Customer-hosted AWS S3 Storage Integration

The S3 integration lets you connect to your S3 bucket for reading and writing data. This integration requires you to provide the name of the S3 bucket to use (only us-east-1 buckets are supported for now).

There are 2 ways to set up an S3 integration:

  1. Using CloudFormation, which automatically creates all required resources.
  2. By creating the resources manually.

Both of these options are available through the Grepr UI or API.

CloudFormation Setup (Recommended)

The CloudFormation deployment method is our recommended approach for most customers. It automates the entire process by:

  1. Creating a new S3 bucket specifically for your Grepr integration
  2. Configuring all necessary permissions and policies
  3. Granting access to an organization-specific role within Grepr

This organization-specific role is only assumed by Grepr jobs processing data for your organization, ensuring complete isolation between different Grepr customers.

Manual

If you want to use an existing bucket, or want to make the changes with a system other than CloudFormation, follow these steps:

  1. If you don't yet have a bucket you want to use, you'll need to create one. Ensure it's in us-east-1.
  2. Attach the following resource policy, replacing {YOUR_BUCKET_NAME} with the bucket's name and {YOUR_ORG_NAME} with your organization name (e.g. if the URL you are using is https://name.app.grepr.ai/, your org name is name):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::992382778380:role/customer-role-{YOUR_ORG_NAME}"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::{YOUR_BUCKET_NAME}"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::992382778380:role/customer-role-{YOUR_ORG_NAME}"
            },
            "Action": [
                "s3:DeleteObjectTagging",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectTagging",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::{YOUR_BUCKET_NAME}/*"
        }
    ]
}
  3. Create the integration using the UI or API.

Note that this method gives a role within Grepr's account access to the bucket. This role is only assumed by Grepr jobs acting on behalf of the specific organization, ensuring isolation between tenants.
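
The following Python example is added here and is not part of Grepr's documentation or tooling. It fills in the two placeholders from step 2 and audits a bucket policy for grants to the Grepr account that go beyond the template above; the function names and the `example-logs` bucket name are assumptions made for illustration.

```python
from urllib.parse import urlparse

ACCOUNT = "992382778380"  # Grepr account ID as it appears in the policy above
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:DeleteObjectTagging", "s3:PutObject", "s3:GetObject",
                  "s3:PutObjectTagging", "s3:DeleteObject"}

def org_from_url(url):
    """Step 2's rule: https://name.app.grepr.ai/ -> 'name'."""
    host = urlparse(url).hostname or ""
    org = host[:-len(".app.grepr.ai")] if host.endswith(".app.grepr.ai") else ""
    if not org or "." in org:
        raise ValueError(f"not a Grepr app URL: {url!r}")
    return org

def render_policy(bucket, org):
    """The page's policy with both placeholders filled in."""
    who = {"AWS": f"arn:aws:iam::{ACCOUNT}:role/customer-role-{org}"}
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": who, "Action": sorted(acts), "Resource": res}
        for acts, res in ((BUCKET_ACTIONS, arn), (OBJECT_ACTIONS, arn + "/*"))]}

def _list(v):
    return v if isinstance(v, list) else [v]  # IAM allows a string or a list

def audit_policy(policy, bucket, org):
    """Findings for Allow statements that give Grepr more than the template does.
    Statements for unrelated, non-wildcard principals are ignored."""
    role = f"arn:aws:iam::{ACCOUNT}:role/customer-role-{org}"
    allowed = {f"arn:aws:s3:::{bucket}": BUCKET_ACTIONS,
               f"arn:aws:s3:::{bucket}/*": OBJECT_ACTIONS}
    findings = []
    for n, st in enumerate(_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        arns = _list(p.get("AWS", [])) if isinstance(p, dict) else [p]
        # Wildcards, the account root, or another org's role are not in the template.
        findings += [f"statement {n}: unexpected principal {a}" for a in arns
                     if a == "*" or (ACCOUNT in a and a != role)]
        if role not in arns:
            continue
        for res in _list(st.get("Resource", [])):
            extra = set(_list(st.get("Action", []))) - allowed.get(res, set())
            if res not in allowed:
                findings.append(f"statement {n}: resource {res} outside bucket")
            elif extra:
                findings.append(f"statement {n}: extra actions {sorted(extra)} on {res}")
    return findings
```

Run `audit_policy` against the policy document currently attached to the bucket to catch drift such as `s3:*`, a wildcard principal, or a role name for a different organization.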

External role

It's possible to tell Grepr to assume a role that you have created in your account. Please contact support@grepr.ai for instructions.