Skip to main content

Amazon S3

To start receiving these deliveries, you'll need the following details:

  1. Access key ID
  2. Secret access key
  3. S3 bucket name

Once you have this information, you can add it to the S3 integration settings for your project in RevenueCat.

S3 delivery configuration in RevenueCat dashboard

πŸ“˜Allow 24 hours for initial delivery

Once you've configured the S3 integration in RevenueCat, allow up to 24 hours before the first file is delivered.

Receive new and updated transactions only​

When configuring the deliveries, you have the option to receive a full export daily or only new and updated transactions from the last export. The first delivery will always be a full export even if this option is selected.

Creating S3 bucket​

If you don't already have an S3 bucket, you can create one in the AWS console.

Navigate to the S3 dashboard in your AWS console and click Create bucket: https://s3.console.aws.amazon.com/s3/home

Enter a name for your bucket.

Bucket Name
revenuecat-s3-bucket-appname

Scroll down to choose the encryption options for your bucket. The default option is fine for most use cases.

If you choose SSE-KMS, you'll need to add the kms:GenerateDataKey permission to the IAM policy you create in the next step.

Creating Amazon S3 Credentials​

The below steps outline how to create an Access Key in your AWS console that RevenueCat will need to complete data deliveries.

1. Create Access Policy​

You should only give RevenueCat access to the minimum resources necessary. To do this, create a new policy that only allows access to the S3 bucket where you want your deliveries to go.

Navigate to the IAM Policy dashboard in your AWS console and click β€˜Create policy’: https://console.aws.amazon.com/iam/home#/policies

In the policy editor, switch to the JSON view and paste in the following code. Be sure to replace revenuecat-deliveries with the name of your bucket.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<YOUR_S3_BUCKET_NAME>"
]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": [
"arn:aws:s3:::<YOUR_S3_BUCKET_NAME>/*"
]
},
// If SSE-KMS encryption is enabled on your S3 bucket, you will also need to add the following policy statement
{
"Sid": "KMSDataKeyGeneration",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:region:account-id:key/key-id" // <-- Replace with your KMS key ARN
]
}
]
}

This policy will allow RevenueCat to list the contents of your bucket, as well as read, write, delete files to it. When you've pasted in the code, click Review policy*.

Finally, give the policy a name and description. Example:

IAM Policy Name
RevenueCatS3Policy_<AppName>
IAM Policy Description
Policy for RevenueCat to deliver Scheduled Data Export data to S3

2. Create IAM User​

You'll next need to create an individual user that only has access to the policy you just created in Step 1.

Navigate to the IAM User dashboard in your AWS console and click Add user: https://console.aws.amazon.com/iam/home#/users

Enter a User name and click Next.

IAM User Name
RevenueCatS3User_<AppName>

Choose the option to Add user to a group, and click Create group.

Select the Policy name you created from Step 1, and enter a name for the group, then click Create group.

IAM User Group Name
RevenueCatS3UserGroup_<AppName>

Once the group is created, select it and click Next, optionally add any tags to the group.

Review and click Create user.

3. Download Access Credentials​

After creating the user, select it from the list of users in the IAM dashboard and click 'Create access key'.

Select 'Other' and click Next.

Download the CSV or enter your access key and secret access key into RevenueCat.

Debugging​

Error: The provided ETL credentials or bucket name are incorrect.

Please ensure your IAM policy reflects the correct bucket name. If you've changed the bucket name, you'll need to update the policy to reflect the new name.