POST /v1/connectors/s3
Create S3 Connector
curl --request POST \
  --url https://api.example.com/v1/connectors/s3 \
  --header 'Content-Type: application/json' \
  --data '
{
  "credential_name": "<string>",
  "role_arn": "<string>",
  "bucket_uri": "<string>",
  "expected_bucket_owner_account_id": "<string>",
  "connector_type": "s3"
}
'
{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "credential_name": "<string>",
  "created_at": "<string>",
  "updated_at": "<string>",
  "verified_bucket_uri": "<string>",
  "verified_role_arn": "<string>",
  "verified_bucket_owner_account_id": "<string>",
  "verified_account": "<string>",
  "verified_warehouse": "<string>",
  "verified_database": "<string>",
  "verified_schema_name": "<string>",
  "verified_server_hostname": "<string>",
  "verified_http_path": "<string>",
  "verified_catalog": "<string>"
}

Headers

authorization
string | null
refresh-token
string | null

Body

application/json

POST /v1/connector -- S3 credential variant.

The customer creates an IAM role in their AWS account whose trust policy allows the OuterProduct shared principal under the condition sts:ExternalId == <this org's external_id> (fetched from GET /v1/account/aws-setup). The server probes the role by calling sts:AssumeRole with the caller's external_id, then issuing head_bucket / list_objects_v2 against bucket_uri with ExpectedBucketOwner == expected_bucket_owner_account_id. The credential row is only inserted if the probe succeeds; role_arn, bucket_uri and expected_bucket_owner_account_id are stored on the row as the validated target so console.op can show "validated against X" per credential. No AWS keys are accepted or stored.

credential_name
string
required

Unique-per-user name for this credential entry.

role_arn
string
required

Full ARN of the customer's IAM role. Must trust the OuterProduct shared principal under sts:ExternalId == <this org's external_id>.

Pattern: ^arn:aws:iam::[0-9]{12}:role/.+$
bucket_uri
string
required

Full s3://bucket[/prefix] URI the server probes after assuming the role. Stored on the row as the validated target.

expected_bucket_owner_account_id
string
required

12-digit AWS account ID that owns the target bucket. Passed as ExpectedBucketOwner on every S3 op to reject a misdirected role that points at someone else's bucket.

Pattern: ^[0-9]{12}$
connector_type
string
default: s3
Allowed value: "s3"
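
The trust-policy and field requirements described in this Body section, as a pre-flight check a customer could run before calling the endpoint. This is an added example, not OuterProduct's code or its server-side probe. The function names, the bucket_uri regex, the principal ARN and the external_id value are assumptions or placeholders; the real principal and external_id come from GET /v1/account/aws-setup.

```python
import re

# Patterns for role_arn and the owner account ID are the ones documented on this page.
ROLE_ARN = r"^arn:aws:iam::[0-9]{12}:role/.+$"
OWNER_ID = r"^[0-9]{12}$"
BUCKET_URI = r"^s3://[^/]+(/.*)?$"  # assumption: one reading of s3://bucket[/prefix]

def as_list(v):
    return v if isinstance(v, list) else [v]

def request_problems(body):
    """Field-level checks on a create-connector body before it is sent."""
    rules = {"role_arn": ROLE_ARN, "bucket_uri": BUCKET_URI,
             "expected_bucket_owner_account_id": OWNER_ID}
    return [f"{k} is missing or malformed" for k, pat in rules.items()
            if not re.fullmatch(pat, str(body.get(k, "")))]

def trust_policy_problems(policy, shared_principal, external_id):
    """Reasons a role trust policy does not match the setup described above.
    Only statements that name the principal ARN explicitly are examined."""
    problems, trusted = [], False
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if (stmt.get("Effect") != "Allow" or shared_principal not in aws
                or "sts:AssumeRole" not in as_list(stmt.get("Action", []))):
            continue
        trusted = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid", []))
        if not ids:
            problems.append("shared principal trusted without an sts:ExternalId condition")
        elif ids != [external_id]:
            problems.append("sts:ExternalId is not exactly this org's external_id")
    if not trusted:
        problems.append("no Allow statement lets the shared principal call sts:AssumeRole")
    return problems

# Constructed sample data; the principal ARN and external_id are placeholders.
PRINCIPAL = "arn:aws:iam::111111111111:role/EXAMPLE-shared-principal"
EXTERNAL_ID = "EXAMPLE-external-id"
STMT = {"Effect": "Allow", "Principal": {"AWS": PRINCIPAL}, "Action": "sts:AssumeRole"}
GOOD = {"Statement": [dict(STMT, Condition={"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})]}
OPEN = {"Statement": [STMT]}  # same role without the ExternalId condition
BODY = {"role_arn": "arn:aws:iam::222222222222:role/connector-read",
        "bucket_uri": "s3://example-bucket/exports",
        "expected_bucket_owner_account_id": "222222222222"}

if __name__ == "__main__":
    print(request_problems(BODY), trust_policy_problems(GOOD, PRINCIPAL, EXTERNAL_ID))
    print(trust_policy_problems(OPEN, PRINCIPAL, EXTERNAL_ID))
```

The OPEN policy is the case the ExternalId condition exists to prevent: because the principal is shared, a role that trusts it unconditionally has nothing tying an AssumeRole call to one particular org.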

Response

Successful Response

Returned by POST / GET endpoints.

The verified_* fields surface the probe target the credential was validated against at create time. Exactly one set of fields is populated per response, matching connector_type:

  • s3: verified_bucket_uri + verified_role_arn + verified_bucket_owner_account_id
  • snowflake: verified_account + verified_warehouse + verified_database + verified_schema_name
  • databricks: verified_server_hostname + verified_http_path + verified_catalog + verified_schema_name

id is the stored credential's identifier — the value referenced as connector_credential_id on a connection config and as connector_id in the per-type delete route (DELETE /connectors/{type}/{connector_id}).

id
required
credential_name
string
required
connector_type
enum<string>
required

Supported external data source types for user-owned credentials.

Available options:
s3,
snowflake,
databricks,
file_upload
created_at
string
required
updated_at
string
required
verified_bucket_uri
string | null
verified_role_arn
string | null
verified_bucket_owner_account_id
string | null
verified_account
string | null
verified_warehouse
string | null
verified_database
string | null
verified_schema_name
string | null
verified_server_hostname
string | null
verified_http_path
string | null
verified_catalog
string | null