Amazon S3 Connector Setup Guide
This article describes how to set up the Amazon S3 connector.
Batch Limits
This connector uses batched requests to support high-volume data transfers to the vendor. For more information, see Batched Actions. Requests are queued until one of the following thresholds is met or the profile is published:
- Maximum number of requests: 100,000
- Maximum time since oldest request: 60 minutes
- Maximum size of requests: 100 MB
Configuration
Go to the Connector Marketplace and add a new connector. For general instructions on how to add a connector, see About Connectors.
After adding the connector, configure the following settings:
- Authentication Type
- Select the authentication type. Available options are: STS and Access Key.
- STS: Requires Assume Role: ARN and Assume Role: Session Name fields.
- Access Key: Requires AWS Access Key and AWS Secret Access Key fields.
- Select the authentication type. Available options are: STS and Access Key.
- Region
- Required. Select a region.
- STS - Assume Role: ARN
- Required for STS authentication. Provide the Amazon Resource Name (ARN) of the role to assume.
- For example,
arn:aws:iam:222222222222:role/myrole. - For more information, see AWS Identity and Access Management: Switch to an IAM role (AWS API).
- STS - Assume Role: Session Name
- The name of the session for the role to assume.
- Must be between 2 and 64 characters.
- STS - Assume Role: External ID
- Provide a third-party external identifier.
- For more information, see AWS Identity and Access Management: Access to AWS accounts owned by third parties.
- Access Key - AWS Access Key
- Required for Access Key authentication. Provide the AWS access key.
- Access Key - AWS Secret Access Key
- Required for Access Key authentication. Provide the AWS secret access key.
Create a connection to AWS S3
Tealium requires a connection to an AWS S3 instance to display a list of buckets and upload event and audience data into S3 objects. You have two options for authentication:
- Provide an Access Key and Access Secret.
- Provide STS (Security Token Service) credentials.
Access Key and Secret credentials
To find your AWS Access Key and Secret:
- Log in to the AWS Management Console and go to the IAM (Identity and Access Management) service.
- Click Users and then click Add user.
- Enter a username. For example,
TealiumS3User. - Attach policies to the user you have just created.
- In the Permissions tab, click Attach existing policies directly.
- Search for and attach the
AmazonS3FullAccesspolicy for full access. To restrict access to a specific bucket, create a policy similar to the following example. In the example,YOUR_BUCKET_NAMEis the bucket that Tealium would use to upload event and audience data into S3 objects:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*" ] } ] } - Create the keys.
- Go to the Security credentials tab and click Create Access Key.
- Copy the Access Key ID and Secret Access Key, and save them securely.
STS credentials
To find your STS credentials:
- Log in to the AWS Management Console and go to the IAM (Identity and Access Management) service.
- Click Roles and then click Create role.
- For the Trusted entity type, select the AWS account.
- Select Another AWS account and enter the Tealium account ID:
757913464184. - Optional. Select the Require external ID checkbox and specify the external ID that you want to use. External IDs can be up to 256 characters long and can include alphanumeric characters (
A-Z,a-z,0-9) and symbols, such as hyphens (-), underscores (_), and periods (.). - Enter a name for the role. The role name must start with TealiumS3. For example:
TealiumS3-test. - Attach policies to the role.
- In the Permissions tab, click Attach existing policies directly.
- Search for and attach the
AmazonS3FullAccesspolicy for full access. To restrict access to a specific bucket, create a policy similar to the following example. In the example,YOUR_BUCKET_NAMEis the bucket that Tealium would use to upload event and audience data into S3 objects:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*" ] } ] } - Create a trust policy.
- Go to the Trust relationships tab and click Edit trust relationship.
- Ensure that the trust policy allows the specific external ID to use the role you created and that the Tealium production account ID is
757913464184. - Set the
EXTERNAL_IDvalue for the connection to Tealium. The ID can be up to 256 characters long and can include alphanumeric characters (A-Z,a-z,0-9) and symbols, such as hyphens (-), underscores (_), and periods (.).
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::757913464184:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "EXTERNAL_ID" } } } ] }
Create a bucket
An S3 bucket is a storage container within AWS S3 used to store and organize data. In the connector configuration window, you can create a new bucket by clicking Create Bucket in the configuration step.
- In the connector configuration screen, click Create Bucket.
- Enter the bucket name.
- Click Create.
Actions
| Action Name | AudienceStream | EventStream |
|---|---|---|
| Send Entire Event Data | ✗ | ✓ |
| Send Custom Event Data | ✗ | ✓ |
| Send Entire Visitor Data | ✓ | ✗ |
| Send Custom Visitor Data | ✓ | ✗ |
Enter a name for the action and select the action type from the drop-down menu.
The following section describes how to set up parameters and options for each action.
Send Entire Event Data
Parameters
| Parameter | Description |
|---|---|
| Bucket | Select the Amazon S3 bucket or provide a custom value. |
| File Path | Specify the path to the S3 object where you want the data to be appended. |
| File Path Suffix | If you want to dynamically add a suffix to the file path, for example, an attribute with the current timestamp, select it here. If multiple suffix values are provided, they will be separated by an underscore character. |
| Record Suffix |
|
| Overwrite Existing File | If selected, replaces the existing S3 object with the current data. If not selected, appends the data instead. |
| Print Attribute Names | By default, the attribute keys are used. If you want to use the attribute names as keys instead, enable this checkbox. Consider that the payload names will reflect the update if the attribute names are updated. |
| Batch Time To Live | The time-to-live (TTL) in minutes. Must be between 1 and 60. The default is 60 minutes. |
Send Custom Event Data
Parameters
| Parameter | Description |
|---|---|
| Bucket | Select the Amazon S3 bucket or provide a custom value. |
| File Path | Specify the path to the S3 object where you want the data to be appended. |
Message Data
| Parameter | Description |
|---|---|
| File Path Suffix | If you want to dynamically add a suffix to the file path, for example, an attribute with the current timestamp, select it here. If multiple suffix values are provided, they will be separated by an underscore character. |
| Record Suffix |
|
| Overwrite Existing File | If selected, replaces the existing S3 object with the current data. If not selected, appends the data instead. |
| Batch Time To Live | The time-to-live (TTL) in minutes. Must be between 1 and 60. The default is 60 minutes. |
| Template Variables |
|
| Templates |
|
Send Entire Visitor Data
Parameters
| Parameter | Description |
|---|---|
| Bucket | Select the Amazon S3 bucket or provide a custom value. |
| File Path | Specify the path to the S3 object where you want the data to be appended. |
| File Path Suffix | If you want to dynamically add a suffix to the file path, for example, an attribute with the current timestamp, select it here. If multiple suffix values are provided, they will be separated by an underscore character. |
| Record Suffix |
|
| Overwrite Existing File | If selected, replaces the existing S3 object with the current data. If not selected, appends the data instead. |
| Print Attribute Names | By default, the attribute keys are used. If you want to use the attribute names as keys instead, enable this checkbox. Consider that the payload names will reflect the update if the attribute names are updated. |
| Batch Time To Live | The time-to-live (TTL) in minutes. Must be between 1 and 60. The default is 60 minutes. |
| Include All Visitor Events | Select to include current visit data with visitor data. |
Send Custom Visitor Data
Parameters
| Parameter | Description |
|---|---|
| Bucket | Select the Amazon S3 bucket or provide a custom value. |
| File Path | Specify the path to the S3 object where you want the data to be appended. |
Message Data
| Parameter | Description |
|---|---|
| File Path Suffix | If you want to dynamically add a suffix to the file path, for example, an attribute with the current timestamp, select it here. If multiple suffix values are provided, they will be separated by an underscore character. |
| Record Suffix |
|
| Overwrite Existing File | If selected, replaces the existing S3 object with the current data. If not selected, appends the data instead. |
| Batch Time To Live | The time-to-live (TTL) in minutes. Must be between 1 and 60. The default is 60 minutes. |
| Template Variables |
|
| Templates |
|
This page was last updated: March 3, 2025