MOVEit Automation supports multiple authentication methods for Amazon S3 hosts. Each authentication method defines how AWS credentials are obtained, stored, and refreshed at runtime.

MOVEit Automation supports the following Amazon S3 authentication methods. Select the method that best matches where MOVEit Automation is deployed and how authentication to AWS is managed in your environment.

Access Keys

This method uses a static Access Key ID and Secret Access Key. Use this method when MOVEit Automation is running outside AWS or when authentication using an IAM user is required. Access Keys are the only supported authentication method for non-AWS S3 hosts.

AWS Config File

This method uses an AWS configuration file to obtain short‑lived credentials via AWS Security Token Service (STS). Instead of storing secrets directly in MOVEit Automation, it obtains temporary credentials using a named profile in an AWS config file. MOVEit Automation can use multiple profiles from the same config file.

Note: If you use Config File authentication for Amazon S3 hosts in a failover configuration, the AWS config file must exist in the same path on both the primary and secondary nodes.

MOVEit Automation does not replicate external configuration files as part of failover. If the config file is updated, you must manually copy the updated file to both nodes to keep them in sync. You can define a MOVEit Automation scheduled task to accomplish this.

This method supports both script‑based credential generation and certificate‑based authentication using AWS Roles Anywhere. It can also be used to enable a basic IAM Role.

When the AWS Config File authentication method is selected, MOVEit Automation reads the AWS configuration file at runtime to execute the credential_process directive and obtain temporary credentials.

Ensure that:
  • The file path is configured in System Settings.
  • The AWS config file is secured appropriately.
  • The file is accessible to the account under which MOVEit Automation is running.

Use this method when you want to use AWS Roles Anywhere or another AWS credential process.

When MOVEit Automation connects to Amazon S3, it uses a profile defined in an AWS config file. That profile specifies how credentials are obtained, typically by running a script or executable. The credential process returns temporary AWS credentials, which AWS issues as a short‑lived STS token. MOVEit Automation uses this token for S3 access and automatically requests a new token when needed.

If AWS Roles Anywhere is used, the credential process authenticates to AWS using a client certificate instead of access keys. AWS validates the certificate, assumes the configured role, and returns a temporary STS token. MOVEit Automation uses the token in the same way.
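
The following added example (not part of the MOVEit Automation documentation or product) audits an AWS config file for profiles that still hold static keys and validates the JSON a credential process returns. The profile names, file paths and <...> values are constructed placeholders, and the aws_signing_helper command line is an assumed Roles Anywhere setup.

```python
import configparser
import json
from datetime import datetime, timezone

# Constructed samples: profile names, paths and <...> values are placeholders.
SAMPLE_CONFIG = r"""
[profile s3-rolesanywhere]
credential_process = C:\aws\aws_signing_helper.exe credential-process --certificate C:\aws\client.pem --private-key C:\aws\client.key --trust-anchor-arn <trust-anchor-arn> --profile-arn <profile-arn> --role-arn <role-arn>

[profile legacy]
aws_access_key_id = <constructed-key-id>
aws_secret_access_key = <constructed-secret>
"""
SAMPLE_OUTPUT = json.dumps({
    "Version": 1, "AccessKeyId": "<constructed>", "SecretAccessKey": "<constructed>",
    "SessionToken": "<constructed>", "Expiration": "2030-01-01T00:00:00Z"})
EXPECTED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

def audit_profiles(config_text):
    """Map each profile name to how it supplies credentials."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    found = {}
    for section in parser.sections():
        name = section[8:] if section.startswith("profile ") else section
        keys = parser.options(section)
        found[name] = ("credential_process" if "credential_process" in keys
                       else "static_keys" if "aws_secret_access_key" in keys else "other")
    return found

def check_process_output(raw, now=None):
    """List problems in credential_process output; stricter than AWS, which
    treats SessionToken and Expiration as optional (temporary creds have both)."""
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(doc, dict):
        return ["not a JSON object"]
    problems = [] if doc.get("Version") == 1 else ["Version must be 1"]
    problems += [f"missing {key}" for key in EXPECTED if not doc.get(key)]
    try:
        expires = datetime.fromisoformat(str(doc.get("Expiration")).replace("Z", "+00:00"))
        if expires <= now:
            problems.append("credentials already expired")
    except (ValueError, TypeError):
        if doc.get("Expiration"):
            problems.append("Expiration is not a UTC ISO 8601 timestamp")
    return problems
```

Run the credential_process command by hand under the MOVEit Automation service account and pass its standard output to check_process_output to see why a profile fails before involving the AWS CLI.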

Testing the configuration

AWS Config File authentication can use custom scripts, external tools, and certificate‑based authentication. Therefore, it can be helpful to test the configuration outside of MOVEit Automation using the AWS CLI.

Ensure that the AWS_CONFIG_FILE user environment variable is set to point to the location where the MOVEit Automation AWS config file is stored. This will direct the AWS CLI to look at the same config file as MOVEit Automation. If you do not configure this, the AWS CLI defaults to the .aws directory in the current user’s profile.

To verify authentication independently, test the configured profile using the AWS CLI. For example:

    aws s3 ls --profile <profile-name>

Where <profile-name> is the name of the profile defined in your AWS config file.

If the command succeeds, the configuration is valid and can be used by MOVEit Automation.

EC2 Instance Role (IMDS)

When MOVEit Automation is running on an Amazon EC2 instance, it can authenticate to Amazon S3 using an EC2 instance role. MOVEit Automation obtains temporary credentials from the EC2 Instance Metadata Service (IMDS) based on the IAM role assigned to the instance. No credentials are stored in the MOVEit Automation configuration.

MOVEit Automation retrieves credentials from IMDS automatically at runtime and refreshes them as needed. The permissions available are determined by the IAM policy attached to the instance role, which is external to the MOVEit Automation configuration.

MOVEit Automation supports both IMDSv1 and IMDSv2. However, IMDSv2 is strongly recommended, as it provides additional security protections.

Use this method when MOVEit Automation is running on an Amazon EC2 instance.

Permissions guidance

When using EC2 Instance Role authentication, MOVEit Automation requires only a limited set of Amazon S3 permissions. Avoid granting broad permissions such as s3:*, iam:*, or unrestricted cross‑account access unless required.

The instance’s IAM role should be scoped to the minimum permissions necessary for the target bucket or buckets, for example:

  • s3:GetObject, s3:PutObject, s3:DeleteObject — on the specific target buckets
  • s3:ListBucket — on the specific target bucket
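
The following added example (not part of the MOVEit Automation documentation) shows an instance-role policy scoped as described above and a small check that flags Allow statements broader than those four actions, for review before the role is attached. The bucket name is a constructed placeholder, and treating any other action as a finding is this example's assumption, since the page gives the four actions only as an example.

```python
# Constructed policies; "example-transfer-bucket" is a placeholder bucket name.
BUCKET = "arn:aws:s3:::example-transfer-bucket"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # ListBucket applies to the bucket ARN, object actions to bucket/*.
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET + "/*"},
    ],
}
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "iam:*", "s3:PutBucketPolicy"],
                   "Resource": "*"}],
}
ALLOWED = {"s3:getobject", "s3:putobject", "s3:deleteobject", "s3:listbucket"}

def _listify(value):
    # IAM allows Statement, Action and Resource as a single value or a list.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (statement index, finding, value) for over-broad Allow statements."""
    findings = []
    for index, stmt in enumerate(_listify(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _listify(stmt.get("Action", [])):
            if "*" in action:
                findings.append((index, "wildcard action", action))
            elif action.lower() not in ALLOWED:
                findings.append((index, "action outside the page's list", action))
        for resource in _listify(stmt.get("Resource", [])):
            # "*" or an S3 ARN with a wildcard in the bucket part spans buckets.
            bucket = resource.split(":::", 1)[-1].split("/", 1)[0]
            if "*" in bucket:
                findings.append((index, "resource not limited to a bucket", resource))
    return findings
```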