Page tree




Feature Availability: This feature may not be available in all product editions. For more information on available features, see Compare Editions.

In the AWS Account page, you can review and modify your credentials to access the S3 default storage layer. In the Connections page, click AWS Account.

NOTE: This section applies to using S3 as the default storage layer. Before you begin, some information must be gathered from AWS. See Enable Access to S3 and AWS Resources.

Authentication method

The following methods can be used to manage authentication with AWS. 

Credential ProviderDescription
Use a cross-account role (IAM role)

The Designer Cloud Powered by Trifacta platform can use any IAM roles that have been defined for workspace members to access AWS data sources, such as S3 and Redshift.

Tip: This credential provider method is recommended.

Use access keysYou can apply key and secret access key combinations to gate access to AWS data sources. These access keys can be applied in workspace mode or in per-user mode by individual members.

Use a Cross-Account Role - Create an IAM Policy

After you select a cross-account role, you must specify an IAM policy and apply it to the workspace.

Copy policy

Choose an S3 bucket: Enter the name of your S3 bucket.

Tip: This value specifies your default S3 bucket and referenced in the IAM policy that is displayed.

Follow the instructions to copy the specified policy to the clipboard.

Create IAM role

You can follow the instructions on-screen to define an IAM role that uses your new policy.


Account ID

This value is pre-populated when the workspace is created.

NOTE: Do not modify.

External ID

This value is pre-populated when the workspace is created.

NOTE: Do not modify.

Copy the IAM role ARN from the AWS console and paste it into the textbox.

Use Access Keys - Provide Your AWS Credentials

For key-secret authentication to AWS, please specify the following settings.

NOTE: The AWS key and secret must provide read/write access to the default S3 bucket at least.

The account must have the ListAllMyBuckets ACL among its permissions.

AWS access keyThe AWS access key to use.
AWS secret keyThe AWS secret associated with the access key.

Storage and encryption

S3 Buckets

For key-secret authentication to AWS, please specify the following settings.

Default S3 bucket for uploaded files, temporary files, and job results

Specify the name of the default S3 bucket.

NOTE: Specify the top-level bucket name only. There should not be any backslashes in your entry.

Additional S3 bucketsYou can specify any additional S3 buckets in a comma-separated list of names.

Encryption type

The Designer Cloud Powered by Trifacta platform supports the use of server-side encryption when writing results.

NOTE: When encryption is enabled, all buckets to which you are writing must share the same encryption policy.

Encryption Type

Supported encryption types:

NOTE: If None  is selected here, AWS S3 still applies server-side encryption to the bucket without impact to cost or performance. For more information, see

  • None
  • SSE-S3
KMS key IDIf SSE-KMS has been selected, you can paste the KMS Key ID value in this field.

This page has no comments.