Connect Pigment with AWS S3

  • 26 August 2022
  • 0 replies
Connect Pigment with AWS S3
Userlevel 5
Badge +8

This article explains how to connect a Amazon S3 bucket with your Pigment Organization to load any of csv files stored in that bucket into a Pigment’s block.




This process starts in AWS, with the creation of an IAM user with programmatic access. Next, you’ll add a policy to create permission for Pigment to access AWS.  This user and policy are used to generate the access key needed when establishing the connection in Pigment.  Establishing a connection within Pigment follows the standard steps of adding a new connection, uploading access keys, and defining the area to grab data from.  AWS has the added benefit of being able to choose from a fixed or most recent file.



You must have an AWS S3 bucket containing the data you want to load in Pigment.

You must be an AWS Admin to configure the connection on the AWS side


Setting up access in AWS


Step 1 - Creating an IAM user 


Pigment uses Programmatic access based on the access key (“Access key ID”/”Secret access key”) to connect with your AWS S3 bucket.  For security reasons, Pigment recommends a dedicated IAM user. 


Follow these AWS instructions to create a user with Access Key - Programmatic access.



Step 2 - Set Permissions for IAM user 


On the next step, select Attach existing policies directly and click on Create policy.


Follow these AWS instructions to Create a policy with the following two permission statements:

Do they need to select a specific type of policy?  Json/visual editor? 


"Version": "2012-10-17",
"Statement": [
"Sid": "PigmentS3ReadFiles",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": [
"Sid": "PigmentS3ListFiles",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [

PigmentS3ReadFiles’ is mandatory (so that Pigment can access to files you need to load).
PigmentS3ListFiles’  is only needed if you want you the lan to use the “Pattern Mode”

Edit the “Resource” with the bucket arn you want to share with Pigment. 


Step 3 - Attach Permissions to IAM user to generate access key.


Once the policy is created, attach it to Pigment User that you created earlier.  


The last step of the user Creation process will prompt you with an access key generated for this user. Keep the “Access key ID” and the “Secret access key” you will need these for the next step. 




Establishing connection in Pigment 


Like for other integrations, go to the integration page from the Settings tab.

Next click on + Add next to the Amazon S3 integration.


Fill out the form with the following information. You will need to establish a connection for each individual AWS bucket. 


Name: give a name to your connection  

Bucket name: name of the bucket which can be accessed with this connection. (ex: pigment-export )

Bucket region: AWS region associated to the bucket (ex: Europe (Frankfurt)

Access key ID: ID of the access key associated to Pigment User from Step 3.

Secret access keysecret of the access key assoiated to Pigment User from Step 3.

Application access: Select the applications which will be allowed to use this connection



Use the connection in Pigment 


Once the Amazon S3 connection is configured, open an Application that the connection is available on and open the “Import Data” interface for the object you want to import data into.  For example, if you were importing data into a Transactions, you would open up list and then select Import and Download and then Import .

Instead of “Upload file”, select the Integration option. From here, select your Amazon S3 Connection.


Select the Import mode you want.


Fixed file


This import mode will choose one individual file name.

Just input the file name and location (ex: folder1/folder2/file.csv) and click on Import.

The file should load in Pigment within a few seconds!  If this configuration is saved, it will only upload that file name.


Most recent file


This import mode allows you to define a path and Pigment will upload the most recent file depending on a defined naming convention that must contain a ISO-8601 compatible date format within it. 


Naming convention in Amazon S3 

When naming your files in Amazon s3, your file name must follow a consistent naming convention with the date included.  Here are some examples of file names for a rev.csv with the ISO-8601 compatible date formats located at the start.


ISO-8601 compatible date formats example of file names {{date}}-rev.csv naming convention
yyyy-MM-dd 2022-09-30-rev.csv
yyyy-MM-ddThh:mm:ss 2022-09-30T00:00:00-rev.csv
yyyy-MM-ddThh:mm:ssZ 2022-09-30T00:00:00Z-rev.csv


When writing the file path in Pigment


Similar to the Fixed file, you must first define the path with the location(ex: folder1/folder2/ ) ,then you must define file naming convention with a date included in the file name.  When entering the case sensitive path in Pigment, use {{date}} where the date is located. 

It should look something like this  folder1/folder2/file-{{date}}.csv


Here are some examples of file names and the results depending on what path you entered.

If the bucket contains the following files:

  • /myfolderA/2022-09-15-salaries.csv
  • /myfolderA/2022-10-15-salaries.csv
  • /myfolderA/2022-10-16-revenue.csv
  • /myfolderB/2022-11-15-salaries.csv

Here are the results I would get depending on my file path :

  • path "myfolderA/{{date}}-salaries.csv" will import /myfolderA/2022-10-15-salaries.csv because this is the most recent file in myfolderA.
  • path "myfolderB/{{date}}-salaries.csv" will import /myfolderB/2022-11-15-salaries.csv because this is the most recent file in myfolderB.
  • path "/{{date}}-salaries.csv" will import nothing because its missing the folder location.


Advance: Server Side encryption 

The Pigment connector is compatible with Server Side Encrypted AWS buckets (SSE-S3 and SSE-KMS).


if you are using using SSE-KMS with a Customer managed Key (CMK), you must adjust the Policy of the CMK associated to the bucket to allow Pigment User to decrypt files. (AWS doc)

Add the below statement to the CMK policy:

"Sid": "Allow use of the key to decrypt",
"Effect": "Allow",
"Principal": {
"Action": [
"Resource": "*"



This topic has been closed for comments