Skip to main content

Connect to Amazon S3 and S3-compatible services

Learn how to connect Amazon S3 and S3-compatible services to Retool.

You can connect to Amazon S3 and make it available as a resource in Retool. Once complete, your users can write queries that interact with Amazon S3 data.

You can also use the Amazon S3 integration to use S3-compatible services, such as DigitalOcean Spaces.

Requirements and settings

The following requirements for a Amazon S3 resource depend on whether you are creating a resource on a cloud-hosted Retool organization or a self-hosted deployment.

For more information on how to obtain the necessary information from Amazon S3, refer to its documentation.

Requirements for cloud-hosted Retool

The following requirements must be met to successfully create Amazon S3 resources.

RequirementDescription
Sufficient user permissions to create resources

All users for Retool organizations on Free or Team plans have global Edit permissions and can add, edit, and remove resources. If your organization manages user permissions for resources, you must be a member of a group with Edit all permissions.

Resource configuration settings

You must be able to provide the settings needed to create a resource. This may require you to perform actions, such as generating access credentials or creating a client application.

Resource authentication settings

You must have access to the data source and sufficient permissions to perform the actions needed, and be able to provide valid authentication settings.

Allow Retool access to the data source

If the data source is behind a firewall or restricts access based on IP address then you must ensure that your Retool organization can access it. If necessary, configure your data source to allow access from Retool's IP addresses.

Configuration settings for cloud-hosted Retool

Cloud-hosted Retool organizations support the following configuration settings.

SettingDescription
Bucket name

The bucket to use.

Default S3 ACL for uploaded files

The default access control list (ACL) to use when uploading files.

Use custom S3 endpoint

Whether to use a custom endpoint URL. This enables you to connect to S3-compatible storage services.

Force S3 URLs to use path style

Whether to force S3-compatible services to use path style.

Cloud-hosted Retool organizations can also optionally configure the following advanced options.

SettingDescription
Override default outbound Retool region

Specify a different outbound region from which Retool connects. This can improve performance if your resource is located in a different region to us-west-2.

Authentication settings for cloud-hosted Retool

Cloud-hosted Retool organizations can authenticate with this resource using the following methods. You must be able to provide the necessary credentials for the method you wish to use.

Access keys

Authentication is performed using AWS identity and access management (IAM) access keys for which you provide details.

SettingDescription
Access key ID

The access key ID with which to authenticate.

Secret key ID

The secret key ID with which to authenticate.

Role to assume (ARN)

A different role with which to access.

Cross-origin resource sharing (CORS)

Before you create a resource, you must configure CORS to allow Retool access to write or modify data. The CORS configuration depends on your use case.

Amazon S3

[
{
"AllowedOrigins": ["https://*.retool.com"],
"AllowedMethods": ["PUT", "POST", "DELETE"],
"AllowedHeaders": ["*"]
},
{
"AllowedOrigins": ["*"],
"AllowedMethods": ["GET"]
}
]
Create access credentials

Retool uses programmatic access to connect to the S3 bucket. You create a new user in the IAM Management Console, assign in to a group, and then create a policy that grants access to the specified S3 bucket.

Create the policy

  1. Add a new user through the IAM Management Console. You can add the user to an existing group or create a new group in which to add them. Once created, generate a set of access keys. You provide the access key and secret access key when creating an S3 resource in Retool.
  2. You configure permissions for S3 buckets using policies. Create a new policy using the IAM Management Console that grants sufficient permission to read and write data to the S3 bucket.
  3. You use the console's GUI to create permissions or provide a JSON configuration. The following configuration grants access to read and write data for the specified S3 bucket. Update the BUCKET_NAME placeholders with the name of your bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketWebsite",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}

Attach the policy

You can attach the policy to either the user or the group to which it belongs. Select the user group in which the user you created is assigned, then attach the policy.

If you want to avoid having permanent permissions for the S3 bucket granted to your IAM user, you can configure the user to assume a role that has sufficient permissions.

Once the policy is attached, you can create the S3 resource in Retool.

S3-compatible services

Retool authenticates with S3-compatible services using access keys. Generate access credentials and provide them as values for AWS Access Key ID and AWS Secret Key ID.

Retool requires GET, PUT, POST, and DELETE. Set the origin to your Retool organization URL.

1. Create a resource

Sign in to your Retool organization and navigate to the Resources tab. Click Create new > Resource, then select Amazon S3.

2. Configure the resource

Specify a name and location for your Amazon S3 resource. Retool displays the resource name and type in query editors to help users identify them. Next, provide the required information to create the resource. Depending on how your data source is configured, you may also need to provide optional settings for Retool to connect.

3. Test the connection

Click Test Connection to verify that Retool can successfully connect to Amazon S3. If the test fails, check the resource settings and try again.

Testing only verifies connection

Testing a connection only checks whether Retool can successfully connect to the resource. It cannot check whether the provided credentials have sufficient privileges or can perform every supported action.

4. Save the resource

Click Create resource to complete the setup. You can then click either Create app to immediately start building a Retool app or Back to resources to return to the list of resources.

Wrap up

Your Amazon S3 resource is now ready to use. To start querying Amazon S3 data:

  1. Add a Resource query to an app or a Resource query block to a workflow.
  2. Select the new Amazon S3 resource from the resources dropdown.
  3. Write and run a query.