Portal Community
  What this node does: The S3 node provides full lifecycle management for AWS S3 across three resources: bucket, object, and folder. All operations authenticate via AWS IAM credentials (Access Key ID + Secret Access Key). Use IAM roles with least-privilege policies scoped to the specific S3 actions your workflow requires.

Resources & Operations (12 total)

bucket 4 Operations

bucket/create

Create a new S3 bucket with encryption, versioning, ACL, and public access block settings.

View documentation →

bucket/delete

Permanently delete an empty S3 bucket. Optionally verify the bucket is empty before deletion.

View documentation →

bucket/list-all

List all S3 buckets in the AWS account accessible to the configured IAM credentials.

View documentation →

bucket/search

List objects in a bucket with optional prefix filter and cursor-based pagination.

View documentation →

object 5 Operations

object/upload

Upload base64-encoded or plain-text content to S3 with storage class, encryption, ACL, and tagging support.

View documentation →

object/download

Download an object from S3 to a local path. Supports versioned objects and byte-range requests.

View documentation →

object/copy

Copy an object within or between S3 buckets server-side — no local download required.

View documentation →

object/delete

Delete a specific object or object version. Supports governance retention bypass for locked objects.

View documentation →

object/get-many

List objects in a bucket with optional prefix filtering and paginated results.

View documentation →

folder 3 Operations

folder/create

Create a logical folder (zero-byte key ending in /) to organize objects by prefix.

View documentation →

folder/delete

Delete all objects matching a prefix — effectively removing a folder and all its contents.

View documentation →

folder/get-many

List the contents of a folder prefix with optional pagination for large directories.

View documentation →

Authentication

All S3 operations require AWS IAM credentials. The node supports both long-term IAM user credentials and temporary STS credentials for role-based access.

FieldRequiredDescription
accessKeyIdRequiredAWS Access Key ID. Pattern: ^[A-Z0-9]+$, 16–128 characters. Store in BizFirst Credentials Manager — never hardcode.
secretKeyRequiredAWS Secret Access Key. Never log or expose this value. Use the Credentials Manager.
sessionTokenOptionalSTS session token for temporary credentials obtained via AssumeRole or GetSessionToken.
regionRequiredAWS region identifier (e.g. us-east-1). Must match the bucket's region for all bucket/object operations.
  IAM Least-Privilege: Always create a dedicated IAM user or role for this node. Grant only the specific S3 actions the workflow needs (e.g. s3:PutObject, s3:GetObject) scoped to specific bucket ARNs. Avoid attaching AmazonS3FullAccess to automation credentials.

Supported AWS Regions

Region IDLocation
us-east-1US East (N. Virginia)
us-east-2US East (Ohio)
us-west-1US West (N. California)
us-west-2US West (Oregon)
ap-south-1Asia Pacific (Mumbai)
ap-northeast-1Asia Pacific (Tokyo)
ap-northeast-2Asia Pacific (Seoul)
ap-southeast-1Asia Pacific (Singapore)
ap-southeast-2Asia Pacific (Sydney)
ca-central-1Canada (Central)
eu-central-1Europe (Frankfurt)
eu-west-1Europe (Ireland)
eu-west-2Europe (London)
eu-west-3Europe (Paris)
sa-east-1South America (Sao Paulo)

Storage Classes

Choose the right storage class to balance cost, availability, and retrieval speed for your use case.

Storage ClassBest ForRetrievalCost Profile
STANDARDFrequently accessed data, active workloadsMillisecondsHighest storage; no retrieval fee
INTELLIGENT_TIERINGUnknown or changing access patternsMillisecondsAuto-tiers; small monitoring fee per object
STANDARD_IAInfrequently accessed, rapid retrieval neededMillisecondsLower storage; per-GB retrieval fee
ONE_ZONE_IAReproducible infrequent data, single-AZ OKMilliseconds~20% less than STANDARD_IA; single AZ only
GLACIERLong-term archive, retrieval in minutes to hours1 min – 12 hrsVery low storage; retrieval fees apply
DEEP_ARCHIVECompliance archives, accessed <1x/year12 – 48 hrsLowest storage; highest retrieval fee

Rate Limits & Performance

  S3 Request Throughput: S3 can handle 3,500 PUT/COPY/DELETE and 5,500 GET/HEAD requests per second per prefix. For high-throughput workflows, partition object keys with varied prefixes (e.g. a random hash segment before the date) to distribute load across S3 internal partitions and avoid hot-key throttling.

Node Policies & GuardRails

Policy AreaRecommendation
Credential StorageStore accessKeyId and secretKey in BizFirst Credentials Manager. Never hardcode credentials in workflow configuration or expression fields.
IAM Least-PrivilegeGrant only the specific S3 actions the workflow needs, scoped to specific bucket ARNs. Avoid AmazonS3FullAccess.
Default ACLAlways default to private ACL. Never use public-read-write without an explicit, reviewed business requirement.
EncryptionEnable server-side encryption (AES256 minimum) for all buckets containing PII, financial data, or business-sensitive content.
VersioningEnable versioning on critical data buckets before automating deletions. Versioning protects against accidental overwrites and provides point-in-time recovery.
Audit TrailLog objectKey and eTag values in workflow execution context for a complete audit trail of all S3 operations.
Key Expression SafetyUse specific objectKey expressions — avoid expressions that could resolve to an unexpected key and overwrite or delete the wrong object.
Large File UploadsFor files exceeding 100 MB, consider multipart upload patterns. The node handles standard single-part uploads; chunked patterns require orchestration via multiple nodes.