AWS Kinesis Firehose
Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon S3, Amazon Redshift, Amazon OpenSearch Service, Splunk, and HTTP endpoints. The AWS Kinesis Firehose connector enables you to create and manage delivery streams, send data records to streams, and retrieve stream information, allowing you to integrate real-time data streaming into your data workflows.
Power end-to-end data operations for your AWS Kinesis Firehose API with Nexla. Our bi-directional AWS Kinesis Firehose connector is purpose-built for AWS Kinesis Firehose, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to AWS Kinesis Firehose or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your AWS Kinesis Firehose workflows fast, secure, and fully governed.
Features
Type: API
- Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
- Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
- API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
- Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
Prerequisites
Before creating an AWS Kinesis Firehose credential, you'll need to obtain AWS credentials with appropriate permissions for Kinesis Data Firehose operations. AWS uses signature-based authentication that requires access keys and region information.
AWS Account Setup
To obtain the required AWS credentials for Kinesis Data Firehose:
-
Sign in to AWS Console: Navigate to https://aws.amazon.com/console/ and sign in to your AWS account. If you don't have an account, you can create one by clicking Create an AWS Account and following the registration process.
-
Access IAM Service: Once signed in, navigate to the IAM (Identity and Access Management) service from the AWS Services menu. IAM allows you to manage users, groups, and permissions for your AWS account.
-
Create IAM User or Use Existing: Choose one of the following approaches:
Option A: Create a New IAM User
-
In the IAM dashboard, click Users in the left navigation pane, then click Add users.
-
Enter a username for the new user (e.g.,
nexla-kinesis-firehose-user). -
Select Provide user access to the AWS Management Console if you want console access, or leave it unchecked for programmatic access only.
-
Click Next to proceed to permissions.
-
Click Attach policies directly and search for
AmazonKinesisFirehoseFullAccessin the policy search box. This managed policy provides full access to all Kinesis Data Firehose operations. Alternatively, you can create a custom policy with only the specific permissions you need. If creating a custom policy, include the following actions:firehose:CreateDeliveryStream- Required for creating new delivery streamsfirehose:DeleteDeliveryStream- Required for deleting delivery streamsfirehose:DescribeDeliveryStream- Required for retrieving delivery stream detailsfirehose:ListDeliveryStreams- Required for listing all delivery streams in your accountfirehose:PutRecord- Required for sending individual records to delivery streamsfirehose:PutRecordBatch- Required for sending batches of records to delivery streamsfirehose:UpdateDestination- Required for updating delivery stream destination configurationsfirehose:ListTagsForDeliveryStream- Required for retrieving tags associated with delivery streamsfirehose:StartDeliveryStreamEncryption- Required for enabling encryption on delivery streamsfirehose:StopDeliveryStreamEncryption- Required for disabling encryption on delivery streams
-
Click Next to review, then click Create user.
Option B: Use Existing IAM User
-
In the IAM dashboard, click Users in the left navigation pane.
-
Select the existing user you want to use for Nexla.
-
Click the Permissions tab and ensure the user has the necessary Kinesis Data Firehose permissions listed above.
-
-
Create Access Keys: After selecting or creating a user:
-
Click on the user name to open the user details page.
-
Click the Security credentials tab.
-
Scroll to the Access keys section and click Create access key.
-
Select Application running outside AWS as the use case, then click Next.
-
Optionally add a description tag, then click Create access key.
-
Important: Copy both the Access key ID and Secret access key immediately. The secret key will not be shown again. Store these securely.
-
The Access key ID and Secret access key are sensitive credentials that should be kept secure. Store them in a secure location, as you'll need them when creating the credential in Nexla. Never share these credentials publicly or commit them to version control systems.
-
Determine AWS Region: Identify the AWS region where your Kinesis Data Firehose delivery streams are located or where you want to create them. The region determines which AWS data center will handle your API requests. Common regions include:
us-east-1(US East - N. Virginia)us-west-2(US West - Oregon)eu-west-1(Europe - Ireland)ap-southeast-1(Asia Pacific - Singapore)
You can find your region in the AWS Console header (top right corner) or by checking your existing Kinesis Data Firehose stream configuration. The region you select should match the region where your delivery streams are located or where you plan to create them.
-
Determine Service Name: The service name for Kinesis Data Firehose is
firehose. This value is used as part of the AWS Signature Version 4 authentication process. The service name tells AWS which service you're authenticating to and is required for proper request signing. -
Determine Base URL: The base URL for Kinesis Data Firehose API follows the pattern
https://firehose.{region}.amazonaws.com, where{region}is your AWS region identifier. For example:- For
us-east-1region:https://firehose.us-east-1.amazonaws.com - For
us-west-2region:https://firehose.us-west-2.amazonaws.com - For
eu-west-1region:https://firehose.eu-west-1.amazonaws.com
This base URL is the endpoint that will receive all your Kinesis Data Firehose API requests. Ensure the region in the URL matches the region where your resources are located.
- For
For complete information about AWS IAM and managing access keys, see the AWS IAM User Guide. For Kinesis Data Firehose API authentication details, see the AWS Kinesis Data Firehose API Reference.
API Access Requirements
AWS Kinesis Data Firehose API access requires:
- Valid AWS Account: You must have an active AWS account
- IAM User with Access Keys: An IAM user with programmatic access and appropriate permissions
- AWS Access Key ID: The access key identifier for your IAM user
- AWS Secret Access Key: The secret key for your IAM user
- AWS Region: The AWS region where your Kinesis Data Firehose resources are located
- Service Name: The AWS service name (
firehosefor Kinesis Data Firehose) - Base URL: The regional endpoint URL for the Kinesis Data Firehose API
- Optional Session Token: If using temporary credentials (e.g., from AWS STS), a session token may be required
The AWS Kinesis Data Firehose API uses AWS Signature Version 4 authentication, which requires signing each request with your access keys. Nexla handles this signature process automatically when you provide your credentials.
Authenticate
Credentials required
A secure authentication method that signs API requests using AWS access keys
| Field | Required | Secret | Description |
|---|---|---|---|
| AWS Access Key | Yes | No | The access key id of the Access Key pair that is used for verifying the identity of the requesting user. |
| AWS Secret Key | Yes | Yes | The access secret of the Access Key pair that is used for verifying the identity of the requesting user. |
| AWS Region | Yes | No | The region that is receiving the request. |
| Service Name | Yes | No | The service that is receiving the request. |
| Session Token | Yes | Yes | Optional session token if the request requires temporary security credentials. This is added to the request as x-amz-access-token request header. |
| AWS Kinesis Data Firehose Base URL | Yes | No | Specifies the HTTPS endpoint for Firehose API operations. Required for authenticating requests. |
Create a credential in Nexla
- After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
New Credential Overlay – AWS Kinesis Data Firehose API

-
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
-
AWS Access Key: Enter your AWS Access Key ID in the AWS Access Key field. This unique identifier authenticates your IAM user with AWS services. You can find this value in your IAM user's security credentials section.
-
AWS Secret Key: Enter your AWS Secret Access Key in the AWS Secret Key field. This confidential key is used to securely sign API requests using AWS Signature Version 4. The secret key should be kept secure and never shared.
-
AWS Region: Enter the AWS region where your Kinesis Data Firehose delivery streams are located in the AWS Region field. Common regions include
us-east-1,us-west-2,eu-west-1,ap-southeast-1, etc. The region determines which AWS endpoint will be used for API requests. -
Service Name: Enter the AWS service name in the Service Name field. For Kinesis Data Firehose, this should be
firehose. This value is used as part of the AWS signature authentication process. -
Session Token: If you are using temporary credentials (e.g., from AWS STS or assumed roles), enter the session token in the Session Token field. For permanent IAM user credentials, this field can be left empty. Session tokens are required when using temporary security credentials and are added to requests as the
x-amz-access-tokenheader. -
AWS Kinesis Data Firehose Base URL: Enter the base URL for the Kinesis Data Firehose API in the AWS Kinesis Data Firehose Base URL field. The URL should follow the pattern
https://firehose.{region}.amazonaws.com, where{region}is your AWS region (e.g.,https://firehose.us-east-1.amazonaws.com). This URL is required for authenticating requests to the Kinesis Data Firehose API.The AWS credentials are sensitive information that should be kept secure. Nexla will store these credentials securely and use them only for API authentication purposes. Ensure your IAM user has the minimum required permissions for the operations you need to perform. For production environments, consider using IAM roles with temporary credentials instead of permanent access keys when possible.
-
Click the Save button at the bottom of the overlay to save the configured credential. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.
Use as a data source
To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the AWS Kinesis Firehose connector tile, then select the credential that will be used to connect to the AWS Kinesis Firehose instance, and click Next; or, create a new AWS Kinesis Firehose credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common AWS Kinesis Firehose endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.
Manual configuration
AWS Kinesis Firehose data sources can also be manually configured to ingest data from any valid AWS Kinesis Firehose API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.
AWS Kinesis Firehose API endpoints follow the pattern https://firehose.{region}.amazonaws.com/?Action={ActionName} and use query string parameters to specify the action. When setting the path to data, use JSON path notation (e.g., $.DeliveryStreamNames[*]) for JSON responses or XPath (e.g., /ListDeliveryStreamsResponse/DeliveryStreamNames/string) for XML responses. The API uses headers such as Content-Type:application/x-amz-json-1.1 and X-Amz-Target for versioning, which are typically handled automatically based on your credential configuration.
Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new AWS Kinesis Firehose data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.
Use as a destination
Click the + icon on the Nexset that will be sent to the AWS Kinesis Firehose destination, and select the Send to Destination option from the menu. Select the AWS Kinesis Firehose connector from the list of available destination connectors, then select the credential that will be used to connect to the AWS Kinesis Firehose organization, and click Next; or, create a new AWS Kinesis Firehose credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common AWS Kinesis Firehose endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Once the selected endpoint template has been configured, click the Test button to send a test payload to the AWS Kinesis Firehose API and verify that the destination is configured correctly before saving.
Manual configuration
AWS Kinesis Firehose destinations can also be manually configured to send data to any valid AWS Kinesis Firehose API endpoint. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, attribute exclusions, record batching, and response webhooks.
AWS Kinesis Firehose API endpoints follow the pattern https://firehose.{region}.amazonaws.com/?Action={ActionName}. For update/upsert operations, include the ID of the object to be updated at the end of the URL. The API uses headers such as Content-Type:application/x-amz-json-1.1 and X-Amz-Target for versioning, which are typically handled automatically. When batching records, AWS Kinesis Firehose supports up to 500 records per batch (the default batch size is 100).
Save & activate
Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To send the data to the configured AWS Kinesis Firehose delivery stream, open the destination resource menu, and select Activate.
The Nexset data will not be sent to the AWS Kinesis Firehose delivery stream until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.