Skip to main content

Prerequisites

  • By default, S3 authentication uses role-based access. You will need the trust policy prepopulated with our identifier to grant access. It should look similar to the following JSON object with a proper service account identifier:
Trust policy
1

Set up destination S3 bucket

Create bucket

  1. Navigate to the S3 service page.
  2. Click Create bucket.
  3. Enter a Bucket name and modify any of the default settings as desired. Note: Object Ownership can be set to “ACLs disabled” and Block Public Access settings for this bucket can be set to “Block all public access” as recommended by AWS. Make note of the Bucket name and AWS Region.
  4. Click Create bucket.
Recommendation: dedicated bucket for data transfersUse a unique bucket for these transfers. This:
  • Prevents resource contention with other workloads
  • Avoids accidental data loss from mixed lifecycle or cleanup rules
  • Improves security by reducing surface area and enabling tighter, destination-scoped policies
2

Create policy and IAM role

Create policy

  1. Navigate to the IAM service page.
  2. Navigate to the Policies navigation tab, and click Create policy.
  3. Click the JSON tab, and paste the following policy, being sure to replace BUCKET_NAME with the name of the bucket chosen in Step 1.
IAM policy
Connection Test File Cleanup (Optional)By default, a connection test is performed against the destination during initial configuration. This test writes temporary artifacts under the prefix _test_connection/ (located at either the bucket root, or inside the custom folder prefix configured on the destination, if present).If you do not grant delete permissions (s3:DeleteObject), the connection test will still succeed, but these test files will remain in your bucket. To automatically clean them up and avoid clutter or minor storage charges, you can optionally configure an S3 Lifecycle Policy on your bucket to expire objects matching the _test_connection/ prefix (or <your_folder>/_test_connection/ if a custom folder was configured) after 1 day, or delete them manually.
KMS encryption (optional)S3 destinations support buckets with KMS encryption (CMK). Encryption with SSE-C is not currently supported. For KMS encryption, add the following statement to the Statement array of your IAM policy to allow data encryption/decryption with your KMS key:
KMS policy statement
Replace REGION_NAME, ACCOUNT_ID, and KEY_ID with your values.
  1. Click Next: Tags, click Next: Review.
  2. Name the policy, add a description, and click Create policy.
3

Add your destination

Use the following details to complete the connection setup: bucket name, bucket region, and role ARN.

Permissions checklist

  • IAM policy on the role allows:
    • s3:PutObject on arn:aws:s3:::BUCKET_NAME/*
    • (Optional) s3:DeleteObject on arn:aws:s3:::BUCKET_NAME/* (if you wish to let connection tests automatically clean up test files instead of using a lifecycle policy)
  • If using KMS encryption (CMK), IAM policy also allows:
    • kms:GenerateDataKey and kms:Decrypt on your CMK ARN
  • Bucket exists in the intended region; folder prefix (if any) is configured as desired
  • Trust policy allows the data transfer service to assume the role

FAQ

The recommended approach is role-based access using an IAM Role with a scoped permissions policy. The role is assumed via a trust policy and short-lived credentials, so no long-lived access keys are required. Optionally, access can be configured with HMAC access keys if your policies require it. For at-rest encryption, S3-managed encryption or KMS CMKs are supported (see the KMS callout above for required actions). Grant only the minimum permissions needed (PutObject, and DeleteObject for initial connection test).
These are identity claims used in the IAM trust policy when federating from GCP to AWS. sub uniquely identifies our Google principal in federation. oaud is an additional claim used to bind role assumption to your organization.
Data lands in Hive-style partitions per model: <folder>/<model_name>/dt=<transfer_date>/<file_part>_<transfer_timestamp>.<ext>. You can set <folder> during configuration.
Parquet (default/recommended), CSV, and JSON/JSONL.
Files are automatically split; multiple files may be written per model per transfer.
Each transfer writes a manifest file per model under _manifests. The _manifests folder is created automatically at the root of the bucket. Files are written per model per transfer in the following format: _manifests/<model_name>/dt=<transfer_date>/manifest_{transfer_id}.json.
Object storage is append-only. The change detection process uses a lookback window to ensure no data is missed, which can create duplicates. Downstream pipelines should deduplicate on primary keys prioritizing the most recent transfer window; manifest files can help bound the set of files to read.