Ataccama ONE Agentic ONE Desktop ONE DQ&C ONE MDM ONE RDM ONE Runtime Server
User Community Service Desk Downloads

Amazon S3 Connection

This article describes how to connect to Amazon S3.

Availability

Data processing & catalog Edge processing Lineage Exceptions

  • Supports CSV, Apache Parquet, Microsoft Excel files.

  • Doesn’t support creating SQL catalog items.

Prerequisites

  • Review how sources and connections work.

  • Create a source to add this connection to.

  • Configure the following permissions on the target bucket for your IAM user (AWS Access Key) or IAM role (AWS Assume Role):

    • s3:ListBucket: Allows retrieving all content from a bucket.

    • s3:GetObject: Allows downloading files to ONE when browsing or importing data.

  • For AWS Assume Role authentication, also register the Ataccama OIDC provider in your AWS account and create an IAM role that trusts it. See Set Up AWS OIDC Provider.

Add a connection

  1. Go to [your source] > Connections and select Add Connection.

  2. In Connection type, select Amazon S3.

  3. Fill in the following:

    • Name: A meaningful name for your connection. Used to indicate the location of catalog items.

    • Description (Optional): A short description of the connection.

    • Bucket name: The name of the Amazon S3 bucket.

    • Region: The region where the bucket is hosted.

Add credentials

  1. Select Add Credentials.

  2. Choose an authentication method and continue with the corresponding step:

    • AWS Access Key: Static access key and secret key issued in your AWS account.

    • AWS Assume Role: Short-lived credentials obtained on-demand by assuming an Identity and Access Management (IAM) role in your AWS account. No static credentials are stored.

Always use the dedicated credential fields for authentication details such as passwords, secrets, and tokens. This ensures credentials are handled with the appropriate level of protection and reliably preserved across environments.
One set of credentials must be defined as default for each connection. Otherwise, DQ evaluation fails and previewing data in the catalog is not possible.

AWS Access Key

To authenticate using AWS Access Key:

  1. Fill in the following:

    • Name: Provide a clear name for this set of credentials.

    • Description (Optional): Explain what the credentials are used for or provide other useful information.

    • Access key: The AWS access key ID.

    • Secret key: The AWS secret access key.

      For details, see Manage access keys for IAM users.

  2. To use this set of credentials by default when connecting to the data source, select Set as default.

AWS Assume Role

Instead of providing long-lived access keys, you create an IAM role in your AWS account that Ataccama can assume on demand.

The role assumption uses OpenID Connect (OIDC) federation. The Ataccama identity provider is registered as a trusted provider in your AWS account, and Ataccama exchanges a short-lived identity token for temporary AWS credentials by assuming the role.

  1. Fill in the following:

    • Name: Provide a clear name for this set of credentials.

    • Description (Optional): Explain what the credentials are used for or provide other useful information.

    • Amazon Resource Name (ARN): The ARN of the IAM role to assume in your AWS account. Format: arn:aws:iam::<account-id>:role/<role-name>.

    • AWS region: The AWS region used as the Security Token Service (STS) endpoint for the AssumeRoleWithWebIdentity call. Matching the bucket’s region is recommended to minimize latency, but not required.

  2. To use this set of credentials by default when connecting to the data source, select Set as default.

Add write credentials

If you want to export data to this source, add write credentials. Select Add Credentials and follow the instructions in Add credentials.

Next steps

Test and save your connection to complete setup.

Was this page useful?