Amazon S3 File Transfer — Xferity Secure MFT with S3
S3-Compatible Storage
Xferity supports S3-compatible object storage as a transfer endpoint for upload and download flows. This covers AWS S3, MinIO, Cloudflare R2, Backblaze B2, and any other storage system that provides an S3-compatible API.
What S3 is in Xferity
S3-compatible storage is an object API transport. Unlike SFTP or FTPS, it does not use session-based directory browsing — it operates via API calls to list, get, and put objects in a bucket with an optional prefix.
This makes it well-suited for:
- staging files for downstream processing or archiving
- delivering reports or data exports to shared buckets
- picking up files from partners who use cloud storage
- backup and DR staging
Trust model
S3-compatible storage does not use SSH host keys or X.509 peer certificates in the same way as SFTP or FTPS. Trust depends on:
- TLS to the S3 API endpoint (standard HTTPS)
- credentials that authorize access to the specific bucket and prefix
- network access to the endpoint
There is no built-in per-partner message signing model like AS2.
Authentication modes
AWS SDK default credential chain
```yaml
id: reports-bucket
protocol: s3
s3:
  bucket: company-reports-prod
  region: eu-west-1
  prefix: outbound/
  use_default_chain: true
```
When use_default_chain=true, Xferity delegates credential resolution to the AWS SDK, which checks:
- AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
- ~/.aws/credentials file
- EC2 instance metadata (IMDS)
- ECS task role
- IAM role attached to the instance
Use this for IAM-role-based authentication in AWS environments.
Explicit credentials
```yaml
id: partner-exchange-bucket
protocol: s3
s3:
  bucket: partner-exchange-incoming
  region: us-east-1
  prefix: uploads/
  use_default_chain: false
  access_key_id: env:PARTNER_S3_ACCESS_KEY_ID
  secret_access_key: env:PARTNER_S3_SECRET_KEY
```
Use secret references (env:, file:, vault:) for all credential fields.
Custom endpoints (MinIO, LocalStack, R2)
```yaml
id: minio-staging
protocol: s3
s3:
  bucket: staging-files
  region: us-east-1
  endpoint_url: http://minio.internal:9000
  use_default_chain: false
  access_key_id: env:MINIO_ACCESS_KEY
  secret_access_key: env:MINIO_SECRET_KEY
```
Set endpoint_url to override the default AWS S3 endpoint. Required for MinIO, LocalStack, Cloudflare R2, and similar alternatives.
Configuration fields
| Field | Required | Description |
|---|---|---|
| bucket | yes | S3 bucket name |
| region | no | AWS region (e.g. eu-west-1). Required for AWS S3, optional for custom endpoints. |
| prefix | no | Object key prefix. Trailing slash stripped automatically. |
| endpoint_url | no | Custom S3-compatible API endpoint URL. |
| use_default_chain | no | Use AWS SDK default credential chain. |
| access_key_id | no | Access key ID or secret reference. Required if use_default_chain=false. |
| secret_access_key | no | Secret access key or secret reference. Required if use_default_chain=false. |
| session_token | no | Session token or secret reference for temporary credentials. |
Flow example: S3 upload
```yaml
flows:
  reports-to-s3:
    direction: upload
    enabled: true
    target:
      partner: reports-bucket
      path: outbound/daily
    local:
      path: ./storage/reports/outgoing
    files:
      - pattern: "*.csv"
    idempotency_mode: hash
    delete_after_upload: true
    schedule_cron: "0 0 18 * * 1-5"
```
Flow example: S3 download
```yaml
flows:
  partner-files-from-s3:
    direction: download
    enabled: true
    source:
      partner: partner-exchange-bucket
      path: uploads/
    local:
      path: ./storage/partner/incoming
    files:
      - pattern: "*.xml"
    idempotency_mode: hash
    schedule_cron: "0 */30 * * * *"
```
Hardened mode behavior
In hardened mode, S3 credential fields must use secret references:
- access_key_id, secret_access_key, session_token must be env:, file:, or vault: references when set
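
A pre-deployment check for the rules on this page, as an added example (not Xferity's own validation code): it takes an already-parsed partner definition as a dict and reports missing explicit credentials, credential fields that are not secret references, and a non-HTTPS endpoint_url. The function name, treating an absent use_default_chain as false, and the HTTPS check (derived from the trust model section, not a documented hardened-mode rule) are assumptions.

```python
from urllib.parse import urlparse

SECRET_PREFIXES = ("env:", "file:", "vault:")
CREDENTIAL_FIELDS = ("access_key_id", "secret_access_key", "session_token")

def lint_s3_partner(partner, hardened=True):
    """Return findings for one parsed S3 partner definition (hypothetical helper)."""
    if partner.get("protocol") != "s3":
        return ["protocol is not s3"]
    s3 = partner.get("s3") or {}
    findings = []
    if not s3.get("bucket"):
        findings.append("bucket is required")
    endpoint = s3.get("endpoint_url")
    if not endpoint and not s3.get("region"):
        findings.append("region is required for AWS S3")
    # Assumption: an absent use_default_chain is treated as false.
    if not s3.get("use_default_chain", False):
        for field in ("access_key_id", "secret_access_key"):
            if not s3.get(field):
                findings.append(f"{field} is required when use_default_chain=false")
    # Hardened mode: every credential field that is set must be a secret reference.
    if hardened:
        for field in CREDENTIAL_FIELDS:
            value = s3.get(field)
            if value and not str(value).startswith(SECRET_PREFIXES):
                findings.append(f"{field} must be an env:, file: or vault: reference")
    # Added check: the trust model relies on TLS, so flag plain-HTTP endpoints.
    if endpoint and urlparse(endpoint).scheme != "https":
        findings.append("endpoint_url is not https")
    return findings

# The MinIO definition from this page, as a parsed dict.
MINIO_STAGING = {"id": "minio-staging", "protocol": "s3", "s3": {
    "bucket": "staging-files", "region": "us-east-1",
    "endpoint_url": "http://minio.internal:9000", "use_default_chain": False,
    "access_key_id": "env:MINIO_ACCESS_KEY",
    "secret_access_key": "env:MINIO_SECRET_KEY"}}

# Constructed bad input: inline literals instead of secret references.
INLINE_KEYS = {"id": "constructed-bad", "protocol": "s3", "s3": {
    "bucket": "constructed-bucket", "region": "eu-west-1",
    "use_default_chain": False,
    "access_key_id": "CONSTRUCTED-INLINE-ID", "session_token": "CONSTRUCTED-TOKEN"}}

if __name__ == "__main__":
    for partner in (MINIO_STAGING, INLINE_KEYS):
        print(partner["id"], lint_s3_partner(partner))
```

The MinIO definition passes the credential rules but is flagged for its http:// endpoint, which leaves the TLS leg of the trust model unmet.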
Common failures
| Symptom | Likely cause |
|---|---|
| Access denied | Wrong credentials or insufficient IAM policy |
| NoSuchBucket | Wrong bucket name or wrong region |
| 403 on list/get | Policy allows only put, or prefix mismatch |
| Connection refused | Wrong endpoint_url or service not running |
| Credential resolution failed | use_default_chain=false and credentials not set |