
Connect to S3 storage

Learn how to connect Amazon S3 and S3-compatible services to Retool.

You can connect to Amazon S3 using Retool's built-in integration and make it available as a resource. Once complete, you can write queries to interact with Amazon S3 buckets.

Requirements

All users for Retool organizations on Free or Team plans have global Edit permissions and can add, edit, and remove resources. If your organization manages user permissions for resources, you must be a member of a group with Edit all permissions.

To create an Amazon S3 resource, you need to:

Before you can create an S3 resource, you must update the S3 bucket configuration to allow Retool access. You must complete the following steps using the Amazon S3 console.

1. Configure cross-origin resource sharing (CORS)

Configure CORS to allow Retool access to the S3 bucket. Use either of the following configurations depending on whether your Retool organization is on Cloud or Self-hosted, and update example.com with the URL of your Retool organization.

[
  {
    "AllowedOrigins": ["https://example.com"],
    "AllowedMethods": ["PUT", "POST", "DELETE"],
    "AllowedHeaders": ["*"]
  },
  {
    "AllowedOrigins": ["*"],
    "AllowedMethods": ["GET"]
  }
]
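The following Python check is an added example, not Retool's code. It reviews a bucket's CORS rules before you apply them and reports any origin that is a wildcard, is still the example.com placeholder, is not HTTPS, or is not your Retool URL. The origin https://acme.retool.example and the finding names are constructed for illustration.

```python
from urllib.parse import urlsplit

WRITE_METHODS = {"PUT", "POST", "DELETE"}

def page_cors(origin):
    """The CORS rules from this page with example.com replaced by `origin`."""
    return [
        {"AllowedOrigins": [origin], "AllowedMethods": ["PUT", "POST", "DELETE"],
         "AllowedHeaders": ["*"]},
        {"AllowedOrigins": ["*"], "AllowedMethods": ["GET"]},
    ]

def audit_cors(rules, retool_origin):
    """Return (rule index, finding, origin) for each origin that needs review."""
    findings = []
    for i, rule in enumerate(rules):
        writes = {m.upper() for m in rule.get("AllowedMethods", [])} & WRITE_METHODS
        for origin in rule.get("AllowedOrigins", []):
            if "*" in origin:
                # "*" or "https://*.example.com": browsers let scripts from any
                # matching site read the bucket's responses for these methods.
                kind = "wildcard-origin-write" if writes else "wildcard-origin-read"
                findings.append((i, kind, origin))
            elif origin == "https://example.com":
                findings.append((i, "placeholder-origin", origin))
            elif urlsplit(origin).scheme != "https":
                findings.append((i, "insecure-origin", origin))
            elif origin != retool_origin:
                findings.append((i, "unexpected-origin", origin))
    return findings

if __name__ == "__main__":
    # Constructed origin standing in for a Retool organization URL.
    retool = "https://acme.retool.example"
    for finding in audit_cors(page_cors(retool), retool):
        print(finding)
```

Run against the rules above, the only finding is the wildcard origin on the GET rule, so you can accept it deliberately rather than by default.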

2. Create access credentials

Retool uses programmatic access to connect to the S3 bucket. You create a new user in the IAM Management Console, assign it to a group, and then create a policy that grants access to the specified S3 bucket.

Add a new user through the IAM Management Console. You can add the user to an existing group or create a new group in which to add them. Once created, generate a set of access keys. You provide the access key and secret access key when creating an S3 resource in Retool.

Create a policy with access to the S3 bucket

You configure permissions for S3 buckets using policies. Create a new policy using the IAM Management Console that grants sufficient permission to read and write data to the S3 bucket.

Define the policy

You can use the console's GUI to create permissions or provide a JSON configuration. The following configuration grants access to read and write data for the specified S3 bucket. Update the BUCKET_NAME placeholders with the name of your bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketWebsite",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionAcl",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
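The following Python check is an added example, not Retool's code. It confirms that a policy grants access only to the one bucket you intend and lists the actions that can change object or bucket ACLs and policies. The finding names and the ACL_WRITE list are assumptions chosen for this example; the bucket name my-s3-bucket is a sample value.

```python
from fnmatch import fnmatchcase

# Actions that change who may read an object or bucket; each needs a stated reason.
ACL_WRITE = ("s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:PutBucketAcl", "s3:PutBucketPolicy")

# Action list copied from the policy on this page.
PAGE_ACTIONS = """s3:ListBucket s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketLocation
s3:GetBucketLogging s3:GetBucketNotification s3:GetBucketPolicy s3:GetBucketWebsite
s3:GetObject s3:GetObjectAcl s3:GetObjectVersion s3:GetObjectVersionAcl s3:PutObject
s3:PutObjectAcl s3:PutObjectTagging s3:PutObjectVersionAcl s3:PutObjectVersionTagging""".split()

def page_policy(bucket):
    """The page's policy with the BUCKET_NAME placeholder replaced by `bucket`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": PAGE_ACTIONS,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}

def as_list(value):
    # IAM accepts a single string or object wherever it accepts a list.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return (statement index, finding, value) for every Allow that needs review."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((i, "negated-match", key))
        for arn in as_list(stmt.get("Resource", [])):
            if arn not in in_scope:
                findings.append((i, "resource-out-of-scope", arn))
        for action in as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append((i, "wildcard-action", action))
            # Action names are case-insensitive and may contain * and ? wildcards.
            if any(fnmatchcase(a.lower(), action.lower()) for a in ACL_WRITE):
                findings.append((i, "acl-write", action))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(page_policy("my-s3-bucket"), "my-s3-bucket"):
        print(finding)
```

For the policy above, the check reports only s3:PutObjectAcl and s3:PutObjectVersionAcl. Remove them if your queries never set ACLs on uploaded files.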

Attach the policy

You can attach the policy to either the user or the group to which it belongs. Select the user group to which the user you created is assigned, then attach the policy.

If you want to avoid having permanent permissions for the S3 bucket granted to your IAM user, you can configure the user to assume a role that has sufficient permissions.

Once the policy is attached, you can create the S3 resource in Retool.

3. Create an S3 resource

Retool can connect to almost any API or database, and has built-in integrations for popular data sources. Sign in to your Retool organization and create a new S3 resource from the Resources tab.

4. Configure the resource

Provide the necessary details to configure the resource so Retool can connect to Amazon S3. Not all settings are required; refer to the Amazon S3 documentation to learn which ones you need.

General

These settings configure the name and location of the resource within Retool.

Name

The name to use for the resource (e.g., Amazon S3).

Folder

The folder in which to save the resource.

Description

A brief description of the resource (e.g., Customer data).

Credentials

These settings configure how Retool connects to Amazon S3.

S3 bucket name

The name of the S3 bucket.

Default S3 ACL for uploaded files

The default access control list (ACL) to use when uploading files.

Use custom S3 endpoint

The custom endpoint URL to use. This enables you to connect to S3-compatible storage services, such as DigitalOcean Spaces. Leave this unchecked for Amazon S3.

Force S3 URLs to use path style

Force S3-compatible services to use path style if connection issues occur. Leave this unchecked for Amazon S3.

AWS Access Key ID

The access key generated for the user.

AWS Secret Key ID

The secret access key generated for the user.

Role to assume (ARN)

The role to assume, if required.

5. Save the resource

Click Create resource to complete the setup. You can then click either Create an app to immediately start building a Retool app or Back to resources to return to the list of resources.

Wrap up

Your S3 resource is now ready to use. You write queries to read or write data by specifying the action type and any additional values.

To verify you can successfully interact with Amazon S3, write a test query to retrieve a list of all files in the bucket. Select List all files in a bucket as the Action type.

Response
{
"Contents": [...],
"Name": "my-s3-bucket",
"KeyCount": 6,
"CommonPrefixes": []