Connectors / Service / AWS S3

Amazon Web Services (AWS) Simple Storage Service (S3) (updated: 1522918158808)


AWS S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance.


AWS S3 provides simple object storage. It is useful for hosting website images and videos, data analytics, and both mobile and web applications. S3 object storage manages data as objects, meaning all data types are stored in their native formats.

AWS S3 templates

Please note that we have the following AWS S3 templates available:

These will give you pre-configured best practice ways of working with AWS S3 and integrating it with other connectors.

However, please continue to at least read the Authentication setup instructions on this page to enable you to get started with using AWS S3.

Note on testing S3

If you are testing an S3 bucket setup from scratch, an important point to bear in mind is that you need to have at least two buckets with subfolders in your S3 instance:


Each bucket should contain at least one folder:


It is also important to check that the public settings of your buckets do not block any of your actions.

If you try and test with only one bucket set up, no buckets will show when you attempt to use any of the Tray get or put operations.


When using the Tray S3 connector you must first create an authentication for a correctly configured user by clicking on 'New Authentication':


Then entering the Access Key and Secret Key for the user


Please see the instructions below for how to correctly configure a user with access to your S3 buckets.

Important note on s3 region

It is important that you set the Amazon region your buckets are hosted in correctly.

This is done by clicking on 'Show Advanced Settings'

You can then specify the region using the appropriate drop-down:


Leaving the region as 'auto' will lead to errors with some operations such as 'List Buckets' which will give:

"message": "getaddrinfo ENOTFOUND"

1 - Create a user

In order to authenticate with the S3 Connector, you must use the IAM console to set up a user with the correct permissions. The two steps required for this are:

  1. Create a user

  2. Create a permissions policy

The user must be created with programmatic access:


At the final stage you will be issued with the required Access key ID and Secret access key which you need to enter when authenticating with the Tray connector:


2 - Create a policy

Before using the Tray S3 connector, you will need to make sure the user is set with the correct IAM permissions.

S3 permissions policies can be managed on two levels and you can manage all at user level if desired:

  1. At the user level - the basic 'List Buckets' operation (which displays all buckets a user has access to) must be set at this level

  2. At the individual bucket level - you can specify the user as a 'Principal' when defining bucket access permissions. All other permissions can be set here

You can divide the permissions between user- and bucket-level policies, but you will always need to set a user-level policy to allow for the 'List Buckets' operation.

Setting a policy at user level

In the IAM console, when setting permissions for an AWS user you can create a policy to add the user to or you can add an 'inline policy' in the user's details screen:


You can add the policy using the visual editor:


Or click on the JSON tab to enter a policy such as the following which would give the user access to a bucket called 'bucket-name-1':

"Version": "2012-10-17",
"Statement": [
"Sid": "s3policy0",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name-1"
"Sid": "s3policy1",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name-1/*"
"Sid": "s3policy2",
"Effect": "Allow",
"Action": [
"Resource": "arn:aws:s3:::bucket-name-1/*"
"Sid": "s3policy3",
"Effect": "Allow",
"Action": "s3:PutObjectAcl",
"Resource": "arn:aws:s3:::bucket-name-1/*"
"Sid": "s3policy4",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"

Note that the ARN (Amazon Resource Name) for the bucket/object has to be entered into the "Resource" for each permission, and how it is different for s3:ListBucket and s3:ListAllMyBuckets :

  • "Resource": "arn:aws:s3:::bucket-name-1/*" means that it applies to any invidual objects within a bucket (you could name specific objects e.g. arn:aws:s3:::bucket-name-1/picture1.jpg)

  • "Resource": "arn:aws:s3:::bucket-name-1" means that it applies to the bucket itself (note there is no trailing slash)

  • "Resource": "*" must be used for s3:ListAllMyBuckets as it does not apply to one particular bucket

Remember that s3:ListAllMyBuckets can only be set at user level.

Setting a policy at bucket level

In the S3 console, it is also possible to set an individual policy on a specific bucket:


Note that you must specify a user's ARN as a Principal and remember that s3:ListAllMyBuckets can only be set at user level, so cannot be entered as part of a bucket policy.

Table of required permissions

The following table sets out the permissions that are required for full use of the different operations available in the Tray s3 connector:

operation permissions resource
Delete Object s3:GetObject, s3:DeleteObject, s3:DeleteObjectVersion arn:aws:s3:::[bucket]/[object]
Get Object s3:GetObject arn:aws:s3:::[bucket]/[object]
Get Object Signed Url s3:GetObject arn:aws:s3:::[bucket]/[object]
Head Object s3:GetObject arn:aws:s3:::[bucket]/[object]
List Buckets s3:GetObject, s3:ListAllMyBuckets *
List Bucket Objects s3:ListBucket, s3:GetObject arn:aws:s3:::[bucket]
Put Object Acl s3:GetObject, s3:PutObjectAcl arn:aws:s3:::[bucket]/[object]
Put Object File s3:PutObject, s3:PutObjectAcl arn:aws:s3:::[bucket]/[object]
Put Object Text s3:PutObject, s3:PutObjectAcl arn:aws:s3:::[bucket]/[object]

All Operations

Latest version:


Delete Multiple Objects

Delete multiple objects in an S3 bucket.

Delete Object

Delete an object in an S3 bucket.

Get Object

Get an object from an S3 bucket.

Get Object's Signed URL

Get an object's signed url from an S3 bucket.

Get bucket location

Get the region of specified bucket.

Head Object

Get object metadata

List Bucket Objects

List objects in an S3 bucket.

List Buckets

List all the buckets available for your authentication.

List buckets DDL

Put Object (File)

Put an object in an S3 bucket from an existing file object.

Put Object (Text)

Put an object in an S3 bucket from some UTF-8 text content and a mime type.

Put Object ACL

Put an existing-object Access Control List