AWS S3 Node
Store and retrieve files, manage buckets, and organize objects in AWS Simple Storage Service (S3).
Resources & Operations (12 total)
bucket 4 Operations
bucket/create
Create a new S3 bucket with encryption, versioning, ACL, and public access block settings.
View documentation →bucket/delete
Permanently delete an empty S3 bucket. Optionally verify the bucket is empty before deletion.
View documentation →bucket/list-all
List all S3 buckets in the AWS account accessible to the configured IAM credentials.
View documentation →bucket/search
List objects in a bucket with optional prefix filter and cursor-based pagination.
View documentation →object 5 Operations
object/upload
Upload base64-encoded or plain-text content to S3 with storage class, encryption, ACL, and tagging support.
View documentation →object/download
Download an object from S3 to a local path. Supports versioned objects and byte-range requests.
View documentation →object/copy
Copy an object within or between S3 buckets server-side — no local download required.
View documentation →object/delete
Delete a specific object or object version. Supports governance retention bypass for locked objects.
View documentation →object/get-many
List objects in a bucket with optional prefix filtering and paginated results.
View documentation →folder 3 Operations
folder/create
Create a logical folder (zero-byte key ending in /) to organize objects by prefix.
folder/delete
Delete all objects matching a prefix — effectively removing a folder and all its contents.
View documentation →folder/get-many
List the contents of a folder prefix with optional pagination for large directories.
View documentation →Authentication
All S3 operations require AWS IAM credentials. The node supports both long-term IAM user credentials and temporary STS credentials for role-based access.
| Field | Required | Description |
|---|---|---|
accessKeyId | Required | AWS Access Key ID. Pattern: ^[A-Z0-9]+$, 16–128 characters. Store in BizFirst Credentials Manager — never hardcode. |
secretKey | Required | AWS Secret Access Key. Never log or expose this value. Use the Credentials Manager. |
sessionToken | Optional | STS session token for temporary credentials obtained via AssumeRole or GetSessionToken. |
region | Required | AWS region identifier (e.g. us-east-1). Must match the bucket's region for all bucket/object operations. |
s3:PutObject, s3:GetObject) scoped to specific bucket ARNs. Avoid attaching AmazonS3FullAccess to automation credentials.
Supported AWS Regions
| Region ID | Location |
|---|---|
us-east-1 | US East (N. Virginia) |
us-east-2 | US East (Ohio) |
us-west-1 | US West (N. California) |
us-west-2 | US West (Oregon) |
ap-south-1 | Asia Pacific (Mumbai) |
ap-northeast-1 | Asia Pacific (Tokyo) |
ap-northeast-2 | Asia Pacific (Seoul) |
ap-southeast-1 | Asia Pacific (Singapore) |
ap-southeast-2 | Asia Pacific (Sydney) |
ca-central-1 | Canada (Central) |
eu-central-1 | Europe (Frankfurt) |
eu-west-1 | Europe (Ireland) |
eu-west-2 | Europe (London) |
eu-west-3 | Europe (Paris) |
sa-east-1 | South America (Sao Paulo) |
Storage Classes
Choose the right storage class to balance cost, availability, and retrieval speed for your use case.
| Storage Class | Best For | Retrieval | Cost Profile |
|---|---|---|---|
| STANDARD | Frequently accessed data, active workloads | Milliseconds | Highest storage; no retrieval fee |
| INTELLIGENT_TIERING | Unknown or changing access patterns | Milliseconds | Auto-tiers; small monitoring fee per object |
| STANDARD_IA | Infrequently accessed, rapid retrieval needed | Milliseconds | Lower storage; per-GB retrieval fee |
| ONE_ZONE_IA | Reproducible infrequent data, single-AZ OK | Milliseconds | ~20% less than STANDARD_IA; single AZ only |
| GLACIER | Long-term archive, retrieval in minutes to hours | 1 min – 12 hrs | Very low storage; retrieval fees apply |
| DEEP_ARCHIVE | Compliance archives, accessed <1x/year | 12 – 48 hrs | Lowest storage; highest retrieval fee |
Rate Limits & Performance
Node Policies & GuardRails
| Policy Area | Recommendation |
|---|---|
| Credential Storage | Store accessKeyId and secretKey in BizFirst Credentials Manager. Never hardcode credentials in workflow configuration or expression fields. |
| IAM Least-Privilege | Grant only the specific S3 actions the workflow needs, scoped to specific bucket ARNs. Avoid AmazonS3FullAccess. |
| Default ACL | Always default to private ACL. Never use public-read-write without an explicit, reviewed business requirement. |
| Encryption | Enable server-side encryption (AES256 minimum) for all buckets containing PII, financial data, or business-sensitive content. |
| Versioning | Enable versioning on critical data buckets before automating deletions. Versioning protects against accidental overwrites and provides point-in-time recovery. |
| Audit Trail | Log objectKey and eTag values in workflow execution context for a complete audit trail of all S3 operations. |
| Key Expression Safety | Use specific objectKey expressions — avoid expressions that could resolve to an unexpected key and overwrite or delete the wrong object. |
| Large File Uploads | For files exceeding 100 MB, consider multipart upload patterns. The node handles standard single-part uploads; chunked patterns require orchestration via multiple nodes. |