Connect an S3 Bucket to Cashmere

Cashmere can automatically ingest new content from an S3 (or S3-compatible) bucket you own. Once configured, Cashmere connects with a read-only access key you provide, lists new files in your bucket on a daily schedule, parses them, and adds them to your publisher library — no manual uploads required.

This guide walks you through the end-to-end setup. Expect to spend about 5 minutes.

Connecting an S3 bucket is a function only available for Verified Publisher accounts.

If you do not see the S3 Bucket button on the Add Content page, you do not have a Publisher account.

Prerequisites

You'll need:

  1. A bucket containing the files you want ingested. Supported formats: PDF, EPUB, HTML, Markdown, XML. Other types are ignored.
  2. An access key + secret scoped to read that bucket.
  3. About 5 minutes.

We support Amazon S3 and any S3-compatible service (Cloudflare R2, MinIO, Backblaze B2, Wasabi, etc).

How it works

You generate a read-only access key in your provider's console (scoped to a single bucket) and paste it into Cashmere. We never write to your bucket. The secret is encrypted at rest in our database.

You can revoke access at any time by deleting the access key in your provider's console — revocation is immediate.


Path A — Amazon S3

Step 1. Create an IAM user for Cashmere

  1. AWS Console → IAMUsersCreate user.
  2. Name: cashmere-ingest (any name works).
  3. Do not attach permissions yet — click Next, then Create.

Step 2. Attach a minimal read-only policy

  1. Open the new user → Add permissionsAttach policies directlyCreate policyJSON tab.
  2. Paste the following, replacing YOUR_BUCKET_NAME (twice):

json { "Version": "2012-10-17", "Statement": [ { "Sid": "ListBucket", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME" }, { "Sid": "ReadObjects", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*" } ] }

  1. Name the policy cashmere-ingest-readonly and save.
  2. Back on the user, attach it.

Step 3. Generate an access key

  1. IAM user → Security credentialsCreate access keyApplication running outside AWS.
  2. Copy the Access key ID and Secret access key. The secret is shown once — keep this tab open until Step 4 is done.

Step 4. Paste into Cashmere

  1. In Cashmere, go to Add Content → S3 Bucket.
  2. Fill in the form:
Field What to enter
Bucket Name YOUR_BUCKET_NAME
Region e.g. us-east-1 (must match your bucket's region)
Endpoint URL Leave blank (AWS default)
Access Key ID From Step 3
Secret Access Key From Step 3
S3 Prefix (optional) e.g. incoming/ to scope the sync
File Format (optional) Leave Any to ingest everything
  1. Click Save Configuration.
  2. Click Test Connection. You should see Connected — found N object(s).
  3. AccessDenied → your IAM policy doesn't include the bucket.
  4. NoSuchBucket → check the bucket name and region.

Path B — Cloudflare R2

R2 is fully S3-API-compatible; the only differences are the endpoint URL and how you mint the key.

  1. Cloudflare dashboard → R2Manage R2 API TokensCreate API token.
  2. Permissions: Object Read only. Scope to the specific bucket.
  3. Note the Access Key ID, Secret Access Key, and endpoint (https://<account-id>.r2.cloudflarestorage.com).
  4. In Cashmere, fill in the form the same way as Path A but:
  5. Endpoint URL: the R2 endpoint above.
  6. Region: leave blank — Cashmere sends auto, which R2 accepts.
  7. Click Test Connection, then Save.

Path C — MinIO / Backblaze B2 / other S3-compatible

  1. Generate a bucket-scoped read-only access key in the provider's console.
  2. Endpoint URL: the provider's S3 endpoint. Examples:
  3. MinIO: https://minio.example.com
  4. Backblaze B2: https://s3.<region>.backblazeb2.com
  5. Wasabi: https://s3.<region>.wasabisys.com
  6. Region: whatever the provider expects.
  7. MinIO: leave blank.
  8. Backblaze B2: must match the region embedded in the endpoint hostname (e.g. us-west-002).
  9. The rest of the form is identical to Path A.

Verifying the sync

Cashmere runs the S3 sync once per day. On the next scheduled run:

  • New files under your bucket (and optional prefix) will appear in your Cashmere publisher library.
  • The Last Synced timestamp on your S3 Ingest page updates.

To trigger a sync immediately, contact your account representative.

Updating or disconnecting

  • To change the configuration (different bucket, prefix, key, etc.), click Edit on the S3 Ingest page, update the form, and save.
  • To rotate the key, generate a new access key in your provider's console, paste it into the Cashmere config page, save, then delete the old key in your provider's console.
  • To disconnect, delete the access key in your provider's console (immediate revocation), then delete the configuration row in Cashmere.

Security notes

  • The secret access key is encrypted at rest in our database.
  • We never write to your bucket — the IAM policy in Step 2 only grants s3:ListBucket and s3:GetObject.
  • Cashmere's connection uses HTTPS for all S3 API calls.