Intro
Amazon S3 is built to store and retrieve any amount of data from anywhere. Like Amazon S3, Domo is built to scale with your business. Our customers collectively upload new data into their Domo environments millions of times each week. Have datasets that exceed 50 billion rows? No problem, Domo is built to handle huge amounts of data with speed. Domo’s S3 connector will allow you to leverage all of your S3 data anytime, anywhere. Domo connects directly to S3 and delivers the information you need in real-time visualizations that make analysis easier. Plus, you can see your S3 data alongside metrics from any other system, all in a single platform, and get instant notifications when your metrics hit thresholds that you determine.
If your Amazon S3 bucket contains multiple files that begin with the prefix string you provide in the Details section of the connector, the Amazon S3 AssumeRole Advanced V2 connector will import all files with the provided prefix, assuming they all have the same schema. Use Domo’s Amazon S3 AssumeRole Advanced V2 Connector to connect your S3 bucket data with the Amazon S3 AssumeRole Advanced V2 integration that imports all files with the same prefix. To learn more about the Amazon S3 API, visit their page (http://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html).
The Amazon S3 AssumeRole Advanced V2 connector is a “File” connector, meaning it retrieves files and outputs them to Domo. In the Data Center, you can access the connector page for this and other File connectors by clicking File in the toolbar at the top of the window.
You connect to your Amazon S3 account in the Data Center. This topic discusses the fields and menus that are specific to the Amazon S3 AssumeRole Advanced V2 connector user interface. General information for adding DataSets, setting update schedules, and editing DataSet information is discussed in Adding a DataSet Using a Data Connector.
Best Practices
Understanding the data stored in S3 and its relation to other S3 databases will be a huge asset in using this connector.
Prerequisites
To connect to your Amazon S3 account and create a DataSet, you must have the following:
- The Amazon Resource Name (ARN) of the role to assume.
- The identifier for the assumed role session. You will need to set up a trust policy, which is described in the Trust policy configuration section below.
- The unique identifier used by third parties when assuming roles in their customers’ accounts.
- The name of the Amazon S3 bucket you want to pull data from.
- Your Amazon S3 Region.
Trust policy configuration
The trust policy for the role session identifier should look as follows:
- US: 339405024189
- AU: 010251424122
- EMEA (IE): 687132894031
- JP: 622384692065
- CA: 710710207408
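The following is an added example, not part of the Domo documentation: a constructed cross-account trust policy with an external ID condition, and a check that flags trust statements that allow another account to assume the role without an sts:ExternalId condition or that still carry the EXTERNAL_ID placeholder. It assumes the US account ID listed above is the principal allowed to assume the role; the function name `audit_trust_policy` is hypothetical.

```python
import json

# Constructed sample: the principal is the US account ID listed above (assumed
# to be the account that assumes the role); EXTERNAL_ID is a placeholder.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::339405024189:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL_ID"}}
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _external_ids(stmt):
    """Collect sts:ExternalId values required by StringEquals (keys are case-insensitive)."""
    ids = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() != "stringequals":
            continue
        for key, value in keys.items():
            if key.lower() == "sts:externalid":
                ids.extend(_as_list(value))
    return ids

def audit_trust_policy(policy, own_account_id):
    """Return findings for statements that let another account assume the role."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in arns:
            findings.append(f"statement {n}: wildcard principal")
        if all(own_account_id in arn for arn in arns):
            continue  # same-account trust only; no external ID expected
        ids = _external_ids(stmt)
        if not ids:
            findings.append(f"statement {n}: cross-account trust without sts:ExternalId")
        elif "EXTERNAL_ID" in ids:
            findings.append(f"statement {n}: EXTERNAL_ID placeholder was not replaced")
    return findings
```

Run against the sample as written, the check reports the unreplaced placeholder; it returns an empty list once the external ID generated in the connector's Credentials pane is substituted.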
FAQs
What is ARN? Can it be a user or a role?
A: ARN stands for Amazon Resource Name. It must be a role.
What is the Role Session Name? Do I need to establish it on the trust policy or within the AWS environment first?
A: The Role Session Name is the identifier for the assumed role session. It can be any name you choose.
Can I get a detailed example of a principal trust policy and connector config?
A: Below is what the trust policy should look like for a customer in us-east-1.
Note: You need to replace the EXTERNAL_ID with the ID generated by Domo in the Connector Credentials section of the UI.
Description for the fields in the connector configuration:
- Role ARN: This is the ARN of the role that the customer created and added the trust policy to.
- Role Session Name: This can be left as the default, “Domo”.
- External ID: This is the external ID that Domo generated in the credentials pane and that is put into the trust policy for the role.
- Bucket: This is the S3 bucket the customer wants to get data out of.
- Region: This is the AWS region in which their S3 bucket resides.
Connecting to an Amazon S3 Bucket
This section enumerates the options in the Credentials and Details panes in the Amazon S3 AssumeRole Advanced V2 Connector page. The components of the other panes in this page, Scheduling and Name & Describe Your DataSet, are universal across most connector types and are discussed in greater length in Adding a DataSet Using a Data Connector.
Creating an IAM role (console)
You can use the AWS Management Console to create a role that an IAM user can assume. For example, assume that your organization has multiple AWS accounts to isolate a development environment from a production environment. For high-level information about creating a role that allows users in the development account to access resources in the production account, see Example scenario using separate development and production accounts.
To create a role (console)
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane of the console, choose Roles and then choose Create role.
- Choose AWS account role type.
- To create a role for your account, choose This account. To create a role for another account, choose Another AWS account and enter the Account ID to which you want to grant access to your resources. The administrator of the specified account can grant permission to assume this role to any IAM user in that account. To do this, the administrator attaches a policy to the user or a group that grants permission for the sts:AssumeRole action. That policy must specify the role’s ARN as the Resource.
- If you are granting permissions to users from an account that you do not control, and the users will assume this role programmatically, select Require external ID. The external ID can be any word or number that is agreed upon between you and the administrator of the third-party account. This option automatically adds a condition to the trust policy that allows the user to assume the role only if the request includes the correct sts:ExternalID. For more information, see How to use an external ID when granting access to your AWS resources to a third party.
  Important: Choosing this option restricts access to the role only through the AWS CLI, Tools for Windows PowerShell, or the AWS API. This is because you cannot use the AWS console to switch to a role that has an externalId condition in its trust policy. However, you can create this kind of access programmatically by writing a script or an application using the relevant SDK. For more information and a sample script, see How to Enable Cross-Account Access to the AWS Management Console in the AWS Security Blog.
- If you want to restrict the role to users who sign in with multi-factor authentication (MFA), select Require MFA. This adds a condition to the role’s trust policy that checks for an MFA sign-in. A user who wants to assume the role must sign in with a temporary one-time password from a configured MFA device. Users without MFA authentication cannot assume the role. For more information about MFA, see Using multi-factor authentication (MFA) in AWS.
- Choose Next.
- IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions policy or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see Creating IAM policies. After you create the policy, close that tab and return to your original tab. Select the check box next to the permissions policies that you want anyone who assumes the role to have. If you prefer, you can select no policies at this time, and then attach policies to the role later. By default, a role has no permissions.
- (Optional) Set a permissions boundary. This is an advanced feature. Open the Set permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. Select the policy to use for the permissions boundary.
- Choose Next.
- For Role name, enter a name for your role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because other AWS resources might reference the role, you cannot edit the name of the role after it has been created.
- (Optional) For Description, enter a description for the new role.
- Choose Edit in the Step 1: Select trusted entities or Step 2: Add permissions sections to edit the use cases and permissions for the role.
- (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM resources.
- Review the role and then choose Create role.
Credentials Pane
This pane contains fields for entering credentials to connect to an Amazon S3 bucket. The following table describes what is needed for each field:
| Field | Description |
|---|---|
| Role ARN | Enter the Amazon Resource Name (ARN) of the role you want to assume. |
| Role Session Name | Enter the identifier for the assumed role session. |
| External ID | Enter the unique identifier used by third parties when assuming roles in their customers’ accounts. |
| Bucket | Enter the Amazon S3 Bucket you want to pull files from. |
| Region | Select the S3 Bucket Region where your file is located. |
Details Pane
This pane contains a primary Reports menu, along with various other menus which may or may not appear depending on the report type you select.
| Menu | Description |
|---|---|
| What File Type would you like to import? | Select the file type that you would like to parse and import, either CSV, JSON, TSV, TXT, XML, XLS, or XLSX. |
| Prefix | Enter a prefix to filter results by. A prefix limits the results to only those keys that begin with the specified prefix. |
| File Name | Enter the name of the Amazon S3 object (file) that you would like to import. |
| File Name Match Type | Specify whether the file you want to retrieve starts with or contains the text you entered under File Name. |
| File Compression Type | Select the compression type of your file, either Gzip, zip, or none. |
| Subfile Name | Enter the name or a portion of the name of the subfiles that you would like to import. |
| Add Filename Column | Specify if the BATCH_FILE_NAME column should be added to the final output or not. |
| Select the Delimiting Character | Select the delimiting character used in your file. If your delimiter is not listed select ‘Other.’ |
| Specify your Delimiter | Enter the character used to delimit your character separated values (CSV) text. |
| Quote Character | Select the desired quote character for parsing CSV files. Double quote is the default quote character for CSV standard. |
| Custom Quote Character | Enter the desired CSV Quote character. |
| Escape Character | Select the desired escape character for parsing CSV files. |
| Custom Escape Character | Enter the desired CSV escape character. |
| Are Headers present in CSV file? | Select YES if the file contains headers, else select NO. |
| Date Columns and Formats | Enter the desired date column names and their respective formats as specified below, in the same order they exist in the file. Example: columnName1:dateFormat1,columnName2:dateFormat2 columnName1:dd-MM-yyyy,columnName2:MM-dd-yyyy |
| Session Duration In Hours | Enter the role session duration (in hours). Note that this value can range from 1 to 12 hours, and it must be less than or equal to the maximum session duration set for the role. |
| Ensure Consistent Column Count Across Rows (checkbox) | Terminates the execution if malformed data with inconsistent column values is detected. |
| Enable parsing for large JSON files? | Select Yes to enable parsing large JSON files. |
| Does your JSON text require a line reader? | Select Yes if your JSON text includes multiple lines that should be read. |
| Should the backslash be escaped? | Select Yes if your JSON text has backslash characters that need to be escaped. |
| Enter your data tag | Enter the tag for the data in your file. |
| Enter your sub list to flatten | Enter the comma-separated lists that you would like to flatten out in your data. |
| Enter fields to exclude | Provide a comma-separated list of fields you want to exclude from the import. |
| Enter your header tag | Enter the tag for the header in your JSON text. |
| Header Start Row | Enter the header start row number in the file. |
| Data Start Row | Enter the data start row number in the file. |
| Footer Rows to Skip | Enter the number of rows at the end of the file to skip. For example, to skip the last two rows you would enter 2. |
| Sheet Name | Enter the sheet name you want to retrieve from the specified spreadsheet. Be sure to check the sheet name for accidental spaces. The first sheet of the workbook will be used if the field is left blank. |
| Enter XPath Expression | Enter your XPath expression. |
| Do you require Attributes in Data? | Select ‘Yes’ if you require attributes values as a part of data. |