Skip to main content

Connect to Amazon S3 and S3-compatible services

Learn how to connect Amazon S3 and S3-compatible services to Retool.

Version: Cloud and 3.191 Edge

You can use the Amazon S3 integration to create a resource and make it available in Retool. Once complete, your users can write queries that interact with Amazon S3 data.

Requirements

The Amazon S3 integration requirements depend on whether you have a cloud-hosted or self-hosted Retool organization. You may also need to make Amazon S3 configuration changes before creating the resource.

Sufficient user permissions to create resources

All users for Retool organizations on Free or Team plans have global Edit permissions and can add, edit, and remove resources. If your organization manages user permissions for resources, you must be a member of a group with Edit all permissions.

Allow Retool to access the data source

If the data source is behind a firewall or restricts access based on IP address, then you must ensure that your Retool organization can access it. If necessary, configure your data source to allow access from Retool's IP addresses.

To allow Retool access from one of its outbound regions, you must include the necessary IP addresses in your allowlist if you use inbound firewall rules.

CIDR IP addresses
35.90.103.132/30
44.208.168.68/30
Individual IP addresses
35.90.103.132
35.90.103.133
35.90.103.134
35.90.103.135
44.208.168.68
44.208.168.69
44.208.168.70
44.208.168.71

Retool is building support for querying firewalled resources without allowlisting Retool’s IP address. To learn more or be considered for early access, contact cloud-connect@retool.com.

Amazon S3 settings and authentication

You must have sufficient access and familiarity with your Amazon S3 data source so you can provide:

  • Required connection settings (e.g., URL and server variables).
  • Authentication credentials (e.g., API keys).

In some cases, you may need to make changes to your Amazon S3 configuration, such as generating authentication credentials or allowing access through a firewall. Refer to the configuration and authentication sections to learn more.

Before you create a resource, you must configure CORS to allow Retool access to write or modify data. The CORS configuration depends on your use case.

Amazon S3

Example CORS policy
[
  {
    "AllowedOrigins": ["https://<your-domain>.retool.com"], // FQDN of your Retool deployment.
    "AllowedMethods": ["PUT", "POST", "DELETE"],
    "AllowedHeaders": ["*"]
  },
  {
    "AllowedOrigins": ["*"],
    "AllowedMethods": ["GET"]
  }
]
Create access credentials

Retool uses programmatic access to connect to the S3 bucket. You create a new user in the IAM Management Console, assign in to a group, and then create a policy that grants access to the specified S3 bucket.

Create the policy

  1. Add a new user through the IAM Management Console. You can add the user to an existing group or create a new group in which to add them. Once created, generate a set of access keys. You provide the access key and secret access key when creating an S3 resource in Retool.
  2. You configure permissions for S3 buckets using policies. Create a new policy using the IAM Management Console that grants sufficient permission to read and write data to the S3 bucket.
  3. You use the console's GUI to create permissions or provide a JSON configuration. The following configuration grants access to read and write data for the specified S3 bucket. Update the BUCKET_NAME placeholders with the name of your bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketWebsite",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}

Attach the policy

You can attach the policy to either the user or the group to which it belongs. Select the user group in which the user you created is assigned, then attach the policy.

If you want to avoid having permanent permissions for the S3 bucket granted to your IAM user, you can configure the user to assume a role that has sufficient permissions.

Once the policy is attached, you can create the S3 resource in Retool.

S3-compatible services

Retool authenticates with S3-compatible services using access keys. Generate access credentials and provide them as values for AWS Access Key ID and AWS Secret Key ID.

Retool requires GET, PUT, POST, and DELETE. Set the origin to your Retool organization URL.

Configure the CORS policy

Before you create a resource, you must configure CORS to allow Retool access to write or modify data. The CORS configuration depends on your use case.

Amazon S3

Example CORS policy
[
  {
    "AllowedOrigins": ["https://<your-domain>.retool.com"], // FQDN of your Retool deployment.
    "AllowedMethods": ["PUT", "POST", "DELETE"],
    "AllowedHeaders": ["*"]
  },
  {
    "AllowedOrigins": ["*"],
    "AllowedMethods": ["GET"]
  }
]
Create access credentials

Retool uses programmatic access to connect to the S3 bucket. You create a new user in the IAM Management Console, assign in to a group, and then create a policy that grants access to the specified S3 bucket.

Create the policy

  1. Add a new user through the IAM Management Console. You can add the user to an existing group or create a new group in which to add them. Once created, generate a set of access keys. You provide the access key and secret access key when creating an S3 resource in Retool.
  2. You configure permissions for S3 buckets using policies. Create a new policy using the IAM Management Console that grants sufficient permission to read and write data to the S3 bucket.
  3. You use the console's GUI to create permissions or provide a JSON configuration. The following configuration grants access to read and write data for the specified S3 bucket. Update the BUCKET_NAME placeholders with the name of your bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketWebsite",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}

Attach the policy

You can attach the policy to either the user or the group to which it belongs. Select the user group in which the user you created is assigned, then attach the policy.

If you want to avoid having permanent permissions for the S3 bucket granted to your IAM user, you can configure the user to assume a role that has sufficient permissions.

Once the policy is attached, you can create the S3 resource in Retool.

S3-compatible services

Retool authenticates with S3-compatible services using access keys. Generate access credentials and provide them as values for AWS Access Key ID and AWS Secret Key ID.

Retool requires GET, PUT, POST, and DELETE. Set the origin to your Retool organization URL.

Configure the resource

Sign in to your Retool organization and navigate to the Resources tab. Click Create new > Resource, then select Amazon S3.

Configuration

Specify the name, location, and description to use for your Amazon S3 resource. Retool displays the resource name and type in query editors to help users identify them.

Provide the following configuration settings to create the resource. Depending on how your data source is configured, you may also need to provide optional settings for Retool to connect.

You can automatically populate resource configuration fields by importing an AWS-hosted data source.

Name

The name to use for the resource.

Description

A description of the resource.

Bucket name

The bucket to use for the resource.

Default S3 ACL for uploaded files

The default access control list (ACL) to use when uploading files.

Override default outbound Retool region

Retool connects to your data source from the us-west-2 region. Choosing a different outbound region can improve performance through geographic proximity.

RegionLocation
us-west-2US West (Oregon)
eu-central-1Europe (Frankfurt, Germany)
ap-southeast-1Asia-Pacific (Singapore)

Authentication

The Amazon S3 integration supports the following authentication methods. Depending on which authentication method you use, you may need to make changes to your Amazon S3 configuration.

AWS Identity and Access Management

Authentication is performed using the provided AWS security credentials. You must be able to obtain and provide these credentials to create the resource.

Access key ID

The access key ID with which to authenticate.

Secret key ID

The secret key ID with which to authenticate.

Role to assume (ARN)

A different role to use for accessing the API.

Test the connection

Click Test Connection to verify that Retool can successfully connect to the data source. If the test fails, check the resource settings and try again.

Testing a connection only checks whether Retool can successfully connect to the resource. It cannot check whether the provided credentials have sufficient privileges or can perform every supported action.

Save the resource

Click Create resource to complete the setup. You can then click either Create app to immediately start building a Retool app or Back to resources to return to the list of resources.

Next steps

Your Amazon S3 resource is now ready to use. Check out related queries and code documentation to learn how to interact with Amazon S3 data.