S3 Connections let Tessact work directly on the objects that already live in your own S3 bucket. Instead of copying files into Tessact storage, the platform simply links to a bucket and performs reads/writes on demand.

Why connect S3?

  • Single source of truth — Your media remains in S3; Tessact never makes a second copy.
  • Instant availability — Existing libraries become browsable in minutes with zero-copy ingestion.
  • Two-way sync — Upload, rename, or delete in either system, and the change appears in the other within minutes.
  • Enterprise-grade security — All access happens through the temporary, least-privilege AWS credentials you supply.
After you create a Connection in Settings → Connections, you can mount one or more Connected Folders in the Library. Each folder maps 1-for-1 to a selected path within the bucket and stays in continuous sync.
A Connection stores credentials and connectivity settings (account, region, encryption).
A Connected Folder mounts the entire bucket into a Library location with two-way sync.
[Figure: Connections overview (Connections list and New Connection form)]


Prerequisites

  • AWS account with access to the target S3 bucket
  • IAM User access keys scoped to the bucket
  • Bucket Region (e.g., ap-south-1)
  • Least-privilege policy as shown below – Tessact only needs list/read/write on the bucket, not full s3:* access
  • Optional: S3 Object Lock/Versioning for safer deletes, SSE-KMS if you encrypt with a CMK
Generate dedicated access keys for a single-purpose IAM user and rotate them regularly (≤90 days) for best security.

Create a New S3 Connection

  1. Open Connections: navigate to Settings → Connections → New Connection → Amazon S3.
  2. Choose authentication method: select Access Keys.
  3. Enter core settings:
       • Display Name — Human-readable label
       • Region — Exact AWS region (e.g., ap-south-1)
       • Bucket — Name only (no s3:// prefix)
  4. Save: click Create Connection to save the connection.

Connection status shows Active.
[Figure: New S3 Connection form]


Authentication

Tessact currently authenticates to S3 only through an IAM user’s access keys.

Why use an IAM user?

  • Universally supported—no cross-account role required
  • Quick to configure in any AWS account
  • Enforces least-privilege when you attach a restrictive policy
Long-lived keys can be compromised.
  • Rotate keys every 90 days (or sooner).
  • Store the secret only in Tessact’s encrypted vault.
  • Remove unused keys immediately.
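
The rotation and removal rules above, applied to key metadata in the shape that IAM's ListAccessKeys returns. This is an added example, not Tessact or AWS code; `review_access_keys` is a hypothetical helper name, and the user names, key IDs and dates are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation interval stated on the page


def review_access_keys(keys, now, last_used=None):
    """Map each AccessKeyId to the action the page's key-hygiene rules call for.

    keys: list shaped like the AccessKeyMetadata returned by IAM ListAccessKeys.
    last_used: optional {AccessKeyId: datetime or None}; None means the key has
    never been used, as IAM GetAccessKeyLastUsed would report.
    """
    last_used = last_used or {}
    verdicts = {}
    for key in keys:
        key_id = key["AccessKeyId"]
        age = now - key["CreateDate"]
        if key["Status"] != "Active":
            verdicts[key_id] = "remove: inactive"
        elif key_id in last_used and last_used[key_id] is None:
            verdicts[key_id] = "remove: never used"
        elif age > MAX_KEY_AGE:
            verdicts[key_id] = f"rotate: {age.days} days old"
        else:
            verdicts[key_id] = f"ok: {MAX_KEY_AGE.days - age.days} days until rotation"
    return verdicts


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data (placeholder user names and key IDs).
NOW = utc(2025, 6, 1)
SAMPLE_KEYS = [
    {"UserName": "tessact-s3", "AccessKeyId": "KEY-OLD", "Status": "Active", "CreateDate": utc(2025, 1, 15)},
    {"UserName": "tessact-s3", "AccessKeyId": "KEY-NEW", "Status": "Active", "CreateDate": utc(2025, 5, 2)},
    {"UserName": "old-sync", "AccessKeyId": "KEY-INACTIVE", "Status": "Inactive", "CreateDate": utc(2024, 3, 1)},
    {"UserName": "old-sync", "AccessKeyId": "KEY-NEVER-USED", "Status": "Active", "CreateDate": utc(2025, 5, 20)},
]
SAMPLE_LAST_USED = {"KEY-OLD": utc(2025, 5, 31), "KEY-NEW": utc(2025, 5, 31), "KEY-NEVER-USED": None}

if __name__ == "__main__":
    for key_id, verdict in review_access_keys(SAMPLE_KEYS, NOW, SAMPLE_LAST_USED).items():
        print(f"{key_id}: {verdict}")
```

A key created moments ago and not yet entered into Tessact also reports as never used, so run the check after the new key is in service.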

Setup steps

  1. In the AWS console open IAM → Users → Add user.
  2. Tick Programmatic access.
  3. Attach the permissions-policy.json below.
  4. Finish the wizard and copy the Access Key ID and Secret Access Key into Tessact.

Least-privilege S3 policy

permissions-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketList",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::your-bucket"]
    },
    {
      "Sid": "ObjectRW",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": ["arn:aws:s3:::your-bucket/*"]
    }
  ]
}
That’s it—Tessact will now read and write objects only within the bucket.
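
A check to run on the policy you actually attached, as an added example that is not part of Tessact's documentation or tooling: it compares an IAM policy document against the action set and bucket scope of permissions-policy.json above and reports every grant that is broader. The name `audit_policy` and the over-broad sample policy are constructed for illustration.

```python
import json

# Actions granted by the page's permissions-policy.json, grouped by the ARN type
# each must target. IAM action names are case-insensitive, so compare lowercased.
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketlocation"}
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject",
                  "s3:abortmultipartupload", "s3:listmultipartuploadparts"}


def as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return one finding per Allow grant that is broader than the page's policy."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource in an Allow statement")
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()
            if "*" in name or "?" in name:
                findings.append(f"{sid}: wildcard action {action}")
            elif name in BUCKET_ACTIONS:  # must target the bucket ARN itself
                findings += [f"{sid}: {action} on out-of-scope resource {r}"
                             for r in resources if r != bucket_arn]
            elif name in OBJECT_ACTIONS:  # must target keys inside the bucket
                findings += [f"{sid}: {action} on out-of-scope resource {r}"
                             for r in resources if not r.startswith(bucket_arn + "/")]
            else:
                findings.append(f"{sid}: {action} is not in the documented action set")
    return findings


# Constructed sample: an over-broad policy of the kind the page warns against.
BROAD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
  {"Sid": "WrongScope", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:PutBucketPolicy"],
   "Resource": "arn:aws:s3:::your-bucket*"}]}""")

if __name__ == "__main__":
    for finding in audit_policy(BROAD_POLICY, "your-bucket"):
        print(finding)
```

The trailing-wildcard resource `arn:aws:s3:::your-bucket*` is flagged because it also matches any other bucket whose name starts with `your-bucket`.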

Create a Connected Folder

  1. Open Library → New → Connected Folder: from the Library toolbar, select New → Connected Folder.
  2. Select Connection & path:
       • Choose an S3 Connection
       • Pick Path to mount as a Connected Folder
       • Enter a Folder Name for Tessact to display in the Library
  3. Review and create: confirm the 1 : 1 mapping and two-way sync.

Connected Folder appears with an S3 badge; contents index shortly.
[Figure: Connected Folder creation wizard]


Sync Semantics

| Operation in Tessact | Effect in S3 | Notes |
| --- | --- | --- |
| Upload | PutObject at bucket | Multipart for large files |
| Rename/Move | Copy → delete old key | S3 has no atomic rename |
| Delete | DeleteObject | Use Versioning for recovery |
| New object in S3 | Appears in Library | Detected within minutes |
Deletes propagate to S3. Enable Bucket Versioning or test in a non-production bucket before enabling two-way sync on critical data.

Performance & Scaling

  • Multipart uploads optimise files > 100 MB
  • Parallel listing accelerates first-time indexing
  • Back-pressure prevents S3 API throttling during high churn
  • API activity (LIST, GET, PUT, DELETE) incurs normal S3 request and data-transfer charges
Keep key depth predictable (e.g., project/YYYY/MM/DD/shot) for faster listings.

Troubleshooting

Verify the IAM user policy includes ListBucket and Get/Put/DeleteObject. Check bucket Region.
Ensure the IAM user has kms:Decrypt, kms:Encrypt, and related actions on the CMK.
Wait for the next sync cycle; verify that new objects appear in the Library.
S3 can throttle large numbers of consecutive ListObjectsV2 calls. Tessact automatically backs off and retries, but you can improve performance by:
  • Using deeper, date-based prefixes (e.g., project/YYYY/MM/DD/)
  • Splitting very large buckets into several Connected Folders

Your S3 bucket is now connected, and a two-way-synced folder is live in the Library. Upload, edit, and manage assets with full parity between Tessact and S3.