Skip to main content
Omni delivers content to Amazon S3 using cross-account IAM role assumption. No long-lived AWS credentials are stored — Omni obtains temporary credentials via AWS STS at delivery time.

Requirements

To set up an Amazon S3 delivery, you’ll need:
  • An AWS account with permissions to create IAM roles
  • An S3 bucket to deliver content to (or permissions to create one)

Setup

1

Retrieve Omni's AWS information

  1. Navigate to a published dashboard.
  2. Click File > Deliveries & Alerts. The delivery options will display on the left side of the page.
  3. Click New to create a new delivery.
  4. For Destination, select Amazon S3.
  5. Click the Amazon S3 tab.
At the top of the form, note the following values — you’ll need them to create an IAM role in the next step:
  • Omni Deliverer Role ARN — The identity Omni uses to access your S3 bucket. Copy this value.
  • External ID — Your organization’s unique identifier. This value is the same for all Amazon S3 deliveries in your organization — you only need to configure your IAM trust policy once. Copy this value.
2

Create an IAM permissions policy in AWS

In this step, you’ll create a policy that defines the permissions the Omni IAM role will have to your S3 bucket. You’ll attach this policy to the Omni role in the next step.
  1. Open a new tab in your browser and navigate to the AWS console.
  2. In the AWS Console, navigate to IAM > Policies.
  3. Click Create policy.
  4. In the Policy editor section, click the JSON toggle.
  5. Paste in the following, replacing YOUR-BUCKET-NAME with the name of your S3 bucket:
    Omni S3 policy
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:CreateMultipartUpload",
        "s3:UploadPart",
        "s3:CompleteMultipartUpload",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}
    To restrict uploads to a specific folder in your bucket, change the permission policy resource to arn:aws:s3:::YOUR-BUCKET-NAME/some/prefix/*.
  6. Click Next.
  7. Enter a name for the policy, such as OmniDeliveryPolicy.
  8. Click Create policy.
3

Create an IAM role in AWS

In this step, you’ll create an IAM role for Omni. This will associate the role with Omni’s AWS identity and the permissions policy you created in the previous step, giving Omni access to write to the S3 bucket.
  1. In the AWS Console, navigate to IAM > Roles.
  2. Click Create role.
  3. Select Custom trust policy and paste in the following, replacing the placeholder values with the Omni Deliverer Role ARN and External ID from step 1 of this guide:
    Omni custom trust policy
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<Omni Deliverer Role ARN>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External ID>"
        }
      }
    }
  ]
}
    What’s the External ID for? This prevents confused deputy attacks, ensuring that only your Omni organization can assume this role.
  4. Click Next.
  5. In the list of permissions policies, locate and select the one you created in the previous step.
  6. Click Next.
  7. Enter a name for the role, such as OmniS3DeliveryRole.
  8. Click Create role.
  9. Open the newly created role and copy its ARN — you’ll enter this in Omni in a later step.
4

Configure delivery settings

  1. Navigate back to the Omni tab in your browser. The delivery you started creating in step 1 should still be open.
  2. Fill in the delivery options:
    • Delivery - Select Schedule or Alert.
    • Send - Select the content you want to deliver.
    • Destination - This should already be set to Amazon S3.
    • Name - Enter a name for the delivery.
If creating an alert, use the Alert tab to define the conditions that must be met to trigger the delivery. For example, you have a chart that tracks the Total sales for your ecommerce company. Using an alert, you can trigger a delivery when the total of your sales has changed.
5

Configure the delivery schedule

In this step, you’ll define the cadence for the delivery:
  • For schedules, this determines when Omni will deliver the specified content to the destination
  • For alerts, this tells Omni when to check if the current query results meet the conditions required to send the delivery
Schedules can be defined using the visual options or with cron:
Use the UI options (Daily, Weekly, etc.) to select a time period.By default, schedules are set to send in the local timezone of the delivery creator’s computer. Use the Times are in drop down to change the timezone.
A cron expression is a string that describes the individual details of a schedule:
OrderUnitAllowed valuesAllowed special characters
1minute0-59* , - /
2hour0-23* , - /
3day of month1-31* , - / L W ?
4month1-12 or JAN-DEC* , - /
5day of week1-7 or SUN-SAT* , - / L W ?
6yearany* , - /
Using cron, you can create schedules like the following:
At 9:00 AM every day
0 9 ? * * *
At 6:30AM on the last day of the month
30 6 L * ? *
At 8:45 AM every day, Monday through Friday
45 8 ? * MON-FRI *
Omni uses Amazon Web Services’ (AWS) syntax for cron expressions. Refer to the AWS documentation for more information. By default, the most frequent you can configure a schedule is hourly.
If your organization has AI enabled, you can use the AI cron generator to create cron expressions from natural language. Click the sparkle icon next to the cron input field and describe your desired schedule, such as “every weekday at 9am” or “first Monday of each month at noon.”
Schedule send timezone may be different than query run timezone. For example, if your Database timezone is UTC with no other timezone conversion settings and you set your schedule to send at 12:00 PM PST, the query will execute at 8:00 PM UTC.Refer to your connection timezone settings for more information.
6

Select format and filter options

In the Dashboard or Chart tab, you can:
  • Select the format of the content, such as PNG, PDF, XLSX, or CSV
  • Lightly customize the contents and layout, such as expanding tables to include up to 1,000 rows, hiding filter values, or arranging tiles in a single column.
  • Set filter or control values for the delivery. Some formats will have additional customization options. PDF formats, for example, will allow you to specify the orientation and page size for the PDF.
For dashboard deliveries, the default filters and controls will automatically be applied upon creation. Subsequent default filter value updates will not change the filter values set for existing deliveries.
You can use filters to customize content for different recipients! For example, set a filter to A in a scheduled delivery to recipient A, and in another scheduled delivery to recipient B, set a filter to B.
7

Configure Amazon S3 settings

Click the Amazon S3 tab and enter the following:
  • IAM role ARNRequired. The ARN of the IAM role Omni will assume to write to your bucket. For example, arn:aws:iam::123456789012:role/OmniS3DeliveryRole.
  • BucketRequired. The name of your Amazon S3 bucket.
  • Optional path — The folder that you want to save your data to, if any. For example, reports/weekly/.
  • File name (without extension) — A custom filename template. Supports Mustache templates like {{currentDate}} and {{scheduledTaskName}}.
  • RegionRequired. The Amazon services region where your S3 bucket is hosted. This must match the bucket’s actual region.
8

Test the delivery

If you want to test the delivery before saving, click the Test Now button in the bottom left corner of the page. This will send the dashboard/chart to the destination using the current settings. For example, using Test Now would send the delivery to all Recipients.
The Test Now button will be unavailable for alerts if the Condition type is Results have changed or Results have stayed the same. A workaround is to use the Send Now option to manually trigger the delivery, which is available once the delivery has been saved.Save the alert and then click the icon to display the Send Now option. This will initiate a check on the alert condition - if the condition isn’t met, the delivery will show as successful but not send anything.
9

Save the delivery

When finished, click Save to create the delivery.

Troubleshooting

If a delivery to Amazon S3 fails, an error email is sent to the delivery owner. The following table describes common errors and how to resolve them:
ErrorResolution
Unable to assume the IAM roleVerify the IAM Role ARN in Omni matches the role you created. Check that the trust policy uses the correct Omni Deliverer Role ARN as the Principal and the correct External ID in the condition. See the Create an AWS IAM role step of this guide for the required information.
Access denied writing to bucketVerify the IAM role’s permission policy includes the required S3 actions (s3:PutObject, s3:CreateMultipartUpload, s3:UploadPart, s3:CompleteMultipartUpload, s3:AbortMultipartUpload) and that the Resource ARN matches your bucket name. See the Create an AWS IAM permissions policy step of this guide for the required information.
Bucket not foundVerify the Bucket name and Region in Omni match the actual S3 bucket. Bucket names are case-sensitive.
Could not connect to S3Verify the Region in Omni matches the AWS region where the bucket was created.