Authorization

When you add an AWS S3 card to a flow for the first time, you'll be prompted to configure the connection. This will enable you to connect your AWS S3 account, save your account information, and reuse the connection for future AWS S3 flows.

Tip

You can create multiple connections and manage them from your Connections page.

To create a new connection from an action card:

  1. Click New Connection.

  2. Enter a Connection Nickname. This is useful if you plan to create multiple AWS S3 connections to share with your team.

  3. Copy the ID from Account ID to the associated role's trust policy. See Providing access to AWS accounts owned by third parties.

  4. Copy the ID from External ID to the associated role's trust policy. See Providing access to AWS accounts owned by third parties.

  5. Enter a Role Amazon Resource Name (ARN). See IAM Identifiers.

  6. Click Create.
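
The trust policy that steps 3 and 4 fill in, together with a check that an existing policy really restricts role assumption to that Account ID and External ID. This is an added example, not code from the product documentation; the function names and the account and external ID values are constructed placeholders, and the policy layout follows the standard AWS format for third-party access with sts:ExternalId.

```python
def build_trust_policy(account_id, external_id):
    """Trust policy: only `account_id` may assume the role, and only with `external_id`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    # IAM allows a single string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, account_id, external_id):
    """Return a list of findings; an empty list means the policy matches steps 3 and 4."""
    findings, trusted = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws:
            findings.append("wildcard principal can assume the role")
            continue
        if not any(p == account_id or p.startswith(f"arn:aws:iam::{account_id}:") for p in aws):
            continue
        trusted = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive in IAM.
        expected = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if expected is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif _as_list(expected) != [external_id]:
            findings.append("sts:ExternalId does not match the connection's External ID")
    if not trusted:
        findings.append(f"no statement trusts account {account_id}")
    return findings


if __name__ == "__main__":
    import json
    # Constructed placeholder values, not real identifiers.
    policy = build_trust_policy("111122223333", "example-external-id")
    print(json.dumps(policy, indent=4))
    print(audit_trust_policy(policy, "111122223333", "example-external-id"))
```
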

Note

The role you create for AWS S3 operations must have an IAM policy attached to it. The IAM policy allows you to manage access to your AWS resources by specifying actions that the AWS S3 connector may run. You can attach an AWS managed policy or a customer managed policy. The following code is a customer managed AWS policy example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectRetention",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:PutBucketOwnershipControls",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetObjectLegalHold",
                "s3:BypassGovernanceRetention",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration",
                "s3:GetObjectTagging",
                "s3:PutBucketAcl",
                "s3:PutObjectTagging",
                "s3:PutBucketObjectLockConfiguration",
                "s3:DeleteObject",
                "s3:DeleteBucket",
                "s3:PutBucketVersioning",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": "*"
        }
    ]
}

Related topics

AWS S3 connector

About the elements of Okta Workflows

AWS S3 Rest API overview