> For the complete documentation index, see [llms.txt](https://v2.dataos.info/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://v2.dataos.info/concepts/resources/secret/data-sources/simple-storage-service-amazon-s3.md).

# Simple Storage Service (Amazon S3)

## Prerequisites

To create a Secret for securing Amazon Simple Storage Service (S3) credentials, you need the following information.

### Source system requirements

* **Access Key ID**: The access key ID used to authenticate AWS requests. Retrieve this from the AWS Management Console under **IAM > Users**, selecting the relevant user, and viewing their **Security Credentials**.
* **AWS Access Key ID**: The AWS-specific access key ID. Retrieve this from the **IAM > Users** section in the AWS Management Console under **Security Credentials**.
* **AWS Secret Access Key**: The secret access key paired with the AWS access key ID. AWS displays this only once when the key is generated. If lost, create a new access key in the **IAM > Users** section under **Security Credentials**.
* **Secret Key**: Another key used for authentication.

## Create a Secret for securing Amazon S3 credentials

S3 is an object storage system. Object stores are distributed storage systems for managing large amounts of unstructured data.

To create an S3 Secret in DataOS, you need access to the DataOS Command Line Interface (CLI) and the required permissions.

### Step 1: Create a manifest file

Create a manifest file with the configuration details for your S3 Secret.

```yaml
name: ${{aws-secret-name}}
version: v2alpha
type: secret
tags:
  - ${{tag-1}}
  - ${{tag-2}}
description: "Credentials for s3 depot"
layer: user
secret:
  type: key-value
  data:
    aws_access_key: ${{s3-aws-access-key}}
    aws_secret_key: ${{s3-aws-secret-key}}
```

For more information about each attribute, refer to the [configurations section.](/concepts/resources/secret/manifest-configuration.md)

### Step 2: Apply the manifest

Use the `apply` command to create the S3 Secret in DataOS.

```bash
dataos-ctl resource apply -f ${{manifest-file-path}}
```

**Example Usage:**

```bash
dataos-ctl resource apply -f secret.yaml

#output
INFO[0000] 🛠 apply... 
INFO[0000] 🔧 applying s3-cred:v1:secret... 
INFO[0004] 🔧 applying s3-cred:v1:secret...created 
INFO[0004] 🛠 apply...complete

```

### Step 3: Validate the Secret

Use the `get` command to verify the S3 Secret in DataOS.

```bash
dataos-ctl resource get -t secret
```

**Expected Output:**

```bash
INFO[0000] 🔍 get... 
INFO[0000] 🔍 get...complete 

 NAME  | VERSION | TYPE | WORKSPACE | STATUS | RUNTIME | OWNER 
-----------------|---------|-----------------|-----------|--------|-----------|------------------------------
 s3-cred | v2alpha | secret | | active | | iamgroottmdcio
```

To list all Secrets in the DataOS environment, run the following command.

```bash
dataos-ctl resource get -t secret -a
```

Expected Output:

```bash
time="2026-03-25T15:34:17+05:30" level=info msg="🔍 resource get..."
time="2026-03-25T15:34:17+05:30" level=info msg="🔍 resource get...complete"

              NAME              | VERSION |  TYPE  | STATUS | RUNTIME |          OWNER
--------------------------------+---------+--------+--------+---------+-------------------------
 s3-cred                       | v2alpha | secret | active |         | iamgroottmdcio
 azureconnection-testing        | v2alpha | secret | active |         | iamgroottmdcio
 azuresecretnilus               | v2alpha | secret | active |         | iamgroottmdcio
 bitbucket-secrets              | v2alpha | secret | active |         | iamgroottmdcio
```

## Delete the Secret

{% hint style="warning" %}
Before deleting a Secret, remove any Resources that depend on it. For example, if a Depot depends on a Secret, deleting the Secret fails until you remove the Depot. The same rule applies to all dependent Resources, such as Workflow, Service, and Worker. The example below shows the error returned when a Resource still depends on the Secret.

**Example usage:**

```bash
dataos-ctl resource delete -t secret -n postgres-cred
time="2026-03-25T15:46:12+05:30" level=info msg="🗑 delete..."
time="2026-03-25T15:46:12+05:30" level=info msg="🗑 deleting postgres-cred:v2alpha:secret..."
time="2026-03-25T15:46:13+05:30" level=info msg="🗑 deleting postgres-cred:v2alpha:secret...error"
time="2026-03-25T15:46:13+05:30" level=warning msg="🗑 delete...error for resource postgres-cred"
time="2026-03-25T15:46:13+05:30" level=error msg="Invalid Parameter - failure deleting tenant resource : cannot delete resource, it is a dependency of 'depot:v2alpha:postgresconnection'"
```

{% endhint %}

To delete the S3 Secret, use one of the following commands:

{% tabs %}
{% tab title="Command 1" %}

```bash
dataos-ctl resource delete -t secret -n ${{secret-name}}
```

{% endtab %}

{% tab title="Command 2 " %}

```bash
dataos-ctl resource delete -i "${{secret-name}}|v2alpha|secret"
```

{% endtab %}

{% tab title="Command 3" %}

```bash
dataos-ctl resource delete -f ${{manifest-file-path}}
```

{% endtab %}
{% endtabs %}

Specify the Resource type and Secret name in the `delete` command.

**Example Usage:**

{% tabs %}
{% tab title="Command 1" %}

```bash
dataos-ctl resource delete -t secret -n testsecret
#output
time="2026-03-25T15:53:55+05:30" level=info msg="🗑 delete..."
time="2026-03-25T15:53:55+05:30" level=info msg="🗑 deleting testsecret:v2alpha:secret..."
time="2026-03-25T15:53:56+05:30" level=info msg="🗑 deleting testsecret:v2alpha:secret...deleted"
time="2026-03-25T15:53:56+05:30" level=info msg="🗑 delete...complete"
```

{% endtab %}

{% tab title="Command 2" %}

```bash
dataos-ctl resource delete -i "testsecret|valpha|secret"
#output
time="2026-03-25T15:55:37+05:30" level=info msg="🗑 delete..."
time="2026-03-25T15:55:37+05:30" level=info msg="🗑 deleting testsecret:v2alpha:secret..."
time="2026-03-25T15:55:37+05:30" level=info msg="🗑 deleting testsecret:v2alpha:secret...deleted"
time="2026-03-25T15:55:37+05:30" level=info msg="🗑 delete...complete"
```

{% endtab %}

{% tab title="Command 3" %}

```bash
dataos-ctl resource delete -f docs\platform-entities\governance-resources\secret\test.yaml
#output
time="2026-03-25T15:53:55+05:30" level=info msg="🗑 delete..."
time="2026-03-25T15:53:55+05:30" level=info msg="🗑 deleting testsecret:v2alpha:secret..."
time="2026-03-25T15:53:56+05:30" level=info msg="🗑 deleting testsecret:v2alpha:secret...deleted"
time="2026-03-25T15:53:56+05:30" level=info msg="🗑 delete...complete"
```

{% endtab %}
{% endtabs %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://v2.dataos.info/concepts/resources/secret/data-sources/simple-storage-service-amazon-s3.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
