
Enable Access to S3 and AWS Resources

If you plan to use S3 as the default storage environment, the following sections outline the AWS configuration prerequisites and requirements.


This section should be shared with your S3 administrator, who can provide the required information.

AWS Overview

Below are the AWS objects that are required for S3 setup.

AWS object



AWS account


To create these objects as part of the setup process, you must have an AWS account. For more information, see

Valid email address


To validate your registration for a new workspace, you must have a valid email address to which the product can deliver the registration email.

Choice: cross-account role access or key-secret access


To integrate with your existing S3 resources, you must choose a method of authentication. Choices:

  • cross-account role: This method uses IAM roles to define the permissions used by the product for S3 access.


    This method is recommended.

  • key-secret access: This method uses IAM access keys to provide S3 access.

IAM policy


An IAM (Identity and Access Management) policy is an AWS resource used to define the low-level permissions for access to a specific resource. The product can use an IAM policy with either access method.

For more information, see "Create policy to grant access to S3 bucket" below.

cross-account role access: IAM role


An IAM role contains one or more IAM policies that can be used to define the set of available AWS services and the level of access to them for a user. In this case, the user is the Cloud Portal.

key-secret access: AWS key-secret


An older AWS access method, the key-secret combination is essentially a username and password combination for one or more S3 buckets.

S3 bucket


S3 (Simple Storage Service) is a cloud-based file storage system hosted in AWS. An S3 bucket contains your data files and their organizing folders.

S3 bucket: encryption


For better security, your S3 bucket may be encrypted, which means that the data is stored inside of S3 in a way that is not human-readable.


The product can optionally integrate with encrypted S3 buckets. The following S3 encryption methods are supported: sse-s3 and sse-kms.


If None is selected here, AWS S3 still applies server-side encryption to the bucket without impact to cost or performance. For more information, see


If your bucket is encrypted with sse-kms, additional configuration is required. See "Update policy to accommodate SSE-KMS if necessary" below.

For more information on your bucket's encryption, please contact your S3 administrator.

S3 bucket: storage location


If needed, you can change the location where results are stored in S3.


The product must have write permission to this location. If you are changing the location from the default, please verify with your S3 administrator that the preferred location is enabled for writing through your access method.

IAM role: Account ID


The account ID is used in the trust policy to specify that the Alteryx AWS account can use your IAM role.


This identifier is provided to you during registration and setup.

IAM role: External ID


The external ID is used in the trust policy to specify that Cloud Portal can use your IAM role only on your behalf.


This identifier is provided to you during registration and setup.
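The account ID and external ID described above both end up in the role's trust policy. The following check is an added example, not code from the product: it verifies that a trust policy lets only the expected account assume the role, and only when the external ID is presented. The account ID, external ID and sample policies are constructed values.

```python
import copy

# Constructed sample values; use the IDs shown to you during registration.
ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def as_list(value):
    """IAM accepts either a single string or a list in most positions."""
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Extract the account from a bare account ID or an IAM ARN."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def check_trust_policy(policy, account_id, external_id):
    """Return findings; an empty list means only `account_id` can assume the
    role, and only when it presents `external_id`."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not (
                actions & {"sts:assumerole", "sts:*", "*"}):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: any principal may assume the role")
            continue
        for p in as_list(principal.get("AWS", [])):
            if account_of(p) != account_id:
                findings.append(f"statement {i}: unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive in IAM.
        ext = {k.lower(): v for k, v in cond.items()}.get("sts:externalid")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif as_list(ext) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match")
    return findings

# Constructed trust policy in the shape the table describes.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
}]}
WEAK = copy.deepcopy(GOOD)  # same role, but the external ID condition is missing
del WEAK["Statement"][0]["Condition"]
```

A role whose trust policy lacks the external ID condition can be assumed by the trusted account on behalf of any of its customers, which is the case the external ID exists to prevent.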

Technical Setup

The following sections should be provided to your AWS administrator for setting up access to these resources, if required.

Create policy to grant access to S3 bucket

To use your own S3 bucket(s) with Cloud Portal, create a policy and assign it to either the user or IAM Role selected to grant access to AWS resources. In this section, you create the policy. Later, it will be applied.

From the AWS Account page, you can use the example policy template as the basis for building your own policy statement.


You should not simply use one of the predefined AWS policies or an existing policy you have as it will likely give access to more resources than required.

Template Notes:

  1. One of the statements grants access to the public demo asset buckets.

  2. Replace <s3-bucket-name> with the name of your default S3 bucket.

  3. To grant access to multiple buckets within your account, you can extend the resources list to accommodate the additional buckets.

For more information, see AWS Account Page.
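The following lint is an added example, not part of the product or its policy template: it flags the problems the notes above warn about, namely wildcard access of the kind predefined policies grant, an unreplaced `<s3-bucket-name>` placeholder, and resources outside an approved bucket list. The bucket name and the action list in the sample policies are constructed; add the demo asset buckets from the template to the allowed set if you keep that statement.

```python
import re

PLACEHOLDER = "<s3-bucket-name>"  # placeholder named in the template notes
ARN = re.compile(r"arn:aws[\w-]*:s3:::([^/]+)(/.*)?")

def as_list(value):
    """IAM accepts either a single string or a list in most positions."""
    return value if isinstance(value, list) else [value]

def lint_s3_policy(policy, allowed_buckets):
    """Return findings for Allow statements that reach beyond `allowed_buckets`."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action.lower() in ("*", "s3:*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for res in as_list(stmt.get("Resource", [])):
            match = ARN.fullmatch(res)
            if PLACEHOLDER in res:
                findings.append(f"statement {i}: placeholder left in {res}")
            elif not match or "*" in match.group(1) or "?" in match.group(1):
                findings.append(f"statement {i}: not scoped to a bucket: {res}")
            elif match.group(1) not in allowed_buckets:
                findings.append(
                    f"statement {i}: unexpected bucket {match.group(1)}")
    return findings

def one_statement_policy(actions, resources):
    """Build a single-statement Allow policy for the samples below."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": resources}]}

# Constructed policies; the action list is illustrative, not the template's.
SCOPED = one_statement_policy(
    ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"])
BROAD = one_statement_policy("s3:*", "*")  # as broad as a full-access policy
UNEDITED = one_statement_policy(
    ["s3:GetObject"], ["arn:aws:s3:::<s3-bucket-name>/*"])

if __name__ == "__main__":
    for name, pol in (("SCOPED", SCOPED), ("BROAD", BROAD), ("UNEDITED", UNEDITED)):
        print(name, lint_s3_policy(pol, {"example-data-bucket"}))
```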

Update policy to accommodate SSE-KMS if necessary

If any accessible bucket is encrypted with SSE-KMS, another policy must be deployed. See

Add policy for Redshift access

If you are connecting to Redshift databases through your workspace, you can enable access by creating a GetClusterCredentials policy. This policy is additive to the S3 access policies. All of these policies can be captured in a single IAM role.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetClusterCredsStatement",
      "Effect": "Allow",
      "Action": ["redshift:GetClusterCredentials"],
      "Resource": ["<redshift-resource-arn>"],
      "Condition": {
        "StringEquals": {
          "aws:userid": "AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}"
        }
      }
    }
  ]
}

For more information on these permissions, see Required AWS Account Permissions.

Whitelist the IP address range of the Alteryx Service, if necessary

If you are enabling any relational source, including Redshift, you must whitelist the IP address range of the Alteryx service in the relevant security groups.


The database to which you are connecting must be available from the Alteryx service over the public Internet.

The IP address range of the Alteryx service is:

For Redshift:

For Redshift, there are two ways to whitelist the IP range, depending on whether you are using EC2-VPC or EC2-Classic (not common).

For details on this process with RDS in general, see

For more information, please contact Alteryx Support.