Note that the S3 plugin only supports append write-mode. The (top level) spec section is described in the Destination Spec Reference.
The plugin needs to be authenticated with your account(s) in order to sync information from your cloud setup.
The plugin requires only PutObject permissions (we will never make any changes to your cloud setup), so, following the principle of least privilege, it's recommended to grant it PutObject permissions.
There are multiple ways to authenticate with AWS, and the plugin respects the AWS credential provider chain. This means that CloudQuery will follow the following priorities when attempting to authenticate:
The AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN environment variables.
The credentials and config files in ~/.aws (the credentials file takes priority).
CloudQuery can use the credentials from the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and
AWS_SESSION_TOKEN environment variables (AWS_SESSION_TOKEN can be optional for some accounts). For information on obtaining credentials, see the
AWS guide (opens in a new tab).
To export the environment variables (On Linux/Mac - similar for Windows):
The plugin can use credentials from your credentials and config files in the .aws directory in your home folder.
The contents of these files are practically interchangeable, but CloudQuery will prioritize credentials in the credentials file.
Then, you can either export the AWS_PROFILE environment variable (On Linux/Mac, similar for Windows):
IAM Roles for AWS Compute Resources
The plugin can use IAM roles for AWS compute resources (including EC2 instances, Fargate and ECS containers).
If you configured your AWS compute resources with IAM, the plugin will use these roles automatically.
For more information on configuring IAM, see the AWS docs here (opens in a new tab) and here (opens in a new tab).
User Credentials with MFA
In order to leverage IAM User credentials with MFA, the STS "get-session-token" command may be used with the IAM User's long-term security credentials (Access Key and Secret Access Key). For more information, see here (opens in a new tab).
If you are using a custom S3 endpoint, you can specify it using the endpoint spec option. If you're using authentication, the region option in the spec determines the signing region used.
kind:source# Common source-plugin configurationspec:name:shopifypath:cloudquery/shopifyversion:"v3.1.0"tables:["*"]destinations:["s3"]# Shopify specific configurationspec:backend_options:table_name:"test_state_table"connection:"@@plugins.s3.connection"api_key:"<YOUR_API_KEY_HERE>"api_secret:"<YOUR_API_SECRET_HERE>"shop_url:"https://<YOUR_SHOP>.myshopify.com"# concurrency: 1000
The Shopify plugin supports incremental syncing for event data. This means that only new events will be fetched from Shopify and loaded into your destination. This is done by keeping track of the last event fetched and only fetching events that has been created since then.
To enable this, backend option must be set in the spec (as shown in the example). This is documented in the Managing Incremental Tables section.
In order to fetch information from Shopify, cloudquery needs to be authenticated. Either an API key and password (in the case of basic custom/private apps) or an access token (for OAuth apps) is required for authentication.
Refer to the Shopify Help Center article on Custom apps (opens in a new tab) and create a custom app. Follow Get the API credentials for a custom app section to get the credentials for Admin API and put them in your plugin configuration as api_key and api_secret.
If you have a large or busy store, API key/secret type credentials might not be enough due to the heavy rate limiting. In this case, you can use OAuth in your custom app to get an access token which allow many more requests a second. To use that token in your plugin configuration instead, just set it in access_token and remove api_key and api_secret sections. For more information, refer to Shopify.dev (opens in a new tab) on the subject.