Amazon S3
This article outlines the integration with the Amazon S3 connector, enabling streamlined metadata management through features such as crawling of files and folders, profiling, and data preview. Additionally, it ensures secure authentication via Credential Manager.
Overview
Connector Details
Connector Category
Cloud Storage
OvalEdge Release Current Connector Version
6.3.4
Connectivity
[How OvalEdge connects to Amazon S3]
AWS S3 SDK
OvalEdge Releases Supported
(Available from)
Release4.0
Connector Features
Crawling / Cataloging
✅
Delta Crawling
❌
Profiling*
✅
Sample Profiling
✅
Query Sheet
NA
Data Preview
✅
Auto Lineage
NA
Manual Lineage
✅
Secure Authentication via Credential Manager
✅
Data Quality
✅
DAM (Data Access Management)
✅
Bridge
✅
"NA" indicates that the respective feature is 'Not Applicable.'
*Full profiling is supported through DuckDB. To enable this capability, configure the system setting (key: enable.duckdb) to True.
Metadata Mapping
The following objects are crawled from Amazon S3 and mapped to the corresponding UI assets.
Bucket
Folder
Folder
Folder
Folder
File
File
File
File
File
XLSX
Folder(subfile)
Folder(subfile)
Folder(subfile)
Folder(subfile)
XLS
Folder(subfile)
Folder(subfile)
Folder(subfile)
Folder(subfile)
CSV
File
File
File
File
TXT
File
File
File
File
PARQUET
File
File
File
File
ORC
File
File
File
File
JSON
File
File
File
File
YAML
File
File
File
File
PIP
File
File
File
File
Set up a Connection
Prerequisites
The following are the prerequisites to establish a connection:
Ensure that the CSV files follow the required formatting standards for proper data processing and visibility. Refer to CSV Format Requirements.
Service Account User Permissions
It is recommended to use a separate service account to establish the connection to the data source, configured with the following minimum set of permissions.
👨💻Who can provide these permissions? These permissions are typically granted by the Amazon S3 administrator, as users may not have the required access to assign them independently.
Buckets
ListAllMyBuckets
GetBucketLocation
GetBucketTagging
GetEncryptionConfiguration
Folder
ListBucket
GetBucketLocation
GetEncryptionConfiguration
Files
ListBucket
GetBucketLocation
GetEncryptionConfiguration
Profile
GetObject
Cross-Account Role Prerequisites
For cross-account access, ensure the following configurations are completed:
The target AWS IAM role must include a trust policy that allows the source account or IAM principal to assume the role.
The IAM principal or role used by the application must have the
sts:AssumeRolepermission for the target role.
SSE-KMS Bucket Permissions
For Amazon S3 buckets encrypted using SSE-KMS, additional AWS KMS permissions are required.
Along with s3:GetObject, the IAM principal or assumed role must also have the following permissions on the associated Customer Managed Key (CMK):
kms:Decryptkms:DescribeKey(if applicable)
Connection Configuration Steps
Users are required to have the Connector Creator role in order to configure a new connection.
Log into OvalEdge, go to Administration > Connectors, click + (New Connector), search for Amazon S3, and complete the required parameters.
Fields marked with an asterisk (*) are mandatory for establishing a connection.
Connector Type
By default, "Amazon S3" is displayed as the selected connector type.
Authentication*
The following two types of authentication are supported for Amazon S3:
Role Based Authentication (Default)
IAM User Authentication
Credential Manager*
Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on the selection.
Supported Credential Managers:
OE Credential Manager
AWS Secrets Manager
HashiCorp
Azure Key Vault
License Add Ons
Select the checkbox for Data Quality Add-On to identify data quality issues using data quality rules and anomaly detection.
Select the checkbox for Data Access Add-On to enable the data access functionality.
Connector Name*
Enter a unique name for the Amazon S3 connection
(Example: "AmazonS3db").
Connector Description
Enter a brief summary or details about the connector.
Connector Environment
Select the environment (Example: PROD, STG) configured for the connector.
Cross-Account Role ARN
Enter the ARN (Amazon Resource Name) of the role used for cross-account access.
Filter by tags
Enter one or more tags to narrow down and display only the items associated with those tags.
Region
Enter the region where the Amazon S3 files or resources are located.
Credential Manager*
Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on the selection.
Supported Credential Managers:
OE Credential Manager
AWS Secrets Manager
HashiCorp
Azure Key Vault
License Add Ons
Select the checkbox for Data Quality Add-On to identify data quality issues using data quality rules and anomaly detection.
Select the checkbox for Data Access Add-On to enable the data access functionality.
Auto Lineage
Not Supported
Data Quality
Supported
Data Access
Supported
Connector Name*
Enter a unique name for the Amazon S3 connection
(Example: "AmazonS3db").
Connector Description
Enter a brief summary or details about the connector.
Connector Environment
Select the environment (Example: PROD, STG) configured for the connector.
Access key*
Enter the AWS Access Key ID used to authenticate the IAM user.
Secret key*
Enter the AWS Secret Access Key associated with the Access Key ID.
Filter by tags
Enter one or more tags to narrow down and display only the items associated with those tags.
Region
Enter the region where the Amazon S3 files or resources are located.
Default Governance Roles
Default Governance Roles*
Select the appropriate users or teams for each governance role from the drop-down list. All users configured in the security settings are available for selection.
Admin Roles
Admin Roles*
Select one or more users from the dropdown list for Integration Admin and Security & Governance Admin. All users configured in the security settings are available for selection.
No of Archive Objects
No Of Archive Objects*
This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive.
Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.
Bridge
Select Bridge*
If applicable, select the bridge from the drop-down list.
The drop-down list displays all active bridges that have been configured. These bridges facilitate communication between data sources and the system without requiring changes to firewall rules.
After entering all connection details, the following actions can be performed:
Click Validate to verify the connection.
Click Save to store the connection for future use.
Click Save & Configure to apply additional settings before saving.
The saved connection will appear on the Connectors home page.
Manage Connector Operations
Crawl/Profile
To perform crawl and profile operations, users must be assigned the Integration Admin role.
Navigate to the Connectors page and click Crawl/Profile.
This action initiates the metadata collection process from the data source and loads the retrieved metadata into the File Manager > File Explorer.
In the File Manager, click the connector name, select the specific folder(s) or file(s), then click Catalog / Catalog and Profile from the Nine Dots menu. For more details, click here.
Profiling is supported only at the individual file level through the File Nine Dots menu in File Manager. File columns are fetched into the system only after the profiling process has been successfully completed.
The selected files or folders will be added to the Data Catalog > Files/File Columns tab.
Other Operations
The Connectors page provides a centralized view of all configured connectors, along with their health status.
Managing connectors includes:
Connectors Health: Displays the current status of each connector using a green icon for active connections and a red icon for inactive connections, helping to monitor the connectivity with data sources.
Viewing: Click the Eye icon next to the connector name to view connector details, including databases, tables, columns, and codes.
Nine Dots Menu Options:
To view, edit, validate, configure, or delete connectors, click on the Nine Dots menu.
Edit Connector: Update and revalidate the data source.
Validate Connector: Check the connection's integrity.
Settings: Modify connector settings.
Crawler: Configure data extraction.
Access Instructions: Add notes on how data can be accessed.
Business Glossary Settings: Manage term associations at the connector level.
Anomaly Detection Settings: Configure anomaly detection preferences at the connector level.
Others: Configure notification recipients for metadata changes.
Delete Connector: Remove a connector with confirmation.
For more details, click here.
Connectivity Troubleshooting
If incorrect parameters are entered, error messages may appear. Ensure all inputs are accurate to resolve these issues. If issues persist, contact the assigned support team.
1
Error while validating connection: Please provide valid credentials: The AWS Access Key Id you provided does not exist in our records. (Service: Amazon S3; Status Code: 403; Error Code: InvalidAccessKeyId; Request ID: 73GVA0Y9H15Q5K7G; S3 Extended Request ID: jmNMT5vyMU9kEiT68EgfY6IYRwTdvzSh+51qL/6IzxpguBCYe7e1JOJYLpbHOl1t2mqyKlmArTw=; Proxy: null)
Error Description: Invalid Access Key
Resolution:
Verify that the configured AWS Access Key ID is correct and active.
Ensure that the access key belongs to the intended AWS account.
Update the connection with a valid access key and revalidate the connection.
2
Error while validating connection: Please provide valid credentials: The request signature we calculated does not match the signature you provided. Check your key and signing method. If you start to see this issue after you upgrade the SDK to 1.12.460 or later, it could be because the bucket provided contains '/'. (Service: Amazon S3; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: NWGSQ9BDSZ2A3H5H; S3 Extended Request ID: 319yH7h/x76swRiPpjxjs8KB/6dLrdGHrrAJs9rD2/HgQWudiMCQJMzj1ItUQAJ1zEsVm/YsCbU=; Proxy: null)
Error Description: Invalid Secret Key
Resolution:
Verify that the configured AWS Secret Access Key is correct.
Ensure that only the bucket name is provided without any folder path or prefix.
Revalidate the connection after updating the secret key or bucket configuration.
Note: With AWS SDK version 1.12.460 and later, entering a bucket value that includes a forward slash (/) or path prefix may result in an SignatureDoesNotMatch error. Ensure that only the bucket name is provided without any folder path or prefix.
3
Error while validating connection: Exception while fetching AWSCredentialsProvider : User: arn:aws:iam::479930578883:user/connector_testing is not authorized to perform: sts: AssumeRole on resource: arn:aws:iam::479930578883:role/airflow_MWAA (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 6bd3e40e-6e9c-43e9-8f51-e631727b6afe; Proxy: null)
Error Description: Missing sts:AssumeRole permission for cross-account role authentication.
Resolution:
Verify that the IAM user or role has permission to perform
sts:AssumeRole.Ensure that the target IAM role trust relationship is configured correctly.
Update the required permissions and revalidate the connection.
4
Error while validating connection: Incorrect Account ID!
Error Description: Invalid account ID
Resolution:
Verify that the configured AWS Account ID is correct.
Ensure that the account ID matches the configured AWS environment.
Update the account ID and validate the connection again.
Copyright © 2026, OvalEdge LLC, Peachtree Corners GA USA
Last updated
Was this helpful?