Create AWS S3 connections in meters
The AWS S3 connection type in the Manage Connections window lets you register AWS S3 buckets that can be used by meters in Zuora Mediation.
S3 connections allow meters to read from and write to AWS S3 buckets, using cross-account IAM role assumption so that no long-lived access keys are stored in Zuora.
You can either use a Zuora-managed S3 bucket, which requires no configuration on your side, or connect your own AWS S3 bucket for full control over data residency and compliance.
A single S3 connection can be used by multiple meters. Configure the bucket, region, and optional base path in the S3 connection, and configure the folder path in each meter source. If you need to read from different S3 buckets, create a separate S3 connection for each bucket.
The following rules apply when you create or activate S3 connections:
-
Required fields: Connection Name, AWS Account ID, Bucket Name, and Region must be provided; missing required fields result in validation errors in the form.
-
The AWS Account ID must contain exactly 12 numeric digits.
-
The Base Path must not start with
/and must not contain.. -
Connection names must be unique; creating an S3 connection with a duplicate name returns an error.
-
A Zuora-managed S3 connection can only be created once. After one is created, the Zuora-managed S3 option is disabled.
-
If validation fails during activation, an error message is displayed and the connection is not activated until validation succeeds.
For Zuora-managed S3 connections, Zuora uses its own infrastructure bucket and automatically sets the connection to ACTIVE upon creation. Zuora-managed S3 connections cannot be updated or deleted, and data is stored under a Zuora-managed path of the form <zuora-bucket>/<environment>/mediation-tenant-data/<tenantId>/.
How S3 connections are used in meters
Meters reference S3 connections by name on S3 source and sink tasks. For S3 source tasks, meters read files from the configured bucket and region, using file paths that are relative to the connection's basePath.
If you store different file types in different folders in the same bucket, you can usually use a single S3 connection. Set the common folder prefix as the connection base path, then configure each meter with the folder suffix for its own S3 source path.
If you need to read from different buckets, create separate S3 connections.
Supported input file formats are JSON, CSV, Avro, and Parquet, and source tasks can also run in incremental or streaming mode for continuous file monitoring. For S3 sink tasks, meters write output files to the same bucket and base path defined on the connection.
IAM role setup concepts
The following terms are used in the IAM role setup:
| Term | What it means |
|---|---|
| IAM Role | An AWS identity with specific permissions. Zuora assumes this role to access your S3 bucket. |
| Trust Policy | Defines who is allowed to assume the role. You grant trust to Zuora's AWS accounts. |
| Permissions Policy | Defines what the role can do. You grant S3 read/write access to your specific bucket. |
| External ID | A unique identifier that helps prevent confused deputy attacks. Zuora generates this during connection setup. |
| AssumeRole | The AWS API call Zuora uses to obtain temporary credentials for your bucket. |