You may configure your own connection to an AWS S3 bucket where your generated report data will be stored.

To set this up, the following information is necessary:

  • User Access Key ID
  • Access secret
  • S3 bucket name
  • Region
  • Expiration Limit (in hours) for the Presigned URL - a value between 1 and 168 (optional; defaults to 1 hour if left blank)

How your files are stored and shared

There are two separate operations, and it helps to understand the difference:

  • Storing (upload). When a report runs, PushMetrics writes the generated files (CSV, XLSX, PDF, PNG, etc.) into your bucket using the credentials above. This needs s3:PutObject. Your files stay in your bucket.
  • Sharing (presigned link). When a file needs to be handed to someone who has no AWS access — e.g. an email recipient clicking a download link for an attachment that was too large to send inline — PushMetrics generates a presigned URL: a temporary, signed link that grants read access to that one object for a limited time, then expires. This needs s3:GetObject.

Your bucket can stay fully private. A presigned URL works whether the bucket is public or private — the signature is the access grant. PushMetrics always shares via presigned links and never makes your objects public. The "Expiration Limit" above controls how long those links stay valid.

When does PushMetrics create a presigned (share) link?

Presigned download links are created for events where a file leaves PushMetrics to an external viewer, including:

  • Email attachments that exceed the SMTP size limit — the email embeds a secure download link instead of the file. The link in the inbox stays valid for 14 days, and each click mints a fresh 1-hour presigned URL to the object in your bucket. See Sending Emails → Large attachments & download links.
  • Report exports (CSV, XLSX, PDF, PNG, PPTX) produced by SQL, Tableau, Google Slides, External File, Webhook, Data Source and Document blocks, when those outputs are surfaced as a downloadable link.
  • Viewing/“Test export” of a result inside the PushMetrics UI.

About the Expiration Limit field. This value applies to the presigned URLs PushMetrics generates for internal read access to your bucket (e.g. fetching an export back to attach it). It does not control the email download links — the recipient-facing download endpoint always mints 1-hour links regardless of this setting, and the link in the inbox is governed by its own 14-day window. If the field is left blank, PushMetrics defaults it to the minimum of 1 hour and still creates a presigned link — so a partially completed integration won't accidentally fall back to PushMetrics' own storage.

Make sure your IAM user has s3:GetObject (not just PutObject), otherwise the upload will succeed but share links will fail to open.

Create an IAM user in AWS

  1. In the AWS Console, go to IAM → Users → Create user.
  2. Enter a user name (e.g. pushmetrics-s3).
  3. Attach the AmazonS3FullAccess managed policy (or a scoped-down policy limited to your bucket).
  4. Go to Security credentials → Create access key and select Third-party service as the use case.
  5. Note down the Access Key ID and Secret Access Key. The secret is only shown once.

Note: PushMetrics currently requires IAM user credentials (Access Key ID + Secret Access Key). IAM role assumption is not supported at this time.

Configure the bucket in AWS

  • Create an AWS S3 bucket in a region of your choice.
  • Enable AES256 encryption. If you use AWS KMS (SSE-KMS) encryption instead, you must additionally grant the IAM user kms:GenerateDataKey and kms:Decrypt on the bucket's KMS key — otherwise uploads fail with AccessDenied: kms:GenerateDataKey. S3 permissions alone are not enough for KMS buckets.
  • Add the following bucket policy (replace your-bucket-name with your actual bucket name):
{
  “Version”: “2012-10-17”,
  “Id”: “PushMetricsS3BucketPolicy”,
  “Statement”: [
    {
      “Sid”: “AllowPushMetricsAccess”,
      “Effect”: “Allow”,
      “Principal”: {
        “AWS”: “arn:aws:iam::133737826969:user/pushmetrics”
      },
      “Action”: [
        “s3:GetObject”,
        “s3:PutObject”,
        “s3:ListBucket”
      ],
      “Resource”: [
        “arn:aws:s3:::your-bucket-name/*”,
        “arn:aws:s3:::your-bucket-name”
      ]
    }
  ]
}

Tip: The Principal entry above grants PushMetrics' own AWS user access to your bucket so that PushMetrics can store and retrieve your generated report data. You must also ensure the IAM user you created in the previous step has permission to access this bucket (via the attached IAM policy).