Connecting to Amazon S3

Derivv Pro uploads to S3 using an IAM access key ID and secret access key that you provision in your AWS account. We never see your AWS console password, and the secret access key is encrypted at rest.

What you need

Before you start, have an AWS user with programmatic access to the bucket you want to use. AWS's own guide is the source of truth and walks you through the console:

• Create an IAM user with programmatic access
• Manage access keys for IAM users

At minimum the IAM policy attached to that user needs s3:PutObject and s3:HeadBucket on the target bucket. AWS's AmazonS3FullAccess managed policy works but is broader than necessary — a least-privilege bucket policy is preferred for production use.

When you create the access key, AWS shows the secret access key exactly once. Save it somewhere safe (a password manager) before closing the dialog.

Filling in the form

In Derivv Pro, choose S3 as the provider and fill in:

• Name — a label you'll recognize later, e.g. Production S3 or Marketing assets bucket. Internal to Derivv Pro.
• Region — the AWS region of your bucket (e.g. us-east-1, eu-west-2). You can find this in the S3 console next to the bucket name.
• Access Key ID — the public half of the IAM access key.
• Secret Access Key — the private half AWS only showed you once.
• Endpoint (optional) — leave blank for AWS. Fill in only for S3-compatible providers (see below).
• Force path style (optional) — leave off for AWS. Turn on if your S3-compatible provider requires path-style URLs instead of virtual-hosted-style.

The bucket itself is not part of the connection — it's chosen on a per-preset basis when you bind a destination. One connection can therefore serve many presets writing to different buckets in the same account.

Click Save, then click Test on the new row to verify the credentials reach AWS.

S3-compatible providers

The same connection works for any S3-compatible service — Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, Wasabi, and so on — by filling in the Endpoint field with the provider's S3 API URL and (for most of them) turning on Force path style.

Consult your provider's documentation for the exact endpoint URL and whether path-style addressing is required.