AWS storage

Before you begin

Please ensure you have the following details ready to configure your AWS S3 storage (your AWS administrator should be able to provide these if you don’t have them):

  • Access Key*
  • Secret Key*
  • Bucket Name
  • Region
  • End Point
    *Note: You can use iconik managed credentials instead of the Access and Secret keys. These are automatically generated based on your iconik domain ID.

If you are setting up a third-party bucket, we strongly recommend that you read our knowledge base article Controlling Costs, as using iconik with third-party buckets may incur costs for you.

Permissions

The access key you use needs to have the necessary permissions on the bucket content, and on the bucket itself, to be able to set the CORS settings.

Example:

{
    "Version": "2012-10-17",
    "Id": "Policy12345576",
    "Statement": [
        {
            "Sid": "Stmt123456",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/demoUser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::iconik-demo",
                "arn:aws:s3:::iconik-demo/*"
            ]
        }
    ]
}

Granular Permissions

In the event that you cannot open the entirety of your bucket for security reasons, here is a more granular set of bucket policies that will provide basic functionality for uploads/downloads, transfers, scans, and deletes.

{
    "Version": "2012-10-17",
    "Id": "Policy1665193826690",
    "Statement": [
        {
            "Sid": "Stmt1665193792269",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/demoUser"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:RestoreObject"
            ],
            "Resource": "arn:aws:s3:::iconik-demo-s3-file/*"
        },
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/demoUser"
            },
            "Action": [
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutBucketCORS",
                "s3:GetAccelerateConfiguration"
            ],
            "Resource": "arn:aws:s3:::iconik-demo-s3-file"
        }
    ]
}

Here we see that the following permissions should apply to the bucket contents:

  • s3:DeleteObject - To delete files.
  • s3:GetObject - To read and retrieve files.
  • s3:PutObject - To write files.
  • s3:RestoreObject - To restore files from Glacier archive buckets.

While these permissions should apply to the bucket itself:

  • s3:GetBucketCORS - To read the CORS policy on the bucket.
  • s3:GetBucketLocation - To read bucket region.
  • s3:ListBucket - To list the bucket; also used as part of HeadObject requests.
  • s3:PutBucketCORS - To set the CORS policy on the bucket. This can be removed once the CORS policy is set on the bucket.
  • s3:GetAccelerateConfiguration - To obtain the Acceleration configuration set on the bucket. This is only required if the Acceleration setting is enabled.
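
The check below is an added example, not iconik's own code. It compares the Allow statements of a bucket policy with the granular action set listed above and reports wildcard grants, actions that are missing, and actions that are no longer needed. The function name `audit_policy` and its `cors_is_set` and `acceleration` parameters are hypothetical; the sample policies are reduced copies of the two policies on this page.

```python
# Action sets copied from the granular policy on this page.
OBJECT_ACTIONS = {"s3:DeleteObject", "s3:GetObject", "s3:PutObject", "s3:RestoreObject"}
BUCKET_ACTIONS = {"s3:GetBucketCORS", "s3:GetBucketLocation", "s3:ListBucket",
                  "s3:PutBucketCORS", "s3:GetAccelerateConfiguration"}

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket, cors_is_set=False, acceleration=False):
    """Hypothetical helper: compare Allow statements with the page's granular set.
    Deny, NotAction, NotResource and Condition elements are not evaluated."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = {bucket_arn + "/*": {a.lower() for a in OBJECT_ACTIONS},
              bucket_arn: {a.lower() for a in BUCKET_ACTIONS}}
    if cors_is_set:        # page: removable once the CORS policy is set
        needed[bucket_arn].discard("s3:putbucketcors")
    if not acceleration:   # page: only required if Acceleration is enabled
        needed[bucket_arn].discard("s3:getaccelerateconfiguration")
    granted = {arn: set() for arn in needed}
    wildcard_arns, findings = set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for res in as_list(stmt.get("Resource", [])):
            for action in as_list(stmt.get("Action", [])):
                if "*" in action:
                    wildcard_arns.add(res)
                    findings.add(f"WILDCARD {action} on {res}")
                elif res not in needed:
                    findings.add(f"UNEXPECTED_RESOURCE {res}")
                else:
                    granted[res].add(action.lower())  # IAM action names are case-insensitive
    for arn, want in needed.items():
        findings |= {f"NOT_NEEDED {a} on {arn}" for a in granted[arn] - want}
        if arn not in wildcard_arns:  # wildcards are not expanded, so skip the missing check
            findings |= {f"MISSING {a} on {arn}" for a in want - granted[arn]}
    return sorted(findings)

# Reduced copies of the two policies above (Version, Id, Sid, Principal omitted).
BROAD = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::iconik-demo", "arn:aws:s3:::iconik-demo/*"]}]}
GRANULAR = {"Statement": [
    {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
     "Resource": "arn:aws:s3:::iconik-demo-s3-file/*"},
    {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
     "Resource": "arn:aws:s3:::iconik-demo-s3-file"}]}

if __name__ == "__main__":
    print(audit_policy(BROAD, "iconik-demo"))
    print(audit_policy(GRANULAR, "iconik-demo-s3-file", cors_is_set=True))
```

Findings are reported with lowercased action names because the comparison is case-insensitive.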

Roles

These are the iconik roles that are needed:

  • Owner
  • read storage
  • write storage
  • reindex storage

Where to connect the storage

  1. Click on ADMIN in the top navigation.
  2. Choose Storages from the left navigation bar.
  3. In the + Connect Storage section, select the AWS option from the list of available storages.

Connecting your AWS S3 Storage

To successfully connect your AWS S3 storage to iconik, fill out the required fields presented in the guided step-by-step wizard. You can expand the Help pop-out for more context as you complete each step.

Step 1 - Setup

  1. Enter the purpose of the storage you’re connecting:
     • Files: stores all file types except keyframes and proxies.
     • Keyframes: stores only keyframes generated by iconik.*
     • Proxies: stores only proxies generated by iconik.*
     • Exports: will be used as a destination for export jobs.
     • Archive: will be used as an archive destination.
     *Note: Adding your own keyframe and proxy storages will incur an additional monthly cost.
  2. Enter a unique name for your storage that will be easily recognizable for yourself and your team.
  3. Optional - enter a brief description of what this storage is used for.
  4. Enable or disable the available options:
     • Read: this will allow iconik to read files on the storage.
     • Write: this will allow iconik to write files to the storage.
     • Delete: this will allow iconik to delete files on this storage. If this is enabled, files deleted from iconik will also be deleted from this storage.
     • Add unique ID to filename: this will allow iconik to add a unique ID to each file within the storage, to avoid filename duplication.
  5. Select “Next” to continue.

Step 2 - Credentials

  1. Optional - instead of adding the Access and Secret Key, you can toggle on the option to use iconik managed credentials that will be automatically generated for you.
  2. Enter the Access Key for the AWS S3 storage you want to connect.
  3. Enter the Secret Key for the AWS S3 storage you want to connect.
  4. Enter the name of the AWS S3 storage bucket you want to connect.
  5. Enter the Region where the bucket is located.*
  6. Enter the Endpoint for your bucket.*
     *Note: If your storage address is https://s3.eu-central-1.amazonaws.com/bucketname then your Region will be eu-central-1 and your Endpoint will be https://s3.eu-central-1.amazonaws.com.
  7. Optional - update the following fields based on the storage bucket you are connecting:
     • If bucket acceleration is enabled on your AWS S3 storage, toggle this on. If you are not sure, leave it off; the setting can be changed later.
     • If the storage bucket has object lock enabled and therefore a default retention period set, toggle this on. If you are not sure, leave it off; the setting can be changed later.
  8. For file or archive storages, choose whether you will enable the ability for iconik to scan for new files on the storage.
     • Optional - if Scan is enabled, you can enter specific scan directories to limit scanning to those directories only.
     • Recommended - if Scan is enabled, you can enable the Collection Directory Mapping toggle. This will automatically mirror the folder structure within your directory to a collection structure within iconik.
     *Note: You can customize the scan settings after the storage is connected.
  9. Optional - select any of the transcoders that iconik provides or that have been set up previously by your team.
  10. Select “Verify” to continue.

Step 3 - Verification

iconik will verify the credentials that you have provided.

If verification is successful, please complete the process by selecting “Connect” and reviewing the storage settings. There may be some additional customization that you want to complete.

If verification is not successful, you can use the “Back” button to visit the previous steps and update the highlighted fields. If you’re making changes outside of iconik and want to run the verification process again, please choose “Retry”.

Next steps

Once you have successfully connected your AWS S3 storage, review the available storage and scan settings to ensure that its configuration is optimized for your workflows.

Read next >> editing AWS S3 Storages