Amazon S3
To start receiving these deliveries, you'll need the following details:
- Access key ID
- Secret access key
- S3 bucket name
Once you have this information, you can add it to the S3 integration settings for your project in RevenueCat.
Once you've configured the S3 integration in RevenueCat, allow up to 24 hours before the first file is delivered.
Receive new and updated transactions onlyβ
When configuring the deliveries, you have the option to receive a full export daily or only new and updated transactions from the last export. The first delivery will always be a full export even if this option is selected.
Creating S3 bucketβ
If you don't already have an S3 bucket, you can create one in the AWS console.
Navigate to the S3 dashboard in your AWS console and click Create bucket: https://s3.console.aws.amazon.com/s3/home
Enter a name for your bucket.
revenuecat-s3-bucket-appname
Scroll down to choose the encryption options for your bucket. The default option is fine for most use cases.
If you choose SSE-KMS, you'll need to add the kms:GenerateDataKey
permission to the IAM policy you create in the next step.
Creating Amazon S3 Credentialsβ
The below steps outline how to create an Access Key in your AWS console that RevenueCat will need to complete data deliveries.
1. Create Access Policyβ
You should only give RevenueCat access to the minimum resources necessary. To do this, create a new policy that only allows access to the S3 bucket where you want your deliveries to go.
Navigate to the IAM Policy dashboard in your AWS console and click βCreate policyβ: https://console.aws.amazon.com/iam/home#/policies
In the policy editor, switch to the JSON view and paste in the following code. Be sure to replace revenuecat-deliveries
with the name of your bucket.
- Access Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<YOUR_S3_BUCKET_NAME>"
]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": [
"arn:aws:s3:::<YOUR_S3_BUCKET_NAME>/*"
]
},
// If SSE-KMS encryption is enabled on your S3 bucket, you will also need to add the following policy statement
{
"Sid": "KMSDataKeyGeneration",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:region:account-id:key/key-id" // <-- Replace with your KMS key ARN
]
}
]
}
This policy will allow RevenueCat to list the contents of your bucket, as well as read, write, delete files to it. When you've pasted in the code, click Review policy*.
Finally, give the policy a name and description. Example:
RevenueCatS3Policy_<AppName>
Policy for RevenueCat to deliver Scheduled Data Export data to S3
2. Create IAM Userβ
You'll next need to create an individual user that only has access to the policy you just created in Step 1.
Navigate to the IAM User dashboard in your AWS console and click Add user: https://console.aws.amazon.com/iam/home#/users
Enter a User name and click Next.
RevenueCatS3User_<AppName>
Choose the option to Add user to a group, and click Create group.
Select the Policy name you created from Step 1, and enter a name for the group, then click Create group.
RevenueCatS3UserGroup_<AppName>
Once the group is created, select it and click Next, optionally add any tags to the group.
Review and click Create user.
3. Download Access Credentialsβ
After creating the user, select it from the list of users in the IAM dashboard and click 'Create access key'.
Select 'Other' and click Next.
Download the CSV or enter your access key and secret access key into RevenueCat.
Debuggingβ
Error: The provided ETL credentials or bucket name are incorrect.
Please ensure your IAM policy reflects the correct bucket name. If you've changed the bucket name, you'll need to update the policy to reflect the new name.