Skip to main content

Linking Amazon S3 as a Source

This guide walks through connecting an S3 bucket to Actioneer. The setup creates a dedicated IAM user with a read-only policy scoped to your specific bucket.
  
  Prerequisites  AWS account with an S3 bucket, Actioneer account
  Access granted  ListBucket and GetObject on specified bucket
  Estimated time  ~15–20 minutes
Actioneer cannot upload, overwrite, delete, or modify any files or bucket settings.
1

Note your S3 bucket name and region

Two values are needed from the AWS Console.
  1. Sign in at console.aws.amazon.com and open the S3 service.
  2. Locate your bucket in the list. Copy the exact Bucket Name — it is case-sensitive.
  3. Click the bucket name. The AWS Region is shown at the top of the overview page (e.g., us-east-1).
  Field  Location  Value Example
  Bucket Name  S3 bucket list  my-company-data
  AWS Region  Bucket overview page  us-east-1
2

Create a read-only IAM policy

This policy grants Actioneer permission to list and read objects in your bucket. Nothing else.
  1. In the AWS Console, open IAMPoliciesCreate policy.
  2. Click the JSON tab and paste the following. Replace YOUR-BUCKET-NAME with the bucket name from Step 1.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}
  1. Click Next, name the policy ActioneerS3ReadOnly, and click Create policy.
The JSON above grants two permissions: one to browse the list of files in your bucket, and another to read their contents. Neither allows writing, deleting, or modifying anything.
If you only want Actioneer to access a specific folder (e.g., reports/2025/), replace the /* at the end of the second resource line with /your-folder/*. This limits access to that folder and everything inside it.
3

Create a dedicated IAM user and generate access keys

A dedicated user keeps Actioneer’s credentials separate from personal accounts and makes it straightforward to revoke access later.
  1. In IAM, click UsersCreate user.
  2. Name it actioneer-readonly. Leave console access unchecked — this user only needs programmatic access.
  3. Click Next, select Attach policies directly, search for ActioneerS3ReadOnly, select it, and click Create user.
  4. Click the new user’s name → Security credentials tab → Create access key.
  5. Select Application running outside AWS, click Next, then Create access key.
  6. Copy both the Access Key ID and the Secret Access Key.
AWS displays the Secret Access Key exactly once. If you close the page without copying it, you will need to delete the key and create a new one. Store both values in a password manager.
4

Connect Amazon S3 in Actioneer

  1. In Actioneer, click Data in the left sidebar.
  2. Select Amazon S3 from the list of data sources.
  3. When prompted, select Direct Connection.
  4. Complete the connection form:
  Field  Value
  Connection Name  A descriptive label, e.g. Analytics Bucket
  Bucket Name  From Step 1 (e.g., my-data-bucket)
  AWS Region  From Step 1 (e.g., us-east-1)
  AWS Access Key ID  From Step 3 (starts with AKIA)
  AWS Secret Access Key  From Step 3
  1. Click Connect.

Common questions

No. The IAM policy grants only ListBucket and GetObject. Actioneer cannot upload, overwrite, delete, rename, or modify any files or bucket settings.
Your Secret Access Key is encrypted at rest with AES-256 and encrypted in transit with TLS 1.3. It is never stored in plain text or logged. Actioneer is SOC 2 Type II certified, ISO 27001 certified (audited by Schellman), and GDPR compliant.

Need a hand?

Stuck on a step or running into an error? Reach out at connect@actioneer.com.