Sign inTry Free

Load Data from Amazon Web Services (AWS) S3

On this page

SingleStore Pipelines can extract objects from Amazon S3 buckets, optionally transform them, and insert them into a destination table. To understand Amazon S3’s core concepts and the terminology used in this topic, please read the Amazon S3 documentation.

Prerequisites

To complete this Quickstart, your environment must meet the following prerequisites:

  • AWS Account: This Quickstart uses Amazon S3 and requires an AWS account’s access key id and secret access key.

  • SingleStore Helios installation –or– a SingleStore Helios workspace: You will connect to the database or workspace and create a pipeline to pull data from your Amazon S3 bucket.

Part 1: Creating an Amazon S3 Bucket and Adding a File

  1. On your local machine, create a text file with the following CSV contents and name it books.txt:

    The Catcher in the Rye, J.D. Salinger, 1945
Pride and Prejudice, Jane Austen, 1813
Of Mice and Men, John Steinbeck, 1937
Frankenstein, Mary Shelley, 1818

  2. In S3 create a bucket and upload books.txt to the bucket. For information on working with S3, refer to the Amazon S3 documentation.

    Note that the aws_access_key_id that your SingleStore pipeline will use (specified in the next section in CREATE PIPELINE library ... CREDENTIALS ...) must have read access to both the bucket and the file.

Once the books.txt file has been uploaded, you can proceed to the next part of the Quickstart.

Part 2: Generating AWS Credentials

To be able to use an S3 bucket within the pipeline syntax, the following minimum permissions are required:

  • s3:GetObject

  • s3:ListBucket

These permissions only provide for read access from an S3 bucket which is the minimum required to ingest data into a pipeline.

There are two ways to create an IAM Policy: with the Visual editor or JSON. Both creation methods require obtaining the Amazon Resource Number (ARN) before the policy is created.

Create an IAM Policy Using the Visual Editor

  1. Log into the AWS Management Console.

  2. Obtain the Amazon Resource Number (ARN) and region for the bucket. The ARN and region are located in the Properties tab of the bucket.

  3. Select IAM from the list of services.

  4. Select Policies under Access Management and select the Create policy button.

  5. Using the Visual editor:

    1. Select the Service link and select S3 from the list or manually enter S3 into the search block.

    2. Select the S3 link from the available selections.

    3. In the Action section, select the List and Read checkboxes.

    4. Under Resources, select the bucket link and select the Add ARN link. Enter the ARN and bucket name and select the Add button.

    5. Under Resources, select the object link and select the Add ARN link. Enter the ARN and object name and select the Add button. If no objects are added under resources, the created policy has access to all objects in the bucket’s root path.

    6. Request conditions are optional.

Create an IAM Policy Using JSON

  1. To use JSON for policy creation, copy the information from following the code block into the AWS JSON tab. Make sure to change the bucket name.

    {
    	"Version": "2012-10-17",
    	"Statement": [{
    		"Sid": "VisualEditor1",
    		"Effect": "Allow",
    		"Action": [
    			"s3:GetObject",
    			"s3:ListBucket"
    		],
    		"Resource": [
    			"arn:aws:s3:::<bucket_name>",
    			"arn:aws:s3:::<bucket_name>/*"
    		]
    	}]
    }

  2. Select the Add tag button if needed and select Next: Review.

  3. Enter a policy name this is a required field. The description field is optional. Select Create policy to finish.

Assign the IAM Policy to a New User

  1. In the IAM services, select Users and select the Add users button.

  2. Enter in a name for the new user and select Next.

  3. Select the Attach policies directly radio button. Use the search box to find the policy or scroll through the list of available policies.

  4. Select the checkbox next to the policy to be applied to the user and select Next.

  5. Select the Create user button to finish.

Create Access Keys for Pipeline Syntax

Access keys must be generated for the new user.

  1. In the IAM services, select Users and select the user name.

  2. Select the Security credentials tab.

  3. In the access keys section, select the Create access key button.

  4. Select the Third-party service radio button and select Next.

  5. Although setting a description tag is optional, SingleStore recommends doing so, especially when multiple keys are needed. Select the Create key button to continue.

  6. Either download a .csv file containing the access and secret key information or copy the credentials directly. Select Done when finished.

  7. Following is the basic syntax for using an access key and a secret access key in a pipeline:

    CREATE PIPELINE <pipeline_name> AS
    LOAD DATA S3 's3://bucket_name/<file_name>'
    CONFIG '{"region":"us-west-2"}'
    CREDENTIALS '{"aws_access_key_id": "<access key id>",
                   "aws_secret_access_key": "<access_secret_key>"}'
    INTO TABLE <destination_table>
    FIELDS TERMINATED BY ',';

If creating or starting S3 pipelines takes approximately 60 seconds, or fails with a subprocess timeout when running outside AWS, or in environments where IMDS is blocked, reduce the value of the subprocess_ec2_metadata_timeout_ms engine variable (for example, to 1000) or explicitly provide CREDENTIALS. New workspaces already set this value to 1 (millisecond) to avoid delays. Refer to Sync Variables Lists for more information.

Warning

If the key information is not downloaded or copied to a secure location before selecting Done, the secret key cannot be retrieved, and will need to be recreated.

Part 3: Creating a SingleStore Database and S3 Pipeline

Now that you have an S3 bucket that contains an object (file), you can use SingleStore Helios or DB to create a new pipeline and ingest the messages.

Create a new database and a table that adheres to the schema contained in the books.txt file. At the prompt, execute the following statements:

CREATE DATABASE books;
CREATE TABLE classic_books
(
title VARCHAR(255),
author VARCHAR(255),
date VARCHAR(255)
);

These statements create a new database named books and a new table named classic_books, which has three columns: title, author, and date.

Now that the destination database and table have been created, you can create an S3 pipeline. In Part 1 of this Quickstart, you uploaded the books.txt file to your bucket. To create the pipeline, you will need the following information:

  • The name of the bucket, such as: <bucket-name>

  • The name of the bucket’s region, such as: us-west-1

  • Your AWS account’s access keys, such as:

    • Access Key ID: <aws_access_key_id>

    • Secret Access Key: <aws_secret_access_key>

  • Your AWS account's session token, such as:

    • Session Token: your_session_token

    • Note that the aws_session_token is required only if your credentials in the CREDENTIALS clause are temporary

Using these identifiers and keys, execute the following statement, replacing the placeholder values with your own.

CREATE PIPELINE library
AS LOAD DATA S3 'my-bucket-name'
CONFIG '{"region": "us-west-1"}'
CREDENTIALS '{"aws_access_key_id": "your_access_key_id", "aws_secret_access_key": "your_secret_access_key", "aws_session_token": "your_session_token"}'
INTO TABLE `classic_books`
FIELDS TERMINATED BY ',';

You can see what files the pipeline wants to load by running the following:

SELECT * FROM information_schema.PIPELINES_FILES;

If everything is properly configured, you should see one row in the Unloaded state, corresponding to books.txt. The CREATE PIPELINE statement creates a new pipeline named library, but the pipeline has not yet been started, and no data has been loaded. A SingleStore pipeline can run either in the background or be triggered by a foreground query. Start it in the foreground first.

START PIPELINE library FOREGROUND;

When this command returns success, all files from your bucket will be loaded. If you check information_schema.PIPELINES_FILES again, you should see all files in the Loaded state. Now query the classic_books table to make sure the data has actually loaded.

SELECT * FROM classic_books;
+------------------------+-----------------+-------+
| title                  | author          | date  |
+------------------------+-----------------+-------+
| The Catcher in the Rye |  J.D. Salinger  |  1945 |
| Pride and Prejudice    |  Jane Austen    |  1813 |
| Of Mice and Men        |  John Steinbeck |  1937 |
| Frankenstein           |  Mary Shelley   |  1818 |
+------------------------+-----------------+-------+

You can also have SingleStore run your pipeline in the background. In such a configuration, SingleStore will periodically poll S3 for new files and continuously them as they are added to the bucket. Before running your pipeline in the background, you must reset the state of the pipeline and the table.

DELETE FROM classic_books;
ALTER PIPELINE library SET OFFSETS EARLIEST;

The first command deletes all rows from the target table. The second causes the pipeline to start from the beginning, in this case, forgetting it already loaded books.txt so you can load it again. You can also drop and recreate the pipeline, if you prefer.

To start a pipeline in the background, run

START PIPELINE library;

This statement starts the pipeline. To see whether the pipeline is running, run SHOW PIPELINES.

SHOW PIPELINES;
+----------------------+---------+
| Pipelines_in_books   | State   |
+----------------------+---------+
| library              | Running |
+----------------------+---------+

At this point, the pipeline is running and the contents of the books.txt file should once again be present in the classic_books table.

Note

Foreground pipelines and background pipelines have different intended uses and behave differently. For more information, see the START PIPELINE topic.

Use Cloud Workload Identity with S3 Pipelines

You can use Cloud Workload Identity instead of static credentials to load data via S3 pipelines.

Perform the following tasks to create an S3 pipeline that authenticates using the cloud workload identity:

  1. Configure delegated entities.

    1. Create an IAM role in your AWS account with the necessary privileges. You can also use an existing IAM role.

    2. Update the IAM role's trust policy to allow the workspace's cloud workload identity to assume the role. Specify the cloud workload identity ARN of the SingleStore workspace.

    Alternatively, create a CloudFormation stack to configure the IAM roles.

  2. Create an S3 pipeline. In the pipeline configuration:

    1. Set creds_mode to eks_irsa in the CONFIG clause.

    2. Specify the IAM role to assume using role_arn in the CREDENTIALS clause. The specified role ARN must match the configured delegated entities for the SingleStore workspace. For example:

      CREATE PIPELINE s3_pipeline AS
      LOAD DATA S3 's3://bucket-name/path/'
      CONFIG '{
        "region": "us-east-1",
        "creds_mode": "eks_irsa"
      }'
      CREDENTIALS '{
        "role_arn": "arn:aws:iam::xxxxxxxx:role/singlestore-s3-pipeline"
      }'
      INTO TABLE table_name
      FIELDS TERMINATED BY ',';

  3. Start the pipeline to ingest data.

    START PIPELINE s3_pipeline;

If delegated entities are not configured, SingleStore pipelines that attempt to use IRSA with a role ARN not present in the delegated entities list fail at runtime.

Use CloudFormation Stack to Configure the IAM Role

Use this CloudFormation Stack template to define the IAM role. Configure the following input parameters for the stack:

Parameter

Description

RoleName

Name of the IAM role that the SingleStore workspace assumes to access the S3 buckets.

Default: SingleStoreS3AccessRole-01

WorkspaceGroupCloudWorkloadIdentities

Comma-separated list of SingleStore workspace's cloud workload identity ARNs that can assume this IAM role.

Note: Do not include a trailing comma (at the end of the list).

BucketNames

Comma separated list of S3 buckets that can be accessed by assuming this role.

Refer to Getting started with CloudFormation for more information.

Next Steps

See About SingleStore Pipelines to learn more about how pipelines work.

In this section

Last modified: January 30, 2026

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK

Try Out This Notebook to See What’s Possible in SingleStore

Get access to other groundbreaking datasets and engage with our community for expert advice.

Sign UpLog In