, refer to the .
- Role: Paste the ARN of the role that you created in AWS for the ÃÛ¶¹ÊÓƵ user. The pattern is similar to
arn:aws:iam::800873819705:role/destinations-role-customer
. - Encryption key: Optionally, you can attach your RSA-formatted public key to add encryption to your exported files. View an example of a correctly formatted encryption key in the image below.
Fill in destination details destination-details
To configure details for the destination, fill in the required and optional fields below. An asterisk next to a field in the UI indicates that the field is required.
-
Name: Enter a name that will help you identify this destination.
-
Description: Enter a description of this destination.
-
Bucket name: Enter the name of the Amazon S3 bucket to be used by this destination.
-
Folder path: Enter the path to the destination folder that will host the exported files.
-
File type: Select the format Experience Platform should use for the exported files. When selecting the CSV option, you can also configure the file formatting options.
-
Compression format: Select the compression type that Experience Platform should use for the exported files.
-
Include manifest file: Toggle this option on if you’d like the exports to include a manifest JSON file that contains information about the export location, export size, and more. The manifest is named using the format
manifest-<<destinationId>>-<<dataflowRunId>>.json
. View a sample manifest file. The manifest file includes the following fields:flowRunId
: The dataflow run which generated the exported file.scheduledTime
: The time in UTC when the file was exported.exportResults.sinkPath
: The path in your storage location where the exported file is deposited.exportResults.name
: The name of the exported file.size
: The size of the exported file, in bytes.
Enable alerts enable-alerts
You can enable alerts to receive notifications on the status of the dataflow to your destination. Select an alert from the list to subscribe to receive notifications on the status of your dataflow. For more information on alerts, see the guide on subscribing to destinations alerts using the UI.
When you are finished providing details for your destination connection, select Next.
Required Amazon S3 permissions required-s3-permission
To successfully connect and export data to your Amazon S3 storage location, create an Identity and Access Management (IAM) user for Platform in Amazon S3 and assign permissions for the following actions:
s3:DeleteObject
s3:GetBucketLocation
s3:GetObject
s3:ListBucket
s3:PutObject
s3:ListMultipartUploadParts
Minimum required permissions for IAM assumed role authentication minimum-permissions-iam-user
When configuring the IAM role as a customer, make sure that the permission policy associated with the role includes the required actions to the target folder in the bucket and the s3:ListBucket
action for the root of the bucket. View below an example of the minimum permissions policy for this authentication type:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:ListMultipartUploadParts"
],
"Resource": "arn:aws:s3:::bucket/folder/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket"
}
]
}
Activate audiences to this destination activate
-
To activate data, you need the View Destinations, Activate Destinations, View Profiles, and View Segments access control permissions. Read the access control overview or contact your product administrator to obtain the required permissions.
-
To export identities, you need the View Identity Graph access control permission.
{width="100" modal="regular"}
See Activate audience data to batch profile export destinations for instructions on activating audiences to this destination.
Validate successful data export exported-data
To verify if data has been exported successfully, check your Amazon S3 storage and make sure that the exported files contain the expected profile populations.
IP address allowlist ip-address-allow-list
Refer to the IP address allowlist article if you need to add ÃÛ¶¹ÊÓƵ IPs to an allowlist.