Portal Community
  Account-Level Operation: This operation uses s3:ListAllMyBuckets and returns every bucket the IAM identity can enumerate. It does not accept any filters — use bucket/search to list objects within a specific bucket.

When to Use

Configuration

Connection

FieldRequiredDescription
accessKeyIdRequiredAWS Access Key ID. Store in BizFirst Credentials Manager.
secretKeyRequiredAWS Secret Access Key. Never log or expose.
sessionTokenOptionalSTS session token for temporary credentials.
regionRequiredAWS region for the API endpoint. The response includes buckets from all regions.

Operation Fields

No additional fields are required. This operation uses only the connection credentials.

Sample Configuration

{
  "connection": {
    "accessKeyId": "{{ $credentials.s3_audit.accessKeyId }}",
    "secretKey": "{{ $credentials.s3_audit.secretKey }}",
    "region": "us-east-1"
  },
  "operation": {
    "resource": "bucket",
    "action": "listAll"
  }
}

Validation Errors

Error CodeCause & Resolution
AccessDeniedThe IAM identity lacks s3:ListAllMyBuckets. Add this action to the IAM policy — it cannot be scoped to a specific resource, so grant at the * resource level.
InvalidClientTokenIdThe accessKeyId is invalid or has been deactivated. Verify the credential in the Credentials Manager and rotate if necessary.
SignatureDoesNotMatchThe secretKey does not match the accessKeyId. Update the credential pair in the Credentials Manager.

Output

Success Port

FieldTypeDescription
statusstringsuccess on successful enumeration.
errorCodestringEmpty string on success.
bucketCountintTotal number of buckets returned.
bucketNamesstringComma-separated list of all bucket names, e.g. bucket-a,bucket-b,bucket-c.

Error Port

On failure, activates with errorCode, errorMessage, and httpStatusCode. An AccessDenied error here indicates a missing s3:ListAllMyBuckets permission — this is an account-level permission that cannot be resource-scoped.

Sample Output

{
  "status": "success",
  "errorCode": "",
  "bucketCount": 5,
  "bucketNames": "acme-prod-documents,acme-staging-documents,acme-dev-documents,acme-compliance-archive-2026-Q2,ci-artifacts-shared"
}

Expression Reference

ExpressionResult
{{ $node.ListBuckets.output.bucketCount }}Total bucket count — use in report generation or health check assertions.
{{ $node.ListBuckets.output.bucketNames }}Comma-separated bucket names — split for iteration or include in an audit report body.
{{ $node.ListBuckets.output.status }}Confirm success before processing the list in downstream nodes.

Node Policies & GuardRails

Policy AreaRecommendation
Credential StorageStore credentials in BizFirst Credentials Manager. Never hardcode.
IAM PermissionsGrant s3:ListAllMyBuckets on resource * — this is the minimum required. Do not grant additional write permissions to audit-only credentials.
Read-Only Audit CredentialsUse a dedicated read-only IAM user for compliance and audit workflows. Separate from credentials used for write operations.
Scheduled Audit FrequencyRun compliance bucket listing on a schedule (weekly or monthly) rather than on every workflow execution to reduce unnecessary API calls.
Output HandlingThe bucketNames output is a comma-separated string. Use a JSON Transform or Code Execute node to split into an array for iteration workflows.
Cross-Account AwarenessCredentials only return buckets accessible to that IAM identity. For multi-account setups, use separate credential sets per account and aggregate results downstream.
Sensitive OutputBucket names may reveal organizational structure. Treat the output as sensitive — do not expose in public-facing logs or notifications.

Examples

Example 1: Weekly Compliance Audit

A scheduled workflow lists all buckets and sends the count and names to a compliance review Slack channel.

// Node: ListAllBuckets (S3 — bucket/list-all)
// Node: FormatReport (Code Execute)
// Output: "Bucket count: 5 | Names: acme-prod-documents, ..."
// Node: NotifyCompliance (Slack — message/send)

Example 2: Environment Health Check

Assert that the three expected environment buckets are present before a deployment proceeds.

// Node: ListBuckets (S3 — bucket/list-all)
// Node: CheckBucketsPresent (If Condition)
// Condition: bucketNames contains "myapp-prod-assets"
//            AND bucketNames contains "myapp-staging-assets"
//            AND bucketNames contains "myapp-dev-assets"
// True path: Proceed with deployment
// False path: Abort and alert DevOps team

Example 3: Orphaned Bucket Detection

A monthly workflow cross-references the live bucket list with the tenant database to find buckets no longer linked to active tenants.

// Node: ListBuckets (S3 — bucket/list-all)
// Node: GetActiveTenantBuckets (Database query → array of expected bucket names)
// Node: FindOrphans (Code Execute)
// Logic: compare bucketNames array against active tenant bucket list
// Node: AlertOpsTeam with orphaned bucket names for review