What is an S3 Connection?
When you place large files that are hard to upload through the browser in an Amazon S3 bucket, OneSight reads them directly at query time. Files are not copied or stored, so replacing the original takes effect starting with the next query.Only users with Admin privileges can register a data source. The AWS-side setup (Step 1) must be handled by the person who manages that bucket.
What You’ll Need
- The bucket name and region to connect (e.g.,
ap-northeast-2) - AWS permissions to set up one of the two authentication methods below
Two Authentication Methods
S3-compatible storage (MinIO, Cloudflare R2, etc.) does not support role delegation. In that case, use the Access Key method.
Step 1: Prepare Read-Only Permissions (AWS)
OneSight only needs the two permissions below. Do not grant permissions to upload or delete files, since they are not used.1
Create a Policy
In the AWS Console, go to IAM → Policies → Create policy, select the JSON tab, and paste the content below.
Replace both instances of The two statements are shaped differently on purpose. Listing applies to the bucket itself, while reading files applies to the objects inside the bucket (
my-bucket with your actual bucket name./*).Give the policy a clear name, such as onesight-readonly.Role Delegation (Recommended)
1
Check Two Values in the OneSight Console
In the console, open Data Sources → Add → Storage → Amazon S3 and switch the authentication method to Role Delegation. The Principal ARN and External ID will be displayed. Copy both values.
2
Create a Role and Specify the Trust Policy
In IAM → Roles → Create role, select Custom trust policy and paste the content below. Replace both angle-bracket placeholders with the values you copied in the previous step.You must include the
sts:ExternalId condition. Without it, a third party who discovers the role ARN could use that role through OneSight.3
Attach Permissions and Copy the Role ARN
In the permissions step, attach the
onesight-readonly policy you created earlier, then create the role. Copy the ARN of the created role.The External ID is fixed per organization. It doesn’t change even if you register multiple data sources or re-register one, so once you set up the trust policy, it remains valid.
Access Key Method
1
Create a User and Attach the Policy
Create a user dedicated to OneSight under IAM → Users → Create user, and during the permissions step, choose Attach policies directly to attach the policy you created earlier.Since this isn’t an account a person will log in with, you don’t need to grant console login access.
2
Issue an Access Key
In the created user’s Security credentials tab, select Create access key, and choose Application running outside AWS (third-party service) as the use case.Copy the issued access key and secret key and store them somewhere safe.
Step 2: Connect to OneSight
1
Select Storage
Choose Data Sources → Add → Storage → Amazon S3.
2
Enter Connection Details and Connect
Choose the authentication method you selected in Step 1, enter the items below, and verify the connection.
The secret key entered with the Access Key method is encrypted with AES-256-GCM before being stored at registration, and is never shown on screen again. The Role Delegation method has no long-lived secret to store.
3
Select a File
Click a folder to navigate, then select the file to use. For SQLite (
.db) files, next choose the table to query.4
Review and Register
Check the data in the preview, review the automatically suggested mapping, then give it a name and register it.
S3-Compatible Storage
S3-compatible storage such as MinIO, Cloudflare R2, Wasabi, and NAVER/NHN/KT Cloud connects the same way. Enter that storage’s address as the Endpoint, and enable the path-style option if needed. This also applies if you’re running MinIO on a NAS. Role delegation is an AWS-specific feature, so it isn’t available on S3-compatible storage. Connect using the Access Key method instead.Supported File Types and Size Limits
Excel, JSON, and SQLite have size limits because their formats require the entire file to be downloaded before it can be opened. A notice is shown at the registration step if the limit is exceeded.
Next Steps
SFTP Connection
Connect files on an SFTP server
Contact Us
Contact us if you can’t get connected