Amazon S3
Nexla's bi-directional connectors can both send data to and receive data from any data system. This means that once a user has created or gained access to a credential for any data system, building any data flow to ingest data from or send data to a location within that data system requires only a few simple steps.
1. Credentials
This section provides information about and step-by-step instructions for creating a new Amazon S3 credential in Nexla.
1.1 Add a New Amazon S3 Credential
After selecting the data source/destination type, in the screen, click . This will open the Add New Credential window.
Enter a name for the new credential in the Credential Name field.
Optional: Enter a description of the credential in the Credential Description field.
Select the appropriate API type from the API Type dropdown menu.
Complete the steps in the following section corresponding to the selected API Type.
- AWS Meter Usage – Section 1.2
- Generic Amazon S3 – Section 1.3
- Odoo ERP Credential – Section 1.4
1.2 AWS Meter Usage
For credentials that use the AWS Meter Usage API type, no additional settings are required once "AWS Meter Usage" has been selected from the API Type pulldown menu.
- Continue to Section 1.6.
1.3 Generic Amazon S3 API
Credentials for used with the generic Amazon S3 API type can be configured to coordinate Nexla access to Amazon S3 via different AWS permissions mechanisms. This section provides instructions for configuring the Amazon S3 credential to use each of the available permissions mechanisms.
Select the authentication method that should be used with the new source from the Authenticate Using dropdown menu.
Access Key – This option configures Nexla to use AWS Access and secret keys to access S3.
ARN & External ID – This option configures Nexla to use IAM ARN to access S3.
Instance Role – This option configures Nexla to use an IAM instance role to access S3.
When "Access Key" is selected:
Enter the AWS access key for the S3 account in the AWS Access Key field.
Enter the AWS secret key for the S3 account in the AWS Secret Key field.
When "ARN & External ID" is selected:
Enter the external ID that will be used to coordinate Nexla access to S3 in the External ID field.
For more information about using an external ID to coordinate third-party access to Amazon S3 and other AWS recources, see this AWS document.
When "Instance Role" is selected:
No further information is needed when configuring the credential to use an instance role to connect to S3.
Section 1.5 provides information about advanced settings available for Amazon S3 credentials along with step-by-step instructions for configuring each setting.
To configure any desired additional advanced settings for this credential, continue to Section 1.5, and complete the relevant steps.
To create this credential without configuring any advanced settings, continue to Section 1.6.
1.4 Odoo ERP Credential
For credentials that use the Odoo ERP Credential API type, this section provides instructions for configuring additional required settings.
Enter the URL of the Odoo server that will be used with this credential in the Odoo Server URL field.
The Odoo server URL is the domain of the Odoo instance, e.g.,
https://mycompany.odoo.com
.Enter the name of the Odoo database that will be accessed using this credential in the Odoo Database Name field.
The Odoo database name is the name of the Odoo instance, e.g.,
my company
.Enter the username that will be used to access S3 with this credential in the Username field.
This setting should be the username configured for the user's S3 login credentials and can be viewed in the Amazon S3 "Change Password" screen.
Enter the password or API key associated with the username entered in Step 3 in the Password field.
Continue to Section 1.6.
1.5 Advanced Settings (Generic Amazon S3 API)
This section provides information about the optional advanced settings available for Amazon S3 credentials that use the Generic Amazon S3 API type, along with step-by-step instructions for configuring each of these settings.
Click to access additional available settings for the credential.
The available Amazon S3 advanced credential settings are listed below, with information and instructions provided for each. Once all desired advanced settings have been configured, continue to Section 1.6.
IAM Amazon Resource Name
To designate the IAM Amazon Resource Name (ARN) for which the credential permissions are applicable, enter the ARN in the IAM ARN field.
Enter the IAM ARN in the format
arn:partition:service:region:account:resource
.
S3 Path for Restricted Access
If the AWS admin has restricted access for this credential to a specific bucket or path inside a bucket, enter the corresponding S3 path in the "S3 Path list is limited to" field.
Client-Side Encryption
Nexla can be configured to encrypt/decrypt S3 objects that require client-side encryption using the AWS Key Management System (KMS).
If client-side KMS encryption is applicable for the S3 objects to which this credential will have access, check the box next to "Enable Client-Side Encryption?".
Select the type of KMS encryption mode that is applicable for this credential from the Client-Side Encryption Mode pulldown menu.
Enter the KMS key that should be used to encrypt/decrypt objects in the Amazon KMS Key for Encryption field.
Please ensure that the user associated with this credential has appropriate KMS permissions. For more information about setting up client-side encryption through AWS KMS and the corresponding user permissions in AWS, see this AWS document.
Server-Side Encryption
Nexla can be configured to encrypt/decrypt S3 objects that require server-side encryption using either Amazon S3-managed encryption keys (SSE-S3) or AWS Key Management Service (SSE-KMS).
If server-side encryption is applicable for the S3 objects to which this credential will have access, check the box next to "Enable Server-Side Encryption?".
Optional: If server-side encryption should be performed using the AWS Key Management System, enter the corresponding Key ARN in the "Key ARN for SSE with KMS" field.
To use Amazon S3-managed encryption keys for server-side encryption, leave this field blank.
File Encryption/Decryption
Nexla can be configured to process encrypted files such that a data source connected to this credential will decrypt files before ingestion, and a data destination connected to this credential will encrypt generated files before uploading to the S3 storage location.
To configure Nexla to encrypt/decrypt files when accessing S3 via this credential, check the box next to "Handle File Encryption/Decryption?".
Select the type of file-encryption protocol that should be used to encrypt/decrypt files from the list of available protocols in the File Encryption Protocol pulldown menu.
PGP Encryption
Enter the ID of the user whose public key will be used for file encryption/decryption in the External User ID field.
Enter the public key will be used for file encryption/decryption in the External User's Public Key field.
Enter the user ID that was used to generate the PGP private key in the Your User ID for Private Key field.
Enter the password for the user ID in Step 5 in the Your Password for Private Key field.
Enter the PGP private key that will be used to encrypt/decrypt files in the Your Private Key field.
1.6 Save and Create the Amazon S3 Credential
Once all of the relevant steps in the above sections have been completed, click at the bottom of the Add New Credential screen to save the credential and all entered information.
The newly added credential will now appear in a tile on the screen and can be selected for use with a new data source or destination.
2. Data Source
To ingest data from an Amazon S3 location, follow the instructions in Section 2 of Common Setup for File-Based Storage Systems.
3. Data Destination
To send data to an Amazon S3 location, follow the instructions in Section 3 of Common Setup for File-Based Storage Systems.