Amazon S3 Authentication
S3 access is not performed by Qualytics directly. Every API call carries an IAM identity, and AWS uses that identity to decide whether the call is allowed. The Authentication section of the connection form is where you tell Qualytics which IAM identity to use.
Two options are available:
Access Key
With Access Key authentication, you create an IAM user in your AWS account and supply Qualytics with that user's Access Key (the AWS Access Key ID) and Secret Key (the AWS Secret Access Key). Every read or write Qualytics performs uses these credentials, so the IAM user behind them needs the S3 permissions listed in Amazon S3 Permissions.
This is the simplest setup. It works well when:
- You are testing S3 connectivity or running it in a development environment.
- Your security policy allows storing static AWS credentials.
- You do not need cross-account access.
The trade-off is that the credentials are static. You are responsible for replacing them when they expire or get leaked, and you must update them in both AWS and Qualytics each time.
Generating an Access Key in AWS
The Access Key ID and Secret Access Key come from an IAM user in your AWS account.
- Open the IAM console.
- From the navigation menu, select Users.
- Pick the IAM user you want to use.
- Open the Security credentials tab.
- Under Access keys, choose Create access key.
- Download the credentials or copy them to a secrets manager. The Secret Access Key is visible only once at creation time.
Warning
Store the Secret Access Key securely. AWS does not let you retrieve it again. If it is lost, create a new key pair and replace the existing one.
IAM Role
AWS-only
IAM Role authentication is offered only on AWS-hosted and local Qualytics deployments. On Azure and GCP deployments, only Access Key is available.
With IAM Role authentication, you do not share any static credentials with Qualytics. Instead, you create an IAM role in your AWS account and let Qualytics assume it. When Qualytics needs to read or write a file, it asks AWS STS for temporary credentials for that role, then uses them to call S3. AWS issues temporary credentials with a limited lifetime, and Qualytics requests new ones automatically before the current ones expire.
This is the recommended option for production. It works well when:
- Your security policy disallows storing static AWS credentials.
- Your bucket lives in a different AWS account from Qualytics.
- You want every connection logged and auditable in AWS CloudTrail.
How the assume-role flow works
When Qualytics connects to S3 using IAM Role authentication:
- Qualytics's AWS identity (the dataplane's base role) calls sts:AssumeRole against the role ARN you entered in the connection form.
- AWS checks the role's trust policy to confirm the calling identity is allowed to assume the role. If you supplied an External ID, AWS also checks that it matches the one in the trust policy.
- If the checks pass, AWS returns temporary credentials valid for the role's session duration.
- The S3 client uses those temporary credentials to call S3, inside your account, with the permissions attached to the role.
- Qualytics caches the credentials until just before they expire, then requests a fresh set automatically. You do not need to manage refresh.
The base role (the dataplane identity that calls sts:AssumeRole) and the target role (the role you enter in the connection form) are described in detail in IAM Role Authentication, including who provisions each one for Managed vs Self-Hosted deployments.
About the External ID
The External ID is an extra security check on top of the trust policy. When you require an External ID in your role's trust policy, only AssumeRole calls that pass the matching value succeed. Even if Qualytics's own identity were ever misused, an attacker still could not assume your role without also knowing your External ID.
In Qualytics, the External ID is optional. Supply it only if your trust policy requires one. AWS strongly recommends using an External ID whenever you grant a third party (such as Qualytics) the ability to assume a role in your account.
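To make the trust-policy side of the assume-role flow and the External ID check concrete, here is an added example (not Qualytics or AWS code) in Python that builds the target role's trust policy with the sts:ExternalId condition and then reviews a trust policy for the two weaknesses worth checking before you hand the role ARN to a third party: a wildcard principal and a missing External ID condition. The base role ARN and External ID are constructed placeholders; the findings logic is my own illustration.

```python
from typing import List, Optional

# Constructed placeholder values; substitute your dataplane base role ARN and your own External ID.
BASE_ROLE_ARN = "arn:aws:iam::111122223333:role/qualytics-dataplane-base"  # placeholder, not a real role
EXTERNAL_ID = "replace-with-your-external-id"  # placeholder


def build_trust_policy(base_role_arn: str, external_id: Optional[str]) -> dict:
    """Trust policy for the target role: only base_role_arn may call sts:AssumeRole,
    and when external_id is set the call must also pass that value as ExternalId."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": base_role_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> List[str]:
    """Return weaknesses found in a role trust policy, one string per finding.
    Every Allow statement that grants sts:AssumeRole is checked for a wildcard
    principal and for a missing sts:ExternalId condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS identity may attempt AssumeRole")
        condition = stmt.get("Condition", {})
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition: trust rests on the principal alone")
    return findings


if __name__ == "__main__":
    import json
    policy = build_trust_policy(BASE_ROLE_ARN, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy) or "none")
```

Run the findings check against the trust policy of the role you enter in the connection form before enabling the connection; an empty list means the role is pinned to the base role and requires the External ID.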