Portal Community
  Versioned Buckets: For buckets with versioning enabled, deleting without specifying versionId places a delete marker — the data is still recoverable. To permanently remove a specific version, you must specify its versionId. Use bucket/search to retrieve all version IDs before permanently deleting versioned objects.

When to Use

Configuration

Connection

FieldRequiredDescription
accessKeyIdRequiredAWS Access Key ID. Store in BizFirst Credentials Manager.
secretKeyRequiredAWS Secret Access Key. Never log or expose.
sessionTokenOptionalSTS session token for temporary credentials.
regionRequiredAWS region of the bucket.

Operation Fields

FieldRequiredDescription
bucketNameRequiredName of the bucket containing the object to delete.
objectKeyRequiredFull key path of the object to delete.
versionIdOptionalSpecific version ID to permanently delete. For versioned buckets, omitting this creates a delete marker instead of permanently removing the data.
bypassGovernanceRetentionOptionalWhen true, bypasses S3 Object Lock governance-mode retention. Requires s3:BypassGovernanceRetention IAM permission. Default: false.

Sample Configuration

{
  "connection": {
    "accessKeyId": "{{ $credentials.s3_prod.accessKeyId }}",
    "secretKey": "{{ $credentials.s3_prod.secretKey }}",
    "region": "us-east-1"
  },
  "operation": {
    "resource": "object",
    "action": "delete",
    "bucketName": "acme-processing-temp",
    "objectKey": "{{ $node.ProcessFile.output.tempObjectKey }}",
    "bypassGovernanceRetention": false
  }
}

Validation Errors

Error CodeCause & Resolution
AccessDeniedThe IAM identity lacks s3:DeleteObject permission. Update the IAM policy. For governance bypass, also add s3:BypassGovernanceRetention.
ObjectLockedThe object is under S3 Object Lock compliance mode. Compliance-mode locked objects cannot be deleted until the retention period expires, regardless of permissions.
NoSuchKeyS3 returns HTTP 204 for deleting a non-existent key (success behavior). The node treats this as success. If you need to detect missing objects, use bucket/search first.

Output

Success Port

FieldTypeDescription
statusstringsuccess on successful deletion or when the object did not exist (S3 is idempotent on delete).
errorCodestringEmpty string on success.
bucketNamestringThe bucket from which the object was deleted.
objectKeystringThe key of the deleted object, for audit logging.

Error Port

On failure, activates with errorCode, errorMessage, and httpStatusCode. The primary failure cases are AccessDenied and ObjectLocked — both indicate permission or retention policy issues requiring human review.

Sample Output

{
  "status": "success",
  "errorCode": "",
  "bucketName": "acme-processing-temp",
  "objectKey": "temp/session-8f3a2b1c/upload-buffer.bin"
}

Expression Reference

ExpressionResult
{{ $node.DeleteTempFile.output.status }}Confirm deletion succeeded before proceeding in cleanup workflows.
{{ $node.DeleteTempFile.output.objectKey }}Deleted key — log to audit trail as evidence of data erasure (GDPR use case).
{{ $node.DeleteTempFile.output.bucketName }}Confirm which bucket the deletion occurred in for multi-bucket workflows.

Node Policies & GuardRails

Policy AreaRecommendation
Credential StorageStore credentials in BizFirst Credentials Manager. Never hardcode.
IAM PermissionsGrant s3:DeleteObject scoped to the specific bucket ARN and key prefix. Never grant wildcard delete on the entire account.
Object Key ExpressionAlways resolve objectKey from a trusted workflow variable — never derive from user input without strict sanitization to prevent unintended deletions.
Versioned Bucket AwarenessFor versioned buckets, omitting versionId creates a delete marker, not a permanent deletion. Specify versionId for true erasure (e.g. GDPR compliance).
GDPR Erasure PatternFor right-to-erasure workflows, list all versions first with bucket/search, then loop through all versionIds and delete each individually.
Audit Trail for ErasureLog objectKey, versionId, the requesting user identity, and the erasure timestamp to a persistent compliance audit log.
Post-Copy DeleteWhen implementing a "move" pattern (copy + delete), only execute the delete after confirming the copy succeeded — check $node.CopyStep.output.status == "success" in an If Condition before deleting.
Governance BypassNever enable bypassGovernanceRetention in automated workflows without a documented exception. This capability requires an explicit IAM permission and audit justification.

Examples

Example 1: Post-Processing Temp File Cleanup

After an ETL workflow finishes transforming a file, delete the original temp object from the landing zone.

// Node: CleanupSource (S3 — object/delete)
// Only runs after successful copy to archive (If Condition check)
{
  "bucketName": "acme-ingest-landing",
  "objectKey": "{{ $node.CopyToArchive.output.sourceKey }}"
}
// This implements a safe "move" — copy first, delete only on success

Example 2: GDPR Right-to-Erasure

A compliance workflow permanently removes all versions of a user's documents from S3 after a deletion request is approved.

// Node: ListAllVersions (bucket/search with versioned list)
// Node: EraseVersions (Loop over all versionId values)
// Node: DeleteVersion (S3 — object/delete)
{
  "bucketName": "acme-user-documents",
  "objectKey": "users/{{ $node.ErasureRequest.output.userId }}/{{ $loop.currentItem.key }}",
  "versionId": "{{ $loop.currentItem.versionId }}"
}
// After loop: Log erasure confirmation to compliance audit store

Example 3: Expired Cache Eviction

A scheduled workflow removes report cache objects older than 7 days to force regeneration on next access.

// Node: FindExpiredCacheFiles (bucket/search, prefix: "cache/reports/")
// Node: FilterOldObjects (Code Execute — filter by lastModified < 7 days ago)
// Node: DeleteExpiredCache (Loop → S3 — object/delete)
{
  "bucketName": "acme-report-cache",
  "objectKey": "{{ $loop.currentItem.key }}"
}
// No versionId needed — cache bucket is not versioned