Skip to main content
Version: 1.22.0 (latest)

Configure an Amazon S3 target

You can migrate data to an Amazon Simple Storage Service (S3) bucket by configuring one as a target filesystem.

Follow these steps to create an Amazon S3 target:


You need the following:

  • An S3 bucket hosted on Amazon Web Services.
  • Authentication details for your bucket, depending on your chosen credentials provider. See below for more information.

Configure an Amazon S3 target filesystem in the UI#

  1. Select your Data Migrator product from the Products list in the dashboard.

  2. In the Filesystems panel on the Overview page, select Add Target Filesystem.

  3. Enter the following details:

    • Filesystem Type - The type of filesystem target. Select Amazon S3.

    • Display Name - Enter a name for your target filesystem.

    • Bucket Name - The reference name of your Amazon S3 bucket.

    • Authentication Method - The Java class name of a credentials provider for authenticating with the S3 endpoint.

      The Authentication Method options available include:

      • Access Key and Secret org.apache.hadoop.fs.s3a.SimpleAWSCredentialsProvider

        Use this provider to enter credentials as an access key and secret access key with the following entries:

        • Access Key - Enter the AWS access key. For example, RANDOMSTRINGACCESSKEY.

        • Secret Key - Enter the secret key that corresponds with your Access Key. For example, RANDOMSTRINGPASSWORD.

      • AWS Identity and Access Management com.amazonaws.auth.InstanceProfileCredentialsProvider

        Use this provider if you're running Data Migrator on an EC2 instance that has been assigned an IAM role with policies that allow it to access the S3 bucket.

      • AWS Hierarchical Credential Chain com.amazonaws.auth.DefaultAWSCredentialsProviderChain

        A commonly used credentials provider chain that looks for credentials in this order:

        • Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or AWS_ACCESS_KEY and AWS_SECRET_KEY.
        • Java System Properties - aws.accessKeyId and aws.secretKey.
        • Web Identity Token credentials from the environment or container.
        • Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI.
        • Credentials delivered through the Amazon EC2 container service if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set and the security manager has permission to access the variable.
        • Instance profile credentials delivered through the Amazon EC2 metadata service.
      • Environment Variables com.amazonaws.auth.EnvironmentVariableCredentialsProvider

        Use this provider to enter an access key and a secret access key as either AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or AWS_ACCESS_KEY and AWS_SECRET_KEY.

      • EC2 Instance Metadata Credentials com.amazonaws.auth.InstanceProfileCredentialsProvider

        Use this provider if you need instance profile credentials delivered through the Amazon EC2 metadata service.

      • Profile Credentials Provider com.wandisco.livemigrator2.fs.ExtendedProfileCredentialsProvider

        Use this provider to enter a custom profile configured to access Amazon S3 storage. You can find AWS credential information in a local file named credentials in a folder named .aws in your home directory.

        Enter an AWS Named Profile and a Credentials File Path. For example, ~/.aws/credentials.

      • Custom Provider Class

        Use this if you want to enter a class for the credentials provider.

      • JCEKS Keystore

        This authentication method uses an access key and a secret key for Amazon S3 contained in a Java Cryptography Extension KeyStore (JCEKS). The keystore needs to contain values for the access key and the secret key.

        The access and secret keys are already in the keystore properties file, so you don't need to enter them once you've saved the path.


        You must add the and additional properties when you're using a JCEKS keystore.


        You can't select JCEKS Keystore if you don't have a HDFS target configured. The HDFS resource must exist on the same Data Migrator instance as the Amazon S3 filesystem you're adding.

        • JCEKS HDFS - Select the HDFS filesystem where your JCEKS file is located.

        • JCEKS Keystore Path - Enter the path containing the JCEKS keystore. For example, jceks://hdfs@active-namenode-host:8020/credentials/aws/aws.jceks.


        You must provide an endpoint when using JCEKS for an s3a-vpc type of S3 bucket.

        JCEKS on HDFS with Kerberos - You must add the dfs.namenode.kerberos.principal.pattern configuration property.

        Include the following steps when you add an HDFS source or target with Kerberos:

      1. Under Additional Configuration, select Configuration Property Overrides from the dropdown.

      2. Select + Add Key/Value Pair and add the key dfs.namenode.kerberos.principal.pattern and the value *.

      3. Select Save, then restart Data Migrator.

        The property dfs.namenode.kerberos.principal.pattern provides a regular expression wildcard that allows realm authentication. You need to use this if the realms on your source or target filesystems don't have matching truststores or principal patterns.


        When deleting filesystems with JCEKS authentication configured, delete the Amazon S3 filesystem before the HDFS.

    • S3 Service Endpoint - The Amazon S3 endpoint for your S3 bucket.

    • S3 Properties - Add optional properties to your S3 target as key-value pairs.

  4. Select Save. You can now use your Amazon S3 target in data migrations.

S3a properties#

Enter additional properties for Amazon S3 filesystems by adding them as key-value pairs in the UI or as a comma-separated key-value pair list with the --properties parameter in the CLI. You can overwrite default property values or add new properties.

Default properties#

These properties are defined by default when you add an Amazon S3 filesystem. Overwrite them by specifying their keys with new values in key-value pairs.

  • fs.s3a.impl (default org.apache.hadoop.fs.s3a.S3AFileSystem): The implementation class of the S3a Filesystem.
  • fs.AbstractFileSystem.s3a.impl (default org.apache.hadoop.fs.s3a.S3A): The implementation class of the S3a AbstractFileSystem.
  • fs.s3a.user.agent.prefix (default APN/1.0 WANdisco/1.0 LiveDataMigrator/1.11.6): Sets a custom value that will be pre-pended to the User-Agent header sent in HTTP requests to the S3 back-end by S3aFileSystem.
  • fs.s3a.impl.disable.cache (default true): Disables the S3 filesystem cache when set to 'true'.
  • hadoop.tmp.dir (default tmp): The parent directory for other temporary directories.
  • fs.s3a.connection.maximum (default 120) Defines the maximum number of simultaneous connections to the S3 filesystem.
  • fs.s3a.threads.max (default 150): Defines the total number of threads to make available in the filesystem for data uploads or any other queued filesystem operation.
  • (default 60): Defines the number of operations that can be queued for execution at a time.
  • fs.s3a.healthcheck (Default true): Allows the S3A filesystem health check to be turned off by changing true to false. This option is useful for setting up Data Migrator while cloud services are offline. However, when disabled, errors in S3A configuration may be missed, resulting in hard-to-diagnose migration stalls.

Additional properties#

These additional properties are not defined by default. Add them by specifying their keys with values in key-value pairs.

  • (default disk): Defines how the filesystem will buffer the upload.
  • (default 8): Defines how many blocks a single output stream can have uploading or queued at a given time.
  • fs.s3a.block.size (default 32M): Defines the maximum size of blocks during file transfer. Use the suffix K, M, G, T, or P to scale the value in Kilobytes, Megabytes, Gigabytes, Terabytes, or Petabytes, respectively.
  • fs.s3a.buffer.dir (default tmp): Defines the directory used by disk buffering.
  • Defines the path to the JCEKS keystore, if you're using JCEKS as your credential provider. You must add this parameter if you're using a JCEKS keystore as your credential provider.
  • The ID of a configured HDFS filesystem containing the JCEKS keystore file. You must add this parameter if you're using a JCEKS keystore as your credential provider.

Find an additional list of S3a properties in the S3a documentation.

Upload buffering#

Migrations using an S3 target destination will buffer all uploads. By default, the buffering will occur on the local disk of the system Data Migrator is running on, in the /tmp directory.

Data Migrator will automatically delete the temporary buffering files once they are no longer needed.

If you want to use a different type of buffering, you can change the property You can enter one of the following values:

Buffering OptionDetailsProperty Value
Array BufferBuffers the uploaded data in memory instead of on the disk, using the Java heap.array
Byte BufferBuffers the uploaded data in memory instead of on the disk, but does not use the Java heap.bytebuffer
Disk BufferingThe default option. This property buffers the upload to the disk.disk

Both the array and bytebuffer options may consume large amounts of memory. Other properties (such as may be used to fine-tune the migration to avoid issues.


If you run out of disk space on which to buffer the migration, the migration will stall with a series of errors. To avoid this, ensure the filesystem containing the directory used for buffering (/tmp by default) has enough remaining space to facilitate the transfer.

Next steps#

If you haven't already, configure a source filesystem from which to migrate data. Then, you can create a migration to migrate data to your new S3 target.