Configuring AWS S3 Blob Storage in Qlik SaaS (Qlik Cloud Services, Qlik Sense Business)
This document reviews how to set up a connection to an AWS S3 bucket using Qlik SaaS (Qlik Cloud Services and Qlik Sense Business).
AWS S3 Setup:
Navigate to the S3 Service and create a bucket
Specify a name (which must be globally unique) and select the desired region.
Note: It is highly recommended to leave the default Block all public access setting in place. Qlik SaaS does not require a public bucket, and using a public bucket is considered extremely risky from a data security perspective.
AWS IAM Configuration
Since Qlik SaaS uses IAM user accounts to connect to S3, we will create an IAM user who will have full control over the S3 bucket. An optional configuration, outlined later, creates an IAM user who has only read rights to the bucket. This shows the ability of Qlik SaaS to inherit granular IAM rights to buckets. For example, creating read and read/write users who are scoped to departments is possible and encouraged in Qlik SaaS.
Navigate to the IAM Service in the AWS Console
Create a user. The Access Type should be set to Programmatic access so that the account has an access key and secret key.
We will apply permissions at the bucket level, so continue through Permissions.
Tags are optional, so configure them if they are used in your AWS tenant.
Copy both the Access Key and Secret Key
Navigate to the newly created user’s record in IAM and copy the User ARN
AWS S3 Configuration
Navigate to the Properties panel of the S3 bucket and copy the bucket's ARN
Navigate to the S3 bucket’s Permissions configuration and edit the Bucket Policy. An example broad policy which permits full access to all files in the bucket can be adapted from this schema:
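As an added illustration (not the policy from the original article or from Qlik), the following bucket policy shows a full-access statement for one IAM user next to read-only statements for a second user, with listing granted on the bucket ARN and object reads on the objects under it. The account ID, user names and bucket name are constructed placeholders to be replaced with the User ARN and bucket ARN copied in the steps above; which S3 actions Qlik SaaS itself requires is not stated on this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleFullAccessUser",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/EXAMPLE-full-access-user" },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME",
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
      ]
    },
    {
      "Sid": "ExampleReadOnlyUserList",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/EXAMPLE-read-only-user" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
    },
    {
      "Sid": "ExampleReadOnlyUserGet",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/EXAMPLE-read-only-user" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    }
  ]
}
```

Each statement names a specific IAM user ARN as its Principal rather than a wildcard, so the grant stays consistent with the Block all public access setting recommended earlier.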