
Amazon S3 target

Sends events to Amazon S3.

With tmctl:

tmctl create target awss3 --arn <arn> --auth.credentials.accessKeyID <access key> --auth.credentials.secretAccessKey <secret key>

On Kubernetes:


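# Static AWS credentials, referenced by the target below
apiVersion: v1
kind: Secret
metadata:
  name: aws
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: "<AWS Access Key ID>"
  AWS_SECRET_ACCESS_KEY: "<AWS Secret Access Key>"

apiVersion: targets.triggermesh.io/v1alpha1
kind: AWSS3Target
metadata:
  name: triggermesh-aws-s3-test
spec:
  arn: arn:aws:s3:::bucket
  auth:
    credentials:
      accessKeyID:
        valueFromSecret:
          name: aws
          key: AWS_ACCESS_KEY_ID
      secretAccessKey:
        valueFromSecret:
          name: aws
          key: AWS_SECRET_ACCESS_KEY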

When TriggerMesh is running on Amazon EKS, you can authenticate with an IAM role instead of an access key and secret. In this case, TriggerMesh generates a Kubernetes service account for you that uses this IAM role. You can also specify your own service account name: if a service account with that name already exists and is already managed by the TriggerMesh controller, it is reused. Reusing the same service account in this way avoids having to create many STS trust relationships, one for each generated service account.

    roleArn: arn:aws:iam::123456789012:role/dev-role
    serviceAccount: aws-source-sa

For more details on authenticating with AWS, please take a look at our dedicated guide on AWS credentials.
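The STS trust relationship mentioned above, as an added example that is not part of the original TriggerMesh page: a standard EKS IAM-roles-for-service-accounts trust policy attached to the dev-role role and scoped to the single service account aws-source-sa. The account ID, role and service account names come from the snippet above; `<region>`, `<OIDC_ID>` and `<namespace>` are placeholders for your cluster's OIDC provider and the namespace the target runs in.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<OIDC_ID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.<region>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com",
          "oidc.eks.<region>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<namespace>:aws-source-sa"
        }
      }
    }
  ]
}
```

Because the `sub` condition names exactly one service account, every target that reuses aws-source-sa is covered by this one statement, while each separately generated service account would need its own `sub` entry. Keeping the match on `StringEquals` rather than a wildcard pattern keeps other service accounts in the cluster from assuming the role.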

There is an optional toggle flag indicating whether the full CloudEvent should be sent to the S3 bucket. By default, this is disabled, which means only the event payload will be sent.

Accepts events of any type, with a special rule for io.triggermesh.awss3.object.put for which the target will store the payload body regardless of the Discard CloudEvent context attributes setting.

The Amazon S3 bucket key used to store the event is defined by the ce-subject attribute. If ce-subject is not set, the default key will be: ce-type/ce-source/ce-time.

Attributes for the put operation are:

  • type io.triggermesh.awss3.object.put
  • subject: string, the key to use with the assigned bucket for the Target
  • data contains the payload to store

Responds with events with the following attributes:

  • type
  • source arn:aws:s3:..., the S3 bucket's ARN value as configured by the target
  • data contains a JSON response from the Target invocation with the ETag associated with the request

See the Kubernetes object reference for more details.


  • AWS API key and secret
  • ARN for the S3 bucket to store the event

The ARN for the S3 bucket must include the account number and region of a pre-defined access point.

For more information about using Amazon S3, please refer to the AWS documentation.