36 changes: 35 additions & 1 deletion site/docs/getting-started/installation.md
Expand Up @@ -112,7 +112,41 @@ Estuary's data plane IAM user will need the following actions:
* `s3:GetBucketPolicy`

You can apply the policy through the [AWS Console](https://console.aws.amazon.com/s3/) or the `aws` CLI.
The storage mapping dialog provides a ready-to-use policy JSON during connection testing.

:::tip
The storage mapping dialog generates a complete bucket policy with the correct IAM ARNs for all data planes mapped to this bucket. Copy and paste it directly into your bucket's policy configuration — no manual ARN lookup needed.
:::

#### S3 Bucket Encryption

S3 buckets are encrypted with **SSE-S3** (Amazon S3 managed keys) by default, which works with Estuary out of the box.

If your bucket uses **SSE-KMS** (AWS Key Management Service) for default encryption, you must grant Estuary's data plane IAM user permissions on your KMS key. Add the following statement to your [KMS key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html):

```json
{
"Sid": "AllowEstuaryDataPlane",
"Effect": "Allow",
"Principal": {
"AWS": "<data-plane-IAM-ARN>"
},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "*"
}
```

Replace `<data-plane-IAM-ARN>` with your data plane's IAM ARN, found under **Admin > Settings > Data Planes** in the Estuary dashboard.
Welp. I believe we just removed this from the UI. @GregorShear do we want to add data plane service account details back to the data plane table for advanced use cases like this, or are we planning on surfacing the SSE-KMS option when users set up their storage mapping?


Alternatively, you can switch your bucket's default encryption from SSE-KMS to SSE-S3 to avoid managing KMS permissions:

1. In the [AWS Console](https://console.aws.amazon.com/s3/), navigate to your bucket.
2. Go to **Properties** > **Default encryption**.
3. Click **Edit** and change from **AWS Key Management Service key (SSE-KMS)** to **Amazon S3 managed key (SSE-S3)**.
4. Save the change, then retry the connection test in Estuary.

### Azure Blob Storage
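Review bot: The SSE-S3 fallback (the "Alternatively" paragraph and steps 1-4) should state that changing a bucket's default encryption only affects objects written afterwards; objects already encrypted under the KMS key stay KMS-encrypted and still require `kms:Decrypt` on that key to be read, so the connection test in step 4 can pass while reads of existing data fail. Suggest adding a sentence such as "Existing objects remain encrypted with the KMS key; either re-encrypt them or keep the `kms:Decrypt` grant until they have been rewritten," and a short note that SSE-S3 gives up the key-level access control and CloudTrail key-usage logging that SSE-KMS provides, so the trade-off is visible to the reader. Two smaller points on the key-policy statement: `"Resource": "*"` is correct inside a key policy (it means this key), but readers who expect IAM-style resource scoping may find it alarming, so a one-line remark after the block would help; and the grant can be restricted to use through S3 in the bucket's region with a `kms:ViaService` condition rather than letting the principal call the key from anywhere.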
