Create an external AWS S3 connection

Create an external S3 connection when you want to use your own AWS S3 bucket.

Creating an external S3 connection involves a four-step wizard: Connection Type, S3 Bucket, IAM Role, and Validate.

  • Create an IAM role for this setup. You do not need to create an IAM user.
  • You do not need to generate AWS access keys. Zuora uses AWS STS AssumeRole with temporary credentials.
  • Use the IAM role name, trust policy, and permissions policy shown in the Zuora UI when you configure the role in AWS.
  • The external ID is generated during setup and is unique for the connection.
  1. Navigate to Mediation > Meters.
  2. Click the Manage Connections button at the top of the page.
    The Manage Connections window is displayed and lists all existing connections with the connection details.
  3. Click Create New to create a new connection.
  4. From the list of connection types, select AWS S3.
  5. Under Choose AWS S3 Type, select Bring your own S3 bucket and click Continue.
  6. On the S3 Bucket step, provide the bucket configuration:
    1. Connection Name (required) – unique name for the S3 connection.
    2. AWS Account ID (required) – must contain exactly 12 numeric digits.
    3. Bucket Name (required).
    4. Region (required) – select from the drop-down list.
    5. Base Path (optional) – must not start with "/" and must not contain "..".
    6. Click Save & Continue to go to the IAM Role step.
  7. On the IAM Role step, the window displays instructions and IAM details that you use to configure the role in AWS.
    Copy the IAM role name, trust policy, and permissions policy shown in the UI and use them when you create the role in AWS.
    1. Follow the instructions and complete the steps in your AWS environment.
      The window also displays:
      • IAM Role Name (system-generated, do not modify) – the role name that Zuora expects for this connection.

      • Trust Policy – a JSON policy document to use as the role's trust relationship in AWS.

      • Permissions Policy – a JSON policy document that grants access to the configured S3 bucket.

      Example trust policy:

      Use the trust policy shown in the Zuora UI for your connection. This example shows the expected structure only. Replace the placeholders in this example with the exact values shown in the UI.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "<Zuora AWS principal shown in the UI>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": "<External ID shown in the UI>"
              }
            }
          }
        ]
      }

      Do not modify the AWS account IDs, external ID, or generated role name shown in the Zuora UI.

      Example permissions policy:

      Use the permissions policy shown in the Zuora UI for your connection. This example shows the expected structure only. Replace the placeholders in this example with the exact values shown in the UI.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "<S3 bucket action shown in the UI>",
              "<S3 object action shown in the UI>"
            ],
            "Resource": [
              "<S3 bucket ARN shown in the UI>",
              "<S3 object ARN shown in the UI>"
            ]
          }
        ]
      }

      Do not modify the generated policy values shown in the Zuora UI. The Zuora UI pre-populates the correct resource ARN values for your connection.

    2. After completing the steps in your AWS environment, select the checkbox confirming that you have completed the instructions.

      Zuora accesses your bucket by assuming this IAM role. Zuora can access only the buckets and objects that are allowed by the role policy. Each connection has its own external ID, and the trust policy's sts:ExternalId condition requires that ID before the role can be assumed.

    3. Click Continue to go to the Validate step.
  8. On the Validate step, click Validate.

    During validation, Zuora attempts to assume the configured IAM role and list files in the bucket to confirm that the connection is correctly configured.

    If validation succeeds, a Validation Successful message is displayed, stating that all checks have passed and the S3 bucket is properly configured and ready to activate. The Activate Connection button becomes available.

    If validation fails, a Validation Failed message indicates that Zuora was unable to access the S3 bucket with the provided IAM role and instructs you to review the configuration. The Activate Connection button remains disabled and a Revalidate button is available so that you can fix the configuration and run validation again.

  9. After validation succeeds, click Activate Connection.

The connection status changes from Draft to Active and the S3 connection appears as active in the Connections list.
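
The check below is an added example, not part of Zuora's documentation or tooling: it inspects the trust and permissions policy JSON attached to the role in AWS and reports where they are looser than the structure shown on the IAM Role step. The function names, the sample principal ARN and the sample external ID are constructed placeholders, and the bucket ARN assumes the standard aws partition.

```python
import json

def _listify(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, principal, external_id):
    """Findings for a role trust policy; an empty list means it is as strict as expected."""
    findings = []
    allows = [s for s in _listify(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        who = stmt.get("Principal")
        aws = _listify(who.get("AWS", [])) if isinstance(who, dict) else [who]
        if aws != [principal]:
            findings.append(f"unexpected principal: {aws}")
        if _listify(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        # Condition key names are case-insensitive in IAM, so normalise them.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if _listify(equals.get("sts:externalid", [])) != [external_id]:
            findings.append("sts:ExternalId condition missing or different")
    return findings

def check_permissions_policy(policy, bucket):
    """Findings for Allow statements that reach beyond the one configured bucket."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"  # assumption: standard 'aws' partition
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _listify(stmt.get("Action", [])):
            if action.lower() == "s3:*" or not action.lower().startswith("s3:"):
                findings.append(f"wildcard or non-S3 action: {action}")
        for res in _listify(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"resource outside bucket: {res}")
    return findings

# Constructed sample: a trust policy that lost its Condition block during editing.
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"}]}""")

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST, "arn:aws:iam::111111111111:root", "example-external-id"))
```

Run it against the role's trust relationship and attached policy as stored in AWS, passing the principal, external ID and bucket name exactly as shown in the Zuora UI.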