\\
!! S3 Integration Overview:\\
\\
----
__⚠️ General restrictions:__ This integration allows you to use an Amazon S3 bucket as the backend virtual file system ([VFS]) in CrushFTP. However, S3 is not a true hierarchical file system: folder structures are simulated using object key prefixes, so there is no single object to rename when a "folder" is renamed (every object under the prefix would have to be copied and then deleted). As a result, renaming folders is not supported. These are not limitations imposed by CrushFTP but are inherent to S3’s object storage architecture, which is optimized for static content access rather than dynamic file manipulation.\\
----
__⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, ensure that the necessary S3 domains are whitelisted to allow successful communication with the S3 REST API.\\
----
!1. Amazon S3 Configuration.\\
\\
The URL should be structured as follows (replace placeholders with your actual values):\\
\\
{{{
General S3 : s3://ACCESS_KEY_ID:SECRET_ACCESS_KEY@SERVER/BUCKET/

Amazon S3 Example: s3://AKIAEXAMPLE:abcd1234example@s3.amazonaws.com/my-bucket/
}}}
\\
!1.1 Access Key Authentication\\
\\
To authenticate using standard Amazon S3 credentials:\\
• __Access Key ID__ – Your AWS access key.\\
• __Secret Access Key__ – The corresponding secret key.\\
\\
The __Access Key ID__ and __Secret Access Key__ are generated, and offered for download, when you create an access key for an IAM user in the AWS Management Console (More info: [Manage access keys for IAM users Link|https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey]). ⚠️ Make sure to save them securely, as the secret key will not be shown again. Use a dedicated IAM user for CrushFTP and attach only the permissions listed in section 1.3 to it, so a leaked key cannot reach anything beyond the configured bucket.\\
\\
The S3 server endpoint and bucket name can be found in the AWS Console under: __S3 -> Buckets__. This information is required to correctly configure your S3 integration.\\
\\
[attachments|S3_bucket_info.png]\\
\\
!1.2 Amazon EC2 IAM Authentication Support\\
\\
CrushFTP supports S3 authentication using IAM roles assigned to EC2 instances. This allows secure access without embedding static credentials.\\
To use this mode:\\
• Set the S3 Username to: __iam_lookup__\\
• Set the S3 Password to: __lookup__\\
\\
This instructs CrushFTP to __automatically retrieve temporary credentials from the EC2 instance’s IAM role__ via the instance metadata service. Use this approach to securely avoid hardcoding static credentials in environments where IAM roles are configured properly.\\
\\
__General EC2-Related Settings__ (Preferences -> Misc -> S3 Configuration):\\
• __Enable IMDSv2__: IMDS (Instance Metadata Service) v2 is the more secure version of the metadata endpoint used by EC2 instances to retrieve IAM role credentials. Enabling this option makes CrushFTP first request a session token (an HTTP PUT with a TTL header) and then present that token on every metadata request; a plain GET as used by IMDSv1 is no longer sent. This token-based access blocks the common SSRF pattern where an attacker-controlled GET reads role credentials out of the metadata endpoint, and it follows AWS security best practices. If the instance is configured with HttpTokens=required, IMDSv1 requests are rejected with HTTP 401, so this option must be enabled there. ⚠️ Always enable IMDSv2 unless your instance or security policies require legacy IMDSv1.\\
• __EC2 Use relative URL__: When enabled, CrushFTP uses a relative URI path instead of an absolute path when communicating with the EC2 metadata service (http://169.254.169.254). This setting may be required in hardened environments or with certain proxy configurations that restrict full URL usage for local metadata requests. ⚠️ Note: Only enable this setting if you are encountering metadata access issues or are instructed to do so by AWS or your network/security administrator.\\
\\
Then enter these values in the corresponding fields of the S3 VFS item in CrushFTP.\\
\\
[attachments|S3_VFS_config.png]\\
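To show what the __Enable IMDSv2__ option changes on the wire, here is an added example (not CrushFTP's own code) of the exchange a client on EC2 performs to obtain its role credentials from the instance metadata service, with the legacy IMDSv1 call beside it. The HTTP transport is injected so the logic runs offline against a constructed fake of an instance that has HttpTokens=required; the role name, key IDs and token strings in the fake are made up.

```python
"""
Added example, not CrushFTP's code: the IMDSv2 credential exchange
(PUT token, then GET with the token header) next to the IMDSv1 plain GET.
A transport callable (method, path, headers) -> (status, body) is injected so
the logic can run offline; the default transport talks to the real endpoint.
"""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def urllib_transport(method, path, headers):
    """Real transport; only meaningful when run on an EC2 instance."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def fetch_role_credentials(transport, use_imdsv2=True, role_name=None):
    """Return the temporary credentials of the instance's IAM role.

    use_imdsv2=True  : PUT a session token first and send it on every GET
                       (what CrushFTP's "Enable IMDSv2" setting selects).
    use_imdsv2=False : plain GETs, which an instance with HttpTokens=required
                       rejects with HTTP 401.
    """
    headers = {}
    if use_imdsv2:
        # 21600 s is the maximum token TTL IMDS accepts.
        status, token = transport("PUT", TOKEN_PATH, {TOKEN_TTL_HEADER: "21600"})
        if status != 200:
            raise RuntimeError(f"IMDSv2 token request failed: HTTP {status}")
        headers[TOKEN_HEADER] = token

    if role_name is None:
        # The listing endpoint returns the attached role name(s), one per line.
        status, body = transport("GET", CREDS_PATH, headers)
        if status != 200:
            raise RuntimeError(f"role listing failed: HTTP {status}")
        role_name = body.strip().splitlines()[0]

    status, body = transport("GET", CREDS_PATH + role_name, headers)
    if status != 200:
        raise RuntimeError(f"credential fetch failed: HTTP {status}")
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned Code={creds.get('Code')}")
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}


class FakeImds:
    """Constructed stand-in for an instance with HttpTokens=required."""

    def __init__(self):
        self.tokens = set()
        self.role = "CrushFTP-S3-Role"  # hypothetical role name
        self.creds = {  # made-up values in the real IMDS response shape
            "Code": "Success",
            "AccessKeyId": "ASIAEXAMPLE",
            "SecretAccessKey": "example-secret",
            "Token": "example-session-token",
            "Expiration": "2030-01-01T00:00:00Z",
        }

    def __call__(self, method, path, headers):
        if method == "PUT" and path == TOKEN_PATH and TOKEN_TTL_HEADER in headers:
            tok = "fake-token-%d" % (len(self.tokens) + 1)
            self.tokens.add(tok)
            return 200, tok
        if headers.get(TOKEN_HEADER) not in self.tokens:
            return 401, "Unauthorized"  # every IMDSv1-style request ends here
        if method == "GET" and path == CREDS_PATH:
            return 200, self.role + "\n"
        if method == "GET" and path == CREDS_PATH + self.role:
            return 200, json.dumps(self.creds)
        return 404, "Not Found"


if __name__ == "__main__":
    print("IMDSv2:", fetch_role_credentials(FakeImds())["AccessKeyId"])
    try:
        fetch_role_credentials(FakeImds(), use_imdsv2=False)
    except RuntimeError as e:
        print("IMDSv1:", e)
```

The token step is what an SSRF primitive usually cannot reproduce: it needs a PUT with a custom header, and the token has a hop limit of 1 by default, so a request relayed through the application never obtains one. Replace `FakeImds()` with `urllib_transport` to run the same logic on a real instance.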
\\
!1.3 Required S3 IAM Policy Permissions\\
\\
To allow proper integration with Amazon S3, ensure that your IAM user or role has the following permissions assigned:\\
\\
{{{
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject",
"s3:GetObject",
"s3:GetObjectAttributes"
}}}\\
\\
||Permission||Description||Why It’s Needed\\
|s3:GetBucketLocation |Retrieves the AWS region of a specified bucket.|Required to validate bucket location and endpoint.\\
|s3:ListAllMyBuckets|Lists all buckets owned by the requester.|Needed if the application dynamically lists available buckets.\\
|s3:ListBucket|Lists objects within a specific bucket.|Allows viewing file/folder listings in a bucket.\\
|s3:ListBucketMultipartUploads|Lists ongoing multipart uploads in a bucket.|Enables resuming or cleaning up incomplete multipart uploads.\\
|s3:PutObject|Uploads an object to a bucket.|Required for writing (uploading) files.\\
|s3:AbortMultipartUpload|Cancels an in-progress multipart upload.|Used to clean up failed or cancelled large file uploads.\\
|s3:ListMultipartUploadParts|Lists parts of a multipart upload.|Required when managing multipart uploads for large files.\\
|s3:DeleteObject|Deletes an object from a bucket.|Allows file deletion capabilities.\\
|s3:GetObject|Downloads or retrieves an object.|Required to read or download files.\\
|s3:GetObjectAttributes|Retrieves metadata and properties of an object (e.g., size, last-modified).|Useful for showing detailed file info without downloading the entire object.\\
\\
You may scope the "Resource" field to specific buckets or prefixes for more secure and limited access. Note that the actions apply to different resource types: s3:ListAllMyBuckets can only be granted on "*", the bucket-level actions (s3:GetBucketLocation, s3:ListBucket, s3:ListBucketMultipartUploads) must be granted on the bucket ARN (e.g., "arn:aws:s3:::your-bucket-name"), and the object-level actions on the objects (e.g., "arn:aws:s3:::your-bucket-name/*"). A policy that lists only "arn:aws:s3:::your-bucket-name/*" grants uploads and downloads but silently denies directory listings.\\
__⚠️ Important__: In the CrushFTP S3 Remote item configuration, be sure to check the __Don’t check the Bucket at login__ flag if the user does not have permission to list or access the bucket root directly.\\
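The permissions above assembled into a complete least-privilege policy, as an added example (not a policy shipped with CrushFTP); `your-bucket-name` is a placeholder and the statement Sids are arbitrary:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAccountBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "BucketLevel",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name"
    },
    {
      "Sid": "ObjectLevel",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAttributes",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
```

To confine the user to one prefix, change the object Resource to `arn:aws:s3:::your-bucket-name/crushftp/*` and add `"Condition": {"StringLike": {"s3:prefix": ["crushftp/*"]}}` to the ListBucket statement; the first statement can be dropped if CrushFTP never needs to enumerate buckets.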
----
!2. Access other cloud storage through S3 REST API\\
\\
Google Cloud - [Google Cloud Storage Access Through S3 REST API | https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Google%20Cloud%20Storage%20Integration#section-Google+Cloud+Storage+Integration-2.AccessThroughS3RESTAPI] \\
BackBlaze(b2) - [BackBlaze(b2) Access Through S3 REST API| https://www.crushftp.com/crush11wiki/Wiki.jsp?page=BackBlaze%28b2%29%20integration#section-BackBlaze_28b2_29+integration-2.AccessThroughS3RESTAPI]\\
----
!3. Assume Role access\\
\\
You can use IAM roles to delegate access to your AWS resources. With IAM roles you establish a trust relationship between the account that owns the resources (the trusting account) and the accounts or principals that are allowed to assume the role (the trusted entities). (for more info see: [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html], and [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html])\\
\\
Create the assume role at __Identity and Access Management (IAM)__:\\
\\
[attachments|create_assume_role.png]\\
\\
[attachments|assume_role_entity_type.png]\\
\\
[attachments|assume_role_s3_access.png]\\
\\
[attachments|assume_create_role_final_check.png]\\
\\
Attach a permission policy to the IAM user whose access key CrushFTP will use. This policy allows that user to assume the role created above.\\
\\
[attachments|assume_role_user_permission_policy.png]\\
\\
{{{
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::XXXXX:role/AssumeRoleS3"
        }
    ]
}
}}}\\
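The policy above is only the user side of the trust relationship. The role itself must name that user as a trusted principal in its trust policy (the screenshots above set this up in the console); here is what that trust policy looks like, as an added example that is not part of the original page. The account id placeholder `XXXXX` is the page's own, and the user name `crushftp-s3` is hypothetical:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::XXXXX:user/crushftp-s3" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Both halves are required: if either the user's policy or the role's trust policy is missing, STS returns AccessDenied. When the role is assumed from a different (third-party) account, add an `sts:ExternalId` condition to the trust policy so that the role cannot be assumed by anyone who merely learns its ARN. The role also needs its own S3 permissions (the policy from section 1.3); the user does not.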
\\
Enter the specified user's Access Key and Secret together with the Assume Role ARN; CrushFTP uses them to assume the role and works with the temporary credentials it receives for S3 access. Before configuring CrushFTP, you can verify the setup with the same user's keys by running `aws sts assume-role --role-arn arn:aws:iam::XXXXX:role/AssumeRoleS3 --role-session-name crushftp-check`: success returns temporary credentials, while an AccessDenied error means the user policy or the role's trust policy is incomplete.\\
\\
[attachments|assume_role_vfs_settings.png]\\
\\