Amazon S3 Bucket Endpoint

An Amazon S3 Bucket Endpoint connects Finout to a specific S3 bucket in your AWS account. Once configured, the endpoint can be reused across multiple Finout features that read from or write to S3 — including telemetry imports, billing data, and Data Exporter.

Each endpoint is scoped to a single bucket and a single permission mode, which you choose at creation time.

Choose Your Endpoint Mode

Before creating the endpoint, decide which permission mode fits your use case. The mode determines which IAM permissions Finout needs and which Finout features the endpoint can support.

Mode | What Finout can do | Use this for
Read Only | Read objects from the bucket | Telemetry imports, billing data ingestion, any feature that consumes data you've placed in S3
Read and Write | Read and write objects in the bucket | Data Exporter — Finout writes daily Parquet files to your bucket

A single endpoint cannot switch between modes after creation. If you need both modes against the same bucket, create two endpoints with different prefix paths.

Prerequisites

Before creating an Amazon S3 Bucket Endpoint, make sure you have:

  • An S3 bucket in your AWS account

  • Permission to create an IAM role and attach an inline policy in that AWS account

  • The AWS region of your bucket

Step 1 — Obtain the External ID from Finout

The External ID is generated by Finout and is required when you create the IAM role in AWS. It ensures only Finout can assume the role on your behalf.

  1. In Finout, navigate to Settings → Endpoints.

  2. Click Add Endpoint, then select Amazon S3.

  3. Under Bucket Access, choose the mode you decided on:

    • Read Only — for telemetry, billing, and other read-from-S3 use cases

    • Read and Write — for Data Exporter

  4. Copy the External ID. You will paste it into the AWS console in the next step.

Keep this Finout window open. You will return to it in Step 3 to enter the Role ARN and bucket details.

Step 2 — Create the IAM Role and Policy in AWS

The IAM role grants Finout scoped access to your bucket. The trust policy uses the External ID from Step 1, and the inline policy controls exactly what Finout can do.

Create the role

  1. In the Account ID field, enter the AWS Account ID associated with the S3 bucket.

  2. Select Require external ID and paste the External ID you copied from Finout.

  3. Click Next until you reach the review screen.

  4. Name the role and create it. You can use any name; just remember it for the next step.

  5. Open the newly created role and copy the Role ARN. You will paste it into Finout in Step 3.

Suggested role names — pick the one that matches your endpoint mode so it's clear what the role is for:

  • Read Only: Finout-S3-ReadOnly-Role

  • Read and Write: Finout-DataExporter-Role

Attach the inline policy

  1. In the role page, click Add permissions and select Create inline policy.

  2. Select the JSON tab.

  3. Paste the policy that matches your endpoint mode:

Use this policy if your endpoint is for telemetry, billing data, or other read-from-S3 features. Replace BUCKET_NAME with your bucket name:

  4. Click Next until you reach the review screen.

  5. Name the policy (for example, finout-s3-access-policy) and click Create policy.
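
A pre-attachment check for the inline policy, as an added example that is not Finout's published policy or code: it flags wildcard actions, actions the chosen endpoint mode does not need, and resources outside the bucket and prefix. The per-mode action sets, the bucket name example-finout-bucket and the function names are assumptions.

```python
# Added example: audit an inline policy before attaching it to the role.
# The per-mode action sets are assumptions, not Finout's published policy.
ALLOWED = {
    "read_only": {"s3:getobject", "s3:listbucket"},
    "read_write": {"s3:getobject", "s3:listbucket", "s3:putobject", "s3:deleteobject"},
}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def audit_inline_policy(policy, mode, bucket, prefix=""):
    """Return findings; an empty list means every grant stays inside bucket/prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}*"
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
            continue
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in ALLOWED[mode]:  # action names are case-insensitive
                findings.append(f"statement {i}: {action} is not needed for {mode}")
        for resource in as_list(stmt.get("Resource", [])):
            # Strict on purpose: only the bucket ARN and the prefix ARN pass.
            if resource not in (bucket_arn, object_arn):
                findings.append(f"statement {i}: {resource} is outside {object_arn}")
    return findings

# Constructed sample policies for a hypothetical bucket "example-finout-bucket".
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED_READ_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-finout-bucket"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-finout-bucket/exports/*"}]}

if __name__ == "__main__":
    for name, doc in (("TOO_BROAD", TOO_BROAD), ("SCOPED_READ_WRITE", SCOPED_READ_WRITE)):
        for mode in ("read_only", "read_write"):
            result = audit_inline_policy(doc, mode, "example-finout-bucket", "exports/")
            print(name, mode, result or "in scope")
```

Auditing the read-and-write sample as read_only reports the two write actions, which is the mismatch to catch when a role is reused for the wrong endpoint mode.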

Step 3 — Add the Endpoint in Finout

Return to the Add Amazon S3 Bucket Endpoint page in Finout and fill in the bucket details.

  1. Fill in the following fields:

Field | Value
Endpoint Name | A descriptive name for this endpoint
Description | An optional description
Bucket Access | The mode you chose in Step 1 (Read Only or Read and Write)
Role ARN | The ARN of the IAM role you created in Step 2
Bucket Name | The name of your S3 bucket
S3 Path Prefix (optional) | A folder path inside the bucket where Finout should read or write
Region | The AWS region of your bucket

  2. Click Test Endpoint. Finout verifies the connection by reading from the bucket — and, for Read and Write endpoints, by writing and deleting a test file.

  3. Click Add Endpoint.

The endpoint is now available for use across Finout features that support S3.

Using the Endpoint

Once created, the endpoint can be selected from any Finout feature that reads from or writes to S3:

  • Telemetry — for importing telemetry data from a Read Only endpoint

  • Data Exporter — for daily Parquet exports to a Read and Write endpoint

A single endpoint can be reused across multiple features, as long as they all use the same permission mode. To use the same bucket for both reading and writing, create two endpoints with different prefix paths — one in each mode.

FAQs

Can I use the same S3 bucket for multiple endpoints?

Yes. You can point multiple endpoints at the same bucket, as long as the prefix paths don't conflict. This is the recommended approach if you need both Read Only and Read and Write access to the same bucket.

Why does the IAM role need an External ID?

The External ID prevents the confused deputy problem — it ensures only Finout, acting on your behalf, can assume the role. Each Finout account has a unique External ID.
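
A check that the role's trust policy actually enforces the External ID, as an added example that is not Finout's code: it reports statements that allow sts:AssumeRole without an exact sts:ExternalId match or with a wildcard principal. The External ID value, the account ID 111122223333 and the function names are constructed placeholders.

```python
# Added example: check that a role's trust policy enforces the External ID.
def as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return list(value) if isinstance(value, list) else [value]

def audit_trust_policy(trust_policy, expected_external_id):
    """Return findings for every statement that lets a principal assume the role."""
    findings = []
    for i, stmt in enumerate(as_list(trust_policy["Statement"])):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            findings.append(f"statement {i}: any AWS principal may assume the role")
        # Condition keys are case-insensitive; only an exact StringEquals match passes.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid", []))
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match the expected value")
    return findings

# Constructed samples: placeholder principal and External ID, not real values.
EXTERNAL_ID = "example-external-id-0000"
PRINCIPAL = {"AWS": "arn:aws:iam::111122223333:root"}
NO_CONDITION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": PRINCIPAL, "Action": "sts:AssumeRole"}]}
WITH_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": PRINCIPAL, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

if __name__ == "__main__":
    for name, doc in (("NO_CONDITION", NO_CONDITION), ("WITH_EXTERNAL_ID", WITH_EXTERNAL_ID)):
        print(name, audit_trust_policy(doc, EXTERNAL_ID) or "External ID enforced")
```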

Can I edit an endpoint after creating it?

Not at the moment. If you need a different configuration, create a new endpoint. Contact your customer success manager or [email protected] if you need assistance.

What happens if my IAM role's permissions change after the endpoint is created?

Finout will fail to read from or write to the bucket on the next operation.
