Set Up Amazon S3
Before you set up the Salesforce connection to Amazon S3, make sure that you complete the required setup on Amazon S3.
- Make sure you understand Amazon S3. For more information, see Amazon S3.
- Set up Amazon S3. See Getting started with Amazon S3.
- Create the Amazon S3 bucket that you want to connect to, if it doesn’t already exist. See AWS Documentation: Working with buckets.
- To allow requests from the Salesforce org and Experience Cloud sites to the S3 buckets, specify the org domain (hostname or Origin) in the CORS section of the S3 bucket.
  Tip: Use the org domain name found in your browser's address bar URL.
  Here’s a sample CORS JSON that allows accessing files from and uploading files to Amazon S3 buckets:

      [
        {
          "AllowedHeaders": [ "*" ],
          "AllowedMethods": [ "GET", "HEAD", "POST", "PUT" ],
          "AllowedOrigins": [ "<hostname>" ],
          "ExposeHeaders": [ "ETag", "Access-Control-Allow-Origin" ]
        }
      ]

  Where <hostname> is your Salesforce org domain, such as https://company1.force.com/.
  For more information, see Configuring CORS.
- Depending on your use case, create the required users and roles on AWS to connect to the S3 bucket. In AWS, for users to gain access to AWS resources, add IAM policies to roles. Users can then assume the roles.
  - Create IAM users. See Create an IAM user or create an IAM group.
  - Create access keys for the users. See Create new access keys for an IAM user.
  - Create roles. See Creating a new IAM role.
  - Assign roles to users. See Trust relationship for an IAM role.
    Sample user JSON:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "AWS": "user/AUser1" },
              "Action": "sts:AssumeRole"
            }
          ]
        }

    Where user/AUser1 is the user ARN value.
  - Create IAM policies. See Identity-based policies for Amazon S3.
    Sample policy JSON to grant access to search files from and upload files to the ‘evidences’ S3 bucket and its subfolders:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AccessFromOrgToBucket",
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObjectTagging"
              ],
              "Resource": [
                "arn:aws:s3:::evidences",
                "arn:aws:s3:::evidences/*"
              ]
            }
          ]
        }
- After setting up Amazon S3, note these details for your Salesforce setup:
  - Amazon account ID. For example, 296062575494
  - Region
  - S3 Bucket URL in this format: https://<bucketname>.s3.<region>.amazonaws.com. For example, https://evidences-user2.s3.us-west-2.amazonaws.com
  - For each user:
    - Access key
    - Secret access key
    - User ARN. For example, user/AUser1
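The CORS step above takes the org domain from the browser's address bar. As an added example (not Salesforce or AWS code), this Python check reduces such a URL to the scheme://host[:port] form that browsers send in the Origin header and flags AllowedOrigins entries that are wildcards, unreplaced placeholders, non-HTTPS, or carry a path. The sample rule, its origins, and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the page's CORS rule with hypothetical origins filled in.
SAMPLE_CORS = json.loads("""[
  {"AllowedHeaders": ["*"],
   "AllowedMethods": ["GET", "HEAD", "POST", "PUT"],
   "AllowedOrigins": ["https://company1.force.com/lightning/page/home", "*"],
   "ExposeHeaders": ["ETag", "Access-Control-Allow-Origin"]}
]""")

WRITE_METHODS = {"POST", "PUT", "DELETE"}

def origin_from_url(url):
    """Reduce an address-bar URL to the scheme://host[:port] form sent as Origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"

def lint_cors(rules):
    """Return (rule_index, origin, message) findings for a list of S3 CORS rules."""
    findings = []
    for i, rule in enumerate(rules):
        writes = sorted(WRITE_METHODS & set(rule.get("AllowedMethods", [])))
        for origin in rule.get("AllowedOrigins", []):
            if "<" in origin or ">" in origin:
                findings.append((i, origin, "placeholder was not replaced"))
                continue
            if origin == "*":
                findings.append((i, origin, f"every origin allowed, write methods: {writes}"))
                continue
            parts = urlsplit(origin)
            if not parts.scheme or not parts.netloc:
                findings.append((i, origin, "missing scheme or host"))
                continue
            if parts.scheme != "https":
                findings.append((i, origin, "origin is not https"))
            if "*" in parts.netloc:
                findings.append((i, origin, "wildcard host matches more than one domain"))
            if parts.path or parts.query or parts.fragment:
                # Browsers never include a path or trailing slash in the Origin header.
                findings.append((i, origin, "extra path/query; use " + origin_from_url(origin)))
    return findings

if __name__ == "__main__":
    for idx, origin, message in lint_cors(SAMPLE_CORS):
        print(f"rule {idx}: {origin}: {message}")
```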

