How to use App Connect with IBM Cloud Object Storage S3

IBM Cloud Object Storage S3 is a highly available, durable, and secure platform for storing unstructured data.

The following information describes how to use App Connect to connect IBM Cloud Object Storage S3 to your other applications.

Supported product and API versions

To find out which product and API versions this connector supports, see Detailed System Requirements on the IBM Support page.

Connecting to IBM Cloud Object Storage

Select the appropriate authorization method for the type of authentication that your IBM Cloud Object Storage S3 service instance uses. For more information, see What to consider first.

  • If your service instance uses IBM Cloud® Identity and Access Management (IAM) authentication, select Provide credentials for App Connect to use (BASIC IAM) and provide the following connection details.
    • Endpoint URL is the Cloud Object Storage service endpoint URL (public only) for your location or region.
    • API key is the API key for the Cloud Object Storage service ID.
    • Resource instance ID is the unique identifier for the Cloud Object Storage instance.
  • If your service instance uses HMAC credentials for authentication, select Provide credentials for App Connect to use (BASIC) and provide the following connection details.
    • Endpoint URL is the Cloud Object Storage service endpoint URL (public only) for your location or region.
    • Secret access key is the secret access key of the instance.
    • Access key ID is the access key ID of the instance.
    • Region is the region of the instance.
    • API key is the API key of the instance if the service instance uses the Identity and Access Management (IAM) authentication.
    • Resource instance ID is the resource instance ID of the instance if the service instance uses the Identity and Access Management (IAM) authentication.
Tip: For a connection to IBM Cloud Object Storage S3, you can access buckets that are specific to the location (or region) of the endpoint URL that you specified. For example, if you connect to the us-geo location (such as the Endpoint URL s3.us.cloud-object-storage.appdomain.cloud), you can access buckets that are listed with the us-geo location on the Buckets page of your IBM Cloud Object Storage instance. If you want App Connect to access buckets from more than one location, create a separate connection for each location.
  • The following example shows completed fields to connect from App Connect by using IAM authentication.
    Figure 1. Example of IBM Cloud Object Storage connection details
You can find the connection values on the Endpoint and Service credentials pages for the service instance in IBM Cloud.
  1. Log in to IBM Cloud.
  2. From the IBM Cloud Dashboard, click the Cloud Object Storage service instance that you want to work with.
  3. To view the endpoint URLs, click Endpoint and select your preferred location or region.
    • If your service instance uses IAM authentication, copy and paste your preferred public endpoint (for example, s3.us.cloud-object-storage.appdomain.cloud) into the App Connect Endpoint URL field.
    • If your service instance supports HMAC authentication, copy and paste your preferred public endpoint (for example, s3.us.cloud-object-storage.appdomain.cloud) into the App Connect Endpoint URL field. Then, copy and paste your preferred location or region (for example, us-geo) into the App Connect Region field.
      Figure 2. IBM Cloud Object Storage service endpoints page
  4. To view the service credentials, click Service credentials and expand the list of credentials. (To define new credentials to use, click New credential.)
    • If your service instance uses IAM authentication, copy the apikey value and paste it into the App Connect API key field. Then, copy the resource_instance_id value and paste it into the App Connect Resource instance ID field.
      Figure 3. IBM Cloud Object Storage credentials page
    • If your service instance supports HMAC authentication, copy the cos_hmac_keys/secret_access_key value and paste it into the App Connect Secret access key field. Then, copy the cos_hmac_keys/access_key_id value and paste it into the App Connect Access key ID field.
      Note: To get the Secret access key and Access key ID values, you must first create a credential with the option to generate HMAC credentials. (When you add a credential, specify {"HMAC":true} in the Add Inline Configuration Parameters (Optional) field.)

      For more information about creating and managing service credentials, see 'Service credentials' in IBM Cloud Docs / Cloud Object Storage.

      Figure 4. IBM Cloud Object Storage service credentials tab

To connect to an IBM Cloud Object Storage S3 endpoint from the App Connect Designer Connect > Applications and APIs page (previously the Catalog page) for the first time, expand IBM Cloud Object Storage S3, then click Connect. For more information, see Managing accounts.

Tip:

Before you use the account that is created in App Connect in a flow, rename the account to something meaningful that helps you to identify it. To rename the account on the Applications and APIs page, select the account, open its options menu (⋮), then click Rename Account.

What to consider first

Before you use App Connect Designer with IBM Cloud Object Storage, take note of the following considerations:

  • IBM Cloud Object Storage S3 accounts that are created in a Cloud environment support a claim check. See the following table for claim check limits for each authorization method.
    Table 1. IAM and BASIC claim check limits
    Authorization methods   File download (MB)   File upload (MB)
    IAM                     50                   50
    BASIC                   50                   10
    Restriction: Claim check is not supported for IBM Cloud Object Storage S3 accounts in a container environment.
  • For the following ACL actions, the IAM resource access policy for your IBM Cloud Object Storage instance needs to have the Manager role.
    Bucket
    • Create custom ACL for bucket
    • Create standard ACL for bucket
    Object
    • Create custom ACL for object
    • Create standard ACL for object
    • Retrieve ACLs for objects
    The IAM resource access policy is defined for the service credentials that are used to connect to the service instance. You can check and configure the access policy in Service IDs.
    1. In the Service IDs list, click the name for the IAM API key of your service credentials. You can identify the correct row by comparing its description to the iam_api_key_description value of your service credentials.

      This step displays the Service ID page for the service credentials.

    2. On the Service ID page, select the Access policies tab. The Role column includes Manager.
      To add the Manager role, click the existing role to edit the access policy for the service credentials, select the Manager checkbox, then click Save. The Service ID page is shown with the Manager role in the Role column.
      The Service ID page, displaying the roles assigned for a service credential
  • (General consideration) You can see lists of the trigger events and actions that are available on the Applications and APIs page of the App Connect Designer.

    For some applications, the events and actions depend on the environment and whether the connector supports configurable events and dynamic discovery of actions. If the application supports configurable events, you see a Show more configurable events link under the events list. If the application supports dynamic discovery of actions, you see a Show more link under the actions list.

  • (General consideration) If you are using multiple accounts for an application, the set of fields that is displayed when you select an action for that application can vary for different accounts. In the flow editor, some applications always provide a curated set of static fields for an action. Other applications use dynamic discovery to retrieve the set of fields that are configured on the instance that you are connected to. For example, if you have two accounts for two instances of an application, the first account might use settings that are ready for immediate use. However, the second account might be configured with extra custom fields.

Events and actions

IBM Cloud Object Storage S3 events

These events are for changes in this application that trigger a flow to start completing the actions in the flow.

Note: Events are not available for changes in this application. You can trigger a flow in other ways, such as at a scheduled interval or at specific dates and times.

IBM Cloud Object Storage S3 actions

Your flow completes these actions on this application.

Bucket
Create bucket
Retrieve all buckets
Retrieve buckets
Create standard ACL for bucket
Create custom ACL for bucket
CORS
Create CORS configuration for bucket
Retrieve CORS configuration for buckets
Delete CORS configuration for bucket
Object
Create object
Retrieve all objects
Retrieve objects
Download object
Create standard ACL for object
Create custom ACL for object
Update object
Delete object
Retrieve ACLs for objects
Retrieve objects by marker
Search objects
Retrieve object by prefix and delimiter

Examples


Use templates to quickly create flows for IBM Cloud Object Storage S3

Learn how to use App Connect templates to quickly create flows that complete actions on IBM Cloud Object Storage S3. For example, go to the Discover page and search for IBM Cloud Object Storage S3.
