AWS S3 Connection
Connect to Amazon S3 to manage objects (files) in your buckets.
Configuration
| Field | Description | Required |
|---|---|---|
| Access Key ID | AWS IAM access key ID | Yes |
| Secret Access Key | AWS IAM secret access key | Yes |
| Region | AWS region (e.g., us-east-1) | Yes |
| Custom Endpoint | Override the S3 endpoint URL | No |
Custom Endpoint is only needed when connecting to S3-compatible services instead of AWS S3. Leave it empty for standard AWS S3. Examples of S3-compatible services and their endpoints:
| Service | Endpoint Format |
|---|---|
| MinIO | http://localhost:9000 (or your MinIO server URL) |
| DigitalOcean Spaces | https://{region}.digitaloceanspaces.com |
| Cloudflare R2 | https://{account_id}.r2.cloudflarestorage.com |
| Backblaze B2 | https://s3.{region}.backblazeb2.com |
Getting Your Credentials
Step 1: Create an IAM User
- Log in to the AWS Console
- Go to IAM > Users > Create user
- Enter a username (e.g.,
workflow-automation-s3) - Click Next
Step 2: Set Permissions
On the Set permissions page, choose Attach policies directly and attach one of the following:
| Policy | Access Level | Use When |
|---|---|---|
AmazonS3FullAccess | Full read/write to all buckets | Quick setup, testing, or when workflows need broad S3 access |
AmazonS3ReadOnlyAccess | Read-only to all buckets | Workflows only list and download objects |
| Custom policy | Scoped to specific buckets/actions | Production use — recommended for least-privilege access |
Custom policy example — scoped to a single bucket
Replace my-bucket with your actual bucket name:
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}To use a custom policy: click Create policy, switch to the JSON tab, paste the policy above, save it, then return to the user creation flow and attach it.
Step 3: Create Access Key
- After creating the user, go to the user's detail page
- Click the Security credentials tab
- Under Access keys, click Create access key
- For use case, select Third-party service
- Check the acknowledgment checkbox and click Next
- Click Create access key
- Copy both the Access Key ID and Secret Access Key — the secret is only shown once
Step 4: Create an S3 Bucket
If you don't already have a bucket, create one:
- Go to the S3 Console
- Click Create bucket
- Enter a Bucket name — must be globally unique (e.g.,
mycompany-workflow-data) - Select the AWS Region — use the same region you'll enter in the connection settings
- Leave Object Ownership as default (ACLs disabled)
- Under Block Public Access settings, keep Block all public access checked (recommended)
- Leave the remaining options as default and click Create bucket
WARNING
The Region you select when creating the bucket must match the Region you configure in the connection settings, otherwise requests will fail.
Usage
Once created, this connection becomes available in:
- S3 List Objects — list objects in a bucket
- S3 Download — download objects
- S3 Upload — upload objects
- S3 Delete — delete objects
TIP
Never use your AWS root account credentials. Always create a dedicated IAM user with only the permissions your workflows need.