bucket/list-all FormID 20502
List all S3 buckets in the AWS account accessible to the configured credentials.
Account-Level Operation: This operation uses
s3:ListAllMyBuckets and returns every bucket the IAM identity can enumerate. It does not accept any filters — use bucket/search to list objects within a specific bucket.
When to Use
- Compliance audit: Enumerate all buckets in the account during a scheduled compliance review to verify naming conventions, expected encryption settings, and absence of orphaned buckets.
- Environment health check: Verify that all expected buckets exist (dev, staging, prod) as part of a deployment health check workflow.
- Backup reporting: List all buckets at the start of a backup summary report, then iterate with
bucket/searchto check object counts per bucket. - Admin UI population: Populate a bucket picker dropdown in an admin interface by fetching the live list of available buckets.
- Orphan detection: Cross-reference bucket list against tenant records to identify storage buckets no longer associated with active tenants.
Configuration
Connection
| Field | Required | Description |
|---|---|---|
accessKeyId | Required | AWS Access Key ID. Store in BizFirst Credentials Manager. |
secretKey | Required | AWS Secret Access Key. Never log or expose. |
sessionToken | Optional | STS session token for temporary credentials. |
region | Required | AWS region for the API endpoint. The response includes buckets from all regions. |
Operation Fields
No additional fields are required. This operation uses only the connection credentials.
Sample Configuration
{
"connection": {
"accessKeyId": "{{ $credentials.s3_audit.accessKeyId }}",
"secretKey": "{{ $credentials.s3_audit.secretKey }}",
"region": "us-east-1"
},
"operation": {
"resource": "bucket",
"action": "listAll"
}
}
Validation Errors
| Error Code | Cause & Resolution |
|---|---|
AccessDenied | The IAM identity lacks s3:ListAllMyBuckets. Add this action to the IAM policy — it cannot be scoped to a specific resource, so grant at the * resource level. |
InvalidClientTokenId | The accessKeyId is invalid or has been deactivated. Verify the credential in the Credentials Manager and rotate if necessary. |
SignatureDoesNotMatch | The secretKey does not match the accessKeyId. Update the credential pair in the Credentials Manager. |
Output
Success Port
| Field | Type | Description |
|---|---|---|
status | string | success on successful enumeration. |
errorCode | string | Empty string on success. |
bucketCount | int | Total number of buckets returned. |
bucketNames | string | Comma-separated list of all bucket names, e.g. bucket-a,bucket-b,bucket-c. |
Error Port
On failure, activates with errorCode, errorMessage, and httpStatusCode. An AccessDenied error here indicates a missing s3:ListAllMyBuckets permission — this is an account-level permission that cannot be resource-scoped.
Sample Output
{
"status": "success",
"errorCode": "",
"bucketCount": 5,
"bucketNames": "acme-prod-documents,acme-staging-documents,acme-dev-documents,acme-compliance-archive-2026-Q2,ci-artifacts-shared"
}
Expression Reference
| Expression | Result |
|---|---|
{{ $node.ListBuckets.output.bucketCount }} | Total bucket count — use in report generation or health check assertions. |
{{ $node.ListBuckets.output.bucketNames }} | Comma-separated bucket names — split for iteration or include in an audit report body. |
{{ $node.ListBuckets.output.status }} | Confirm success before processing the list in downstream nodes. |
Node Policies & GuardRails
| Policy Area | Recommendation |
|---|---|
| Credential Storage | Store credentials in BizFirst Credentials Manager. Never hardcode. |
| IAM Permissions | Grant s3:ListAllMyBuckets on resource * — this is the minimum required. Do not grant additional write permissions to audit-only credentials. |
| Read-Only Audit Credentials | Use a dedicated read-only IAM user for compliance and audit workflows. Separate from credentials used for write operations. |
| Scheduled Audit Frequency | Run compliance bucket listing on a schedule (weekly or monthly) rather than on every workflow execution to reduce unnecessary API calls. |
| Output Handling | The bucketNames output is a comma-separated string. Use a JSON Transform or Code Execute node to split into an array for iteration workflows. |
| Cross-Account Awareness | Credentials only return buckets accessible to that IAM identity. For multi-account setups, use separate credential sets per account and aggregate results downstream. |
| Sensitive Output | Bucket names may reveal organizational structure. Treat the output as sensitive — do not expose in public-facing logs or notifications. |
Examples
Example 1: Weekly Compliance Audit
A scheduled workflow lists all buckets and sends the count and names to a compliance review Slack channel.
// Node: ListAllBuckets (S3 — bucket/list-all)
// Node: FormatReport (Code Execute)
// Output: "Bucket count: 5 | Names: acme-prod-documents, ..."
// Node: NotifyCompliance (Slack — message/send)
Example 2: Environment Health Check
Assert that the three expected environment buckets are present before a deployment proceeds.
// Node: ListBuckets (S3 — bucket/list-all)
// Node: CheckBucketsPresent (If Condition)
// Condition: bucketNames contains "myapp-prod-assets"
// AND bucketNames contains "myapp-staging-assets"
// AND bucketNames contains "myapp-dev-assets"
// True path: Proceed with deployment
// False path: Abort and alert DevOps team
Example 3: Orphaned Bucket Detection
A monthly workflow cross-references the live bucket list with the tenant database to find buckets no longer linked to active tenants.
// Node: ListBuckets (S3 — bucket/list-all)
// Node: GetActiveTenantBuckets (Database query → array of expected bucket names)
// Node: FindOrphans (Code Execute)
// Logic: compare bucketNames array against active tenant bucket list
// Node: AlertOpsTeam with orphaned bucket names for review