Send data to Amazon S3¶
Note
This topic contains information about configuring a destination that sends query results to Amazon S3 using orchestrations. To configure a destination that sends audiences to Amazon S3 using campaigns see this topic .
Amazon Simple Storage Service (Amazon S3) can store data files of any size for any file format that is supported by Amperity.
Amperity can be configured to send Apache Parquet (recommended), CSV, JSON, NDJSON, PSV, or TSV files to any Amazon S3 bucket.
Get details¶
Review the following details before configuring credentials for Amazon S3 and before configuring Amperity to send Apache Parquet (recommended), CSV, JSON, NDJSON, PSV, or TSV files to any Amazon S3 bucket.
![]() |
Amazon S3 bucket details You will need to know the following details about the Amazon S3 bucket to which Amperity will send data.
|
![]() |
Credential types and settings Amperity supports the following credential types for Amazon S3:
|
![]() |
Required configuration settings
Note All other Amperity file format settings for Amazon S3 are optional. |
Configure credentials¶
Configure credentials for Amazon S3 before adding a destination.
Amperity supports the following credential types for Amazon S3:
An individual with access to Amazon S3 should use SnapPass to securely share “iam-credential” or “iam-role-to-role” details with the individual who will configure Amperity.
IAM role-to-role¶
Amperity prefers to pull data from and send data to customer-managed cloud storage.
Amperity recommends using cross-account role assumption to manage access to Amazon S3. This ensures that your brand manages the security policies that control access to your data.
Using cross-account role assumption helps ensures that customers can:
Directly manage the IAM policies that control access to data
Directly manage the files that are available within the Amazon S3 bucket
Modify access without requiring involvement by Amperity; access may be revoked at any time by either Amazon AWS account, after which data sharing ends immediately
Directly troubleshoot incomplete or missing files
Note
After setting up cross-account role assumption, a list of files (by filename and file type), along with any sample files, must be made available to allow for feed creation. These files may be placed directly into the shared location after cross-account role assumption is configured.
Can I use an Amazon AWS Access Point?
Yes, but with the following limitations:
The direction of access is Amperity access files that are located in a customer-managed Amazon S3 bucket
A credential-free role-to-role access pattern is used
Traffic is not restricted to VPC-only
To configure an S3 bucket for cross-account role assumption
The following steps describe how to configure Amperity to use cross-account role assumption to pull data from (or push data to) a customer-managed Amazon S3 bucket.
Important
These steps require configuration changes to customer-managed Amazon AWS accounts and must be done by users with administrative access.
![]() |
From the Settings page, select the Credentials tab, and then click the Add credential button. |
![]() |
In the Credentials settings dialog box, do the following: From the Plugin dropdown, select Amazon S3. Assign the credential a name and description that ensures other users of Amperity can recognize when to use this destination. From the Credential type drop-down, select iam-role-to-role. |
![]() |
The settings that are available for a credential are determined by the credential type. For the iam-role-to-role credential type, configure the following settings, and then click Save. ![]() You must provide the values for the Target Role ARN and S3 Bucket Name fields. Enter the target role ARN (Amazon Resource Name) for the IAM role that Amperity will use to access the customer-managed Amazon S3 bucket, and then enter the name of the Amazon S3 bucket.
|
![]() |
Review the following sample policy, and then add a similar policy to the customer-managed Amazon S3 bucket that allows Amperity access to the bucket. Add this policy as a trusted policy to the IAM role that is used to manage access to the customer-managed Amazon S3 bucket. The policy for the customer-managed Amazon S3 bucket is unique, but will be similar to: {
"Statement": [
{
"Sid": "AllowAmperityAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::account:role/resource"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "01234567890123456789"
}
}
}
]
}
The value for the role ARN is similar to: arn:aws:iam::1234567890:role/prod/amperity-plugin
|
![]() |
Click Continue to test the configuration (and validate the connection) to the customer-managed Amazon S3 bucket, after which you will be able to continue the steps for adding a courier. |
IAM credentials¶
IAM credentials require an access key, which is in two parts:
An access key ID
A secret access key
Both parts are required to authenticate requests to Amazon AWS resources.
To configure an S3 bucket for IAM credentials
![]() |
From the Settings page, select the Credentials tab, and then click the Add credential button. |
![]() |
In the Credentials settings dialog box, do the following: From the Plugin dropdown, select Amazon S3. Assign the credential a name and description that ensures other users of Amperity can recognize when to use this destination. From the Credential type drop-down, select iam-credential. |
![]() |
The settings that are available for a credential are determined by the credential type. For the iam-credential credential type, configure the following settings, and then click Save. ![]()
|
Add destination¶
Use a sandbox to configure a destination for Amazon S3. Before promoting your changes, send a test audience, and then verify the the results in Amazon S3. After the end-to-end workflow has been verified, push the destination from the sandbox to production.
To add a destination for Amazon S3
![]() |
Open the Destinations page, and then click the Add destination button. ![]() To configure a destination for Amazon S3, do one of the following:
|
![]() |
Select the credential for Amazon S3 from the Credential drop-down, and then click Continue. Tip Click the “Test connection” link on the “Configure destination” page to verify that Amperity can connect to Amazon S3. |
![]() |
In the “Destination settings” dialog box, assign the destination a name and description that ensures other users of Amperity can recognize when to use this destination. Configure business user access By default a destination is available to all users who have permission to view personally identifiable information (PII). Enable the Admin only checkbox to restrict access to only users assigned to the Datagrid Operator and Datagrid Administrator policies. Enable the PII setting checkbox to allow users with limited access to PII access to this destination. Restricted PII access is enabled when the Restrict PII access policy option that prevents users who are assigned to that option from viewing data that is marked as PII anywhere in Amperity and from sending that data to any downstream workflow. |
![]() |
Configure the following settings, and then click “Save”.
|
![]() |
After this destination is configured, users may configure Amperity to:
to Amazon S3. |