Portal Community

When to Use

Configuration

Connection

FieldRequiredDescription
accessKeyIdRequiredAWS Access Key ID. Store in BizFirst Credentials Manager.
secretKeyRequiredAWS Secret Access Key. Never log or expose.
sessionTokenOptionalSTS session token for temporary credentials.
regionRequiredAWS region of the target bucket.

Operation Fields

FieldRequiredDescription
bucketNameRequiredTarget S3 bucket name.
objectKeyRequiredFull key path including any prefix (e.g. uploads/2026/05/report.pdf). Forward slashes create logical folder hierarchy.
dataModeOptionalContent encoding mode. base64 (default) for binary files; text for plain text or JSON content.
contentTypeOptionalMIME type of the object. Default: application/octet-stream. Use application/pdf, text/csv, image/png etc. for better browser handling.
storageClassOptionalS3 storage class. Default: STANDARD. Options: INTELLIGENT_TIERING, STANDARD_IA, ONE_ZONE_IA, GLACIER, DEEP_ARCHIVE.
serverSideEncryptionOptionalEncryption algorithm. Default: AES256. Options: aws:kms, none.
kmsKeyIdOptionalKMS key ARN. Required when serverSideEncryption is aws:kms.
cannedAclOptionalObject-level ACL. Default: private. Options: public-read.
cacheControlOptionalCache-Control header value for CDN/browser caching (e.g. max-age=86400).
metadataOptionalJSON object of custom user-defined metadata key-value pairs attached to the object.
taggingOptionalJSON key-value object of S3 tags applied to the object (e.g. {"Environment":"prod","Owner":"billing"}).

Sample Configuration

{
  "connection": {
    "accessKeyId": "{{ $credentials.s3_prod.accessKeyId }}",
    "secretKey": "{{ $credentials.s3_prod.secretKey }}",
    "region": "us-east-1"
  },
  "operation": {
    "resource": "object",
    "action": "upload",
    "bucketName": "acme-prod-reports",
    "objectKey": "monthly/{{ $now | date: 'YYYY/MM' }}/billing-summary-{{ $now | date: 'YYYY-MM' }}.pdf",
    "dataMode": "base64",
    "contentType": "application/pdf",
    "storageClass": "STANDARD",
    "serverSideEncryption": "AES256",
    "cannedAcl": "private",
    "metadata": {
      "generatedBy": "billing-workflow",
      "tenantId": "{{ $node.BillingJob.output.tenantId }}"
    },
    "tagging": {
      "Environment": "production",
      "DataClass": "confidential"
    }
  }
}

Validation Errors

Error CodeCause & Resolution
ObjectTooLargeThe object exceeds the 5 GB single-part upload limit. Use multipart upload orchestration for large files.
AccessDeniedThe IAM identity lacks s3:PutObject permission on the target bucket/key. Update the IAM policy.
InvalidArgumentThe metadata or tagging JSON is malformed, or a metadata key/value contains invalid characters. Validate JSON structure before passing.
NoSuchBucketThe target bucket does not exist. Create it first using bucket/create or verify the bucket name.
KMSDisabledExceptionThe specified KMS key is disabled. Enable the key in AWS KMS before uploading.

Output

Success Port

FieldTypeDescription
statusstringsuccess on successful upload.
errorCodestringEmpty string on success.
bucketNamestringTarget bucket name.
objectKeystringFull key of the uploaded object.
eTagstringMD5 ETag of the uploaded object — use for integrity verification.
sizelongSize of the uploaded object in bytes.
uploadedAtstringISO 8601 timestamp of the upload.
storageClassstringStorage class applied to the object.

Error Port

On failure, activates with errorCode, errorMessage, and httpStatusCode. Route to a retry or alerting node. For ObjectTooLarge, route to a multipart upload sub-workflow.

Sample Output

{
  "status": "success",
  "errorCode": "",
  "bucketName": "acme-prod-reports",
  "objectKey": "monthly/2026/05/billing-summary-2026-05.pdf",
  "eTag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
  "size": 204800,
  "uploadedAt": "2026-05-26T11:30:15Z",
  "storageClass": "STANDARD"
}

Expression Reference

ExpressionResult
{{ $node.UploadReport.output.objectKey }}Full S3 key — use to construct a presigned URL or pass to an email attachment node.
{{ $node.UploadReport.output.eTag }}ETag value — log for data integrity audit trail.
{{ $node.UploadReport.output.size }}Object size in bytes — include in upload confirmation logs.
{{ $node.UploadReport.output.uploadedAt }}Upload timestamp — store in database record alongside the object key.
{{ $node.UploadReport.output.storageClass }}Confirm the applied storage class for cost accounting.

Node Policies & GuardRails

Policy AreaRecommendation
Credential StorageStore credentials in BizFirst Credentials Manager. Never hardcode.
IAM PermissionsGrant s3:PutObject scoped to the specific bucket ARN and prefix (e.g. arn:aws:s3:::my-bucket/uploads/*).
Object Key ExpressionAlways use deterministic, expression-generated keys. Never write to a key derived from user input without sanitization — prevent path traversal patterns.
Default ACLAlways default to private. Never use public-read for objects containing PII or business-sensitive data.
EncryptionSet serverSideEncryption: AES256 minimum on all uploads. Use aws:kms for regulated data.
Content TypeAlways set the correct contentType MIME type — prevents browser security issues when serving objects via presigned URLs.
Tagging for Cost AllocationApply resource tags (Environment, CostCenter, DataClass) to enable accurate S3 cost allocation reports per team or tenant.
ETag Audit LoggingLog eTag and objectKey to the workflow execution audit trail for every upload to enable future integrity verification.

Examples

Example 1: Monthly Billing Report Archival

After generating a billing PDF, a workflow uploads it to S3 under a date-partitioned prefix and records the S3 key in the database.

// Node: GenerateReport (Code Execute → produces base64 PDF)
// Node: UploadToBilling (S3 — object/upload)
{
  "bucketName": "acme-billing-archive",
  "objectKey": "invoices/{{ $node.BillingJob.output.tenantId }}/{{ $now | date: 'YYYY-MM' }}.pdf",
  "dataMode": "base64",
  "contentType": "application/pdf",
  "storageClass": "STANDARD_IA",
  "serverSideEncryption": "AES256",
  "metadata": { "invoiceId": "{{ $node.BillingJob.output.invoiceId }}" }
}
// Next: UpdateInvoiceRecord → set s3Key = objectKey

Example 2: Form Submission Document Storage

A form workflow accepts user-uploaded documents and stores them in S3 under the submitter's tenant folder.

// Node: StoreDocument (S3 — object/upload)
{
  "bucketName": "acme-tenant-uploads",
  "objectKey": "{{ $node.FormData.output.tenantId }}/{{ $node.FormData.output.submissionId }}/{{ $node.FormData.output.fileName }}",
  "dataMode": "base64",
  "contentType": "{{ $node.FormData.output.mimeType }}",
  "serverSideEncryption": "AES256",
  "tagging": {
    "TenantId": "{{ $node.FormData.output.tenantId }}",
    "SubmissionId": "{{ $node.FormData.output.submissionId }}"
  }
}
// Next: ApprovalWorkflow with objectKey reference

Example 3: Static Site Asset Deployment

A CI/CD workflow uploads versioned static assets to S3 with public-read ACL and Cache-Control headers for CDN delivery.

// Node: UploadAssets (S3 — object/upload, inside Loop)
{
  "bucketName": "acme-static-assets",
  "objectKey": "v{{ $node.BuildInfo.output.version }}/{{ $loop.currentItem.filename }}",
  "dataMode": "base64",
  "contentType": "{{ $loop.currentItem.mimeType }}",
  "storageClass": "STANDARD",
  "cannedAcl": "public-read",
  "cacheControl": "max-age=31536000, immutable",
  "serverSideEncryption": "none"
}