AWS S3 Integration

You can configure AS2 Gateway to use an Amazon Web Services (AWS) S3 storage bucket as the point of integration and automation:

  • AS2 Gateway will place incoming files into the bucket, from where you can download them directly.
  • You can submit outgoing files by uploading them to the desired station-partner subpath on the bucket.

Select the AWS S3 menu item to open the S3 integration configuration page. Direct S3 integration is useful when the backend systems that process incoming files run natively on AWS, for example as Lambda functions.

1. AWS S3 Bucket and Access Credentials

AS2 Gateway follows a “bring your own bucket” model. You would create or use your own bucket (in your own AWS account) and grant AS2 Gateway minimal access to write/read its content. The actual content of the bucket is under your own ownership, control, and maintenance schedule.

If you are new to AWS, you can create an account for free and get started quite easily; however if you want AS2 Gateway to provision a bucket for you instead, contact our team for more details.

  1. First create a new bucket on your desired AWS account, and note its region.

    Note: To get started quickly, you can simplify the next step by using any AWS IAM keypair with sufficient permissions (e.g. AdministratorAccess or AmazonS3FullAccess); however it is generally recommended to set up a separate keypair with minimum privileges as described below, especially for production use and automation.

  2. Next, create a security policy as shown below. Replace the text ‘<bucket-name>’ (4 occurrences) with the name of your S3 bucket.
    {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "SaveToas2gateway",
             "Effect": "Allow",
             "Action": [
                 "s3:DeleteObject",
                 "s3:PutObject"
             ],
             "Resource": "arn:aws:s3:::<bucket-name>/as2gateway/*"
         },
         {
             "Sid": "ListAS2send",
             "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::<bucket-name>",
             "Condition": {
                 "StringLike": {
                     "s3:prefix": [
                         "<bucket-name>/AS2/send/*",
                         "AS2/send/*"
                     ]
                 }
             }
         },
         {
             "Sid": "FetchFromAS2send",
             "Effect": "Allow",
             "Action": [
                 "s3:DeleteObject",
                 "s3:GetObject"
             ],
             "Resource": "arn:aws:s3:::<bucket-name>/AS2/send/*"
         }
     ]
    }
    

    Note: You can customize the security policy further if desired.

  3. Then create a user with programmatic access (i.e. having an Access key and Secret Key pair), assigned with the aforementioned policy.
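What the policy above grants and withholds, worked through as an added example (not AS2 Gateway's own code). It uses a simplified model of IAM evaluation; the bucket name `example-as2-bucket`, the station/partner IDs in the checks and the helper `allowing_sid` are assumptions made for the illustration.

```python
import re

BUCKET = "example-as2-bucket"          # constructed placeholder bucket name
ARN = "arn:aws:s3:::" + BUCKET

# The policy from step 2 with <bucket-name> substituted.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SaveToas2gateway", "Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:PutObject"],
     "Resource": ARN + "/as2gateway/*"},
    {"Sid": "ListAS2send", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": ARN,
     "Condition": {"StringLike": {
         "s3:prefix": [BUCKET + "/AS2/send/*", "AS2/send/*"]}}},
    {"Sid": "FetchFromAS2send", "Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:GetObject"],
     "Resource": ARN + "/AS2/send/*"},
]}

def _like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None

def _as_list(item):
    return item if isinstance(item, list) else [item]

def allowing_sid(action, resource, context=None):
    """Sid of the first statement that allows the request, or None (implicit deny).

    Simplified model: Allow statements and StringLike only; no explicit Deny,
    bucket policy or other attached policies are considered.
    """
    context = context or {}
    for stmt in POLICY["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        # A condition key missing from the request does not satisfy StringLike.
        if all(key in context and any(_like(p, context[key]) for p in _as_list(pats))
               for key, pats in conditions.items()):
            return stmt["Sid"]
    return None
```

Under this policy the key pair can write but not read under `as2gateway/`, can read but not write under `AS2/send/`, and can list only with an `AS2/send/` prefix.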

2. Configure S3 bucket and credentials on AS2 Gateway

Now, open the AWS S3 integration page on AS2 Gateway. Provide the plain S3 bucket name (without any s3:// prefix), the region, and the access and secret keys in the page as shown below, and click the Setup AWS S3 button.

By default, S3 integration will be enabled for incoming files (i.e. saving of received files into the bucket). If you also wish to submit outgoing files by means of S3 uploads, you can enable it under the Advanced Options section.

AWS S3 Configuration

AS2 Gateway will first perform a series of S3 operations on your bucket, to ensure that the provided credentials have sufficient permissions to access the bucket. (It will automatically revert/clean up the results after completion.) If any issue is encountered during the access check, AS2 Gateway will flag the error and refuse to proceed. You can then make the necessary changes to the configuration and key-pair permissions and re-submit, so that AS2 Gateway can re-run the check. Once the integration is performed successfully, you will see an output as follows.

AWS S3 Configuration Completed

3. Receiving Incoming Files through S3

After S3 integration, all files received by your AS2 Gateway trading stations will be saved into the S3 bucket, under the following path/prefix pattern:

as2gateway/<station-AS2-ID>/<partner-AS2-ID>/inbox/

Note: This feature requires the inbound integration option to be enabled under Advanced Options of your S3 configuration.

AWS S3 File Path

Note

  • Depending on the Partner type (i.e. test vs production), there may be an extra test/ sub-level after the <partner-AS2-ID>/ fragment.
  • Depending on the folder-structure format selected on the receiving trading station, there may be an extra sub-level or file-name prefix after the inbox/ fragment as can be seen in the example above.

For more details on these variations, check the SFTP folder structure documentation.

4. Submitting/Sending Files through S3

To submit an outgoing file, upload it to the following path in your S3 bucket:

AS2/send/<station-AS2-ID>/<partner-AS2-ID>/

Note: This feature requires the outbound integration option to be enabled under Advanced Options of your S3 configuration.

AS2 Gateway will pick up each file 15 seconds after its last modification time (to allow extra time for slow/large uploads), add it to the queue for sending out as a separate/new message, and remove it from the bucket.

If a file cannot be queued because of an error, AS2 Gateway moves it under as2gateway/<station-AS2-ID>/<partner-AS2-ID>/failed/<failure-timestamp>/ and notifies the relevant trading station owner for further action.

Sending multiple files in one message

You can also submit multiple files as a single message, by uploading all of them under one subdirectory/subpath:

AS2/send/<station-AS2-ID>/<partner-AS2-ID>/<subdirectory>/

In this case, AS2 Gateway will pick up the subdirectory after it has remained in steady state for more than 2 minutes (i.e. no new files were uploaded to the subdirectory during the last 2-minute period).

Please note that if you are sending files to a test-mode partner, the usual test-mode directory structure differences should be applied to all these paths; e.g. for test partners, the partner subpath will be followed by an additional test/ subpath fragment.
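The key layouts from sections 3 and 4, as an added example for a backend such as a Lambda function (not AS2 Gateway's own code). The function names, the station/partner IDs, the sample event and the segment checks in `_segment` are assumptions; the placement of `test/` in the `failed/` path follows the test-mode note above.

```python
import re
from urllib.parse import unquote_plus

# Key layout from this page; "test/" is present only for test-mode partners.
_WRITTEN = re.compile(
    r"as2gateway/(?P<station>[^/]+)/(?P<partner>[^/]+)/(?P<test>test/)?"
    r"(?P<kind>inbox|failed)/(?P<rest>.+)")

def parse_gateway_key(key):
    """Split a key written by AS2 Gateway into its parts; None if it does not fit."""
    m = _WRITTEN.fullmatch(key)
    if m is None:
        return None
    return {"station": m["station"], "partner": m["partner"],
            "test": m["test"] is not None, "kind": m["kind"], "rest": m["rest"]}

def _segment(value, what):
    # Assumption (not a rule from the page): one path segment, no "/" or control
    # characters, not "." or "..", so input cannot redirect the upload elsewhere.
    if not value or value in (".", "..") or re.search(r"[/\x00-\x1f]", value):
        raise ValueError(f"unsafe {what}: {value!r}")
    return value

def build_send_key(station, partner, filename, test=False, batch=None):
    """Key to upload an outgoing file to; files sharing `batch` form one message."""
    parts = ["AS2", "send", _segment(station, "station ID"),
             _segment(partner, "partner ID")]
    if test:
        parts.append("test")
    if batch is not None:
        parts.append(_segment(batch, "subdirectory"))
    return "/".join(parts + [_segment(filename, "file name")])

def inbox_files(event, expected):
    """(key, parts) for received files in an S3 event, for expected pairs only."""
    found = []
    for record in event.get("Records", []):
        key = unquote_plus(record["s3"]["object"]["key"])  # event keys are URL-encoded
        parts = parse_gateway_key(key)
        if (parts and parts["kind"] == "inbox"
                and (parts["station"], parts["partner"]) in expected):
            found.append((key, parts))
    return found

# Constructed S3 event notification (IDs and file names are made up).
SAMPLE_EVENT = {"Records": [{"s3": {"object": {"key": k}}} for k in (
    "as2gateway/ACME/PARTNER1/inbox/order+1.edi",
    "as2gateway/ACME/PARTNER1/test/inbox/order2.edi",
    "as2gateway/ACME/UNKNOWN/inbox/x.edi")]}
```

Filtering on an explicit set of station/partner pairs keeps a handler from processing files that arrive under a subpath it was never meant to serve.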