AWS S3 Node — BizFirstAI

What this node does: The S3 node provides full object storage integration with Amazon S3. Store files generated by workflows (PDFs, reports, exports), retrieve stored assets, list bucket contents, copy objects between buckets, and generate time-limited pre-signed URLs for sharing files securely without exposing bucket credentials. All operations support BizFirst expressions for dynamic bucket names, keys, and file content.

Supported Operations

Operation	Description
`upload`	Upload a file to an S3 bucket. Accepts base64-encoded binary data or text. Supports custom content type, ACL, and metadata headers.
`download`	Download an object from S3. Returns the file data as base64, plain text, or parsed JSON depending on configuration.
`list`	List objects in a bucket, optionally filtered by key prefix (folder path) and limited to a maximum count.
`delete`	Permanently delete an object from a bucket by key.
`copy`	Copy an object from one bucket/key to another bucket/key within or across S3 buckets. Optionally change the ACL on copy.
`getPresignedUrl`	Generate a time-limited, signed URL for GET (download) or PUT (upload) access to an object — without requiring the recipient to have AWS credentials.

Key Capabilities

Flexible data input — upload base64-encoded binary (PDFs, images, archives) or raw text and JSON
Pre-signed URL generation — share files securely with external users for a configurable window (seconds to days)
Custom metadata — attach key-value metadata to uploaded objects for later retrieval and cataloguing
ACL control — set object access to private, public-read, or authenticated-read per upload
Prefix-based listing — list objects in a virtual folder (prefix) to enumerate workflow outputs or archives
Cross-bucket copy — copy objects between buckets, including across AWS regions
Versioning aware — returns version IDs when bucket versioning is enabled
IAM credential management — credentials stored securely in BizFirst Credentials Manager

Business Benefits

Store Generated Documents

After a workflow generates a PDF invoice, contract, or report, upload it directly to S3 with a structured key path (e.g. invoices/2026/05/INV-00421.pdf). The returned object_url can be stored in a database record and included in email notifications — giving recipients a permanent link to the document.

Distribute Files via Pre-Signed Links

Generate time-limited download URLs for sensitive files without making objects publicly accessible. Send the URL by email or webhook. When the URL expires the file is no longer accessible — enforcing download windows for compliance and data security requirements.

ETL Intermediate Storage

In multi-step data processing workflows, store intermediate results between transformation stages. S3 acts as a reliable, scalable handoff layer between workflow branches — avoiding timeouts from passing large datasets through workflow variables.

Workflow Output Archiving

Archive every workflow execution's output (exports, summaries, processed records) to a dated S3 folder for audit retention. Use the list operation with a date prefix to enumerate archived runs and the download operation to retrieve any past output on demand.

Customer Document Upload

Generate a PUT pre-signed URL for an S3 key, return it to the customer via a webhook or API response, and the customer uploads directly to S3 without the file passing through your workflow servers. This enables large-file upload support at scale.

Use Cases at a Glance

Use Case	Operation	Key Pattern
Store generated invoice PDF	upload	`invoices/{year}/{month}/{invoice_id}.pdf`
Share contract for signature	getPresignedUrl (GET)	`contracts/{contract_id}.pdf`
Customer file upload	getPresignedUrl (PUT)	`uploads/{customer_id}/{timestamp}/`
List monthly reports	list	prefix: `reports/2026/05/`
Archive processed records	upload	`archives/{workflow_name}/{run_id}.json`
Backup before overwrite	copy	Source → versioned backup bucket
Serve AI-generated report	upload then getPresignedUrl	`reports/weekly/{date}.md`

In This Guide

Configuration

Full property reference for upload, download, list, delete, copy, and getPresignedUrl.

Input & Output

Output ports, data schemas, and expression paths for S3 operation results.

Examples

Four examples: invoice upload, pre-signed download link, customer upload URL, and archive listing.

IAM permissions: The AWS credential used by this node requires an IAM policy granting the necessary S3 actions: s3:PutObject (upload), s3:GetObject (download), s3:DeleteObject (delete), s3:ListBucket (list), s3:CopyObject (copy). Always follow the principle of least privilege — grant only the actions and bucket ARNs needed by this specific workflow. Store credentials in BizFirst Credentials Manager, never hard-coded in workflow configurations.

S3 Key Naming Conventions

S3 has no real folders — keys are flat strings with slashes used as visual delimiters. Consistent key naming is critical for listing, lifecycle policies, and operational clarity at scale.

Pattern	Example Key	Use Case
Type / Year / Month / ID	`invoices/2026/05/INV-00421.pdf`	Financial documents — easy lifecycle archival
Customer / Date / File	`customers/CUST-441/uploads/2026-05-23_id-doc.pdf`	Customer document vaults
Workflow / Run / Output	`workflow-runs/wf-reports/run-abc123/output.json`	Workflow execution archives
Type / Entity / Version	`templates/email-welcome/v4.html`	Versioned content assets
Year / Month / Day / File	`logs/2026/05/23/access.log`	Log archival with date-based prefix listing

Security Best Practices

Always use acl: private for business documents — never public-read
Use pre-signed URLs with the shortest appropriate expiry for sharing files externally
Enable S3 bucket versioning for important document buckets to protect against accidental deletion
Enable server-side encryption (SSE-S3 or SSE-KMS) on buckets storing sensitive data
Use separate IAM roles with least-privilege policies per workflow type
Enable S3 access logging on production buckets for audit trails
Use S3 Object Lock for regulatory compliance archiving (WORM storage)
Configure S3 Lifecycle rules to automatically transition old objects to Glacier for cost savings

Credential Setup

Store AWS credentials in BizFirst Credentials Manager with the following fields:

Field	Description
Access Key ID	AWS IAM user or role access key ID (`AKIAIOSFODNN7EXAMPLE`)
Secret Access Key	Corresponding secret access key
Region	Default AWS region (e.g. `us-east-1`, `eu-west-1`). Can be overridden per node.
Session Token	Optional — required for temporary STS credentials (role assumption)

S3-compatible storage: The S3 node works with any S3-compatible object storage service — including MinIO, Cloudflare R2, Backblaze B4, and DigitalOcean Spaces. Configure the endpoint URL in the credential to point to the compatible service instead of AWS. All operations behave identically; pre-signed URL generation may have slight differences depending on the provider's signature implementation.

Lifecycle Management Recommendations

Use S3 Lifecycle rules (configured directly in AWS, not in BizFirst) to automatically manage object retention and cost:

Use Case	Suggested Lifecycle Rule
Workflow run archives	Transition to Glacier after 90 days; delete after 7 years
Customer upload staging	Delete incomplete multipart uploads after 7 days
Generated reports	Transition to Intelligent-Tiering after 30 days
Pre-signed upload targets	Delete unconfirmed uploads older than 24 hours (use a Lambda or workflow cleanup job)
Log files	Transition to Glacier after 30 days; delete after 2 years

These rules reduce storage costs significantly on large-scale deployments without any workflow code changes — S3 applies them automatically on a daily basis.