S3 storage
Last updated
Last updated
[SINCE Orbeon Forms 2024.1.1, 2025.1]
When sending an email using , you can store attachments in an S3 bucket. This is done by setting the s3-store parameter to true and providing the s3-config and s3-path parameters to the action.
is a cloud storage service provided by , but any S3-compatible service can be used, such as , , , and many others.
The following email action parameters are specific to S3 storage:
s3-store: If true, email attachments are stored in an S3 bucket in addition to being sent via email. If false or absent, attachments are only sent via email.
s3-config: Specifies the name of the S3 configuration to use. The S3 configuration properties are described below.
s3-path: Defines the XPath expression used to determine the storage path for attachments. The path is relative to the root of the S3 bucket. It is evaluated against the XML data of the form. If the XPath expression evaluates to an empty string, attachments are stored at the root of the S3 bucket. This expression has the same constraints as .
If s3-config or s3-path are not provided as parameters, the properties oxf.fr.email.s3-config.*.* or oxf.fr.email.s3-path.*.* are used instead.
If a property is not found for the S3 configuration name, default is used as the S3 configuration name.
A default value for the oxf.fr.email.s3-path.*.* property is provided, which uses the app name, form name, etc. to generate a path. It is however recommended to provide a custom path that fits your needs.
An S3 configuration consists of a set of properties that follow the naming convention:
[configuration-name]: The name of the S3 configuration.
[s3-property]: One of the following properties:
endpoint: The S3 endpoint (default: s3.amazonaws.com)
region: The AWS region (e.g. eu-south-1 or us-east-1)
bucket: The name of the S3 bucket.
accesskey: The access key for authentication.
secretaccesskey: The secret access key for authentication.
No default S3 configuration is provided. You must define at least one S3 configuration to use the s3-store parameter.
Your S3 configuration properties could define an S3 configuration named form-submissions-bucket that looks as follows:
With the example path above, the S3 objects would be stored with keys such as:
my-app/my-form/1/2025-03-12T03:43:43.334-07:00-175279c65b1cc95d1b027f3c92c3beebc85c05aa/My form.xml
my-app/my-form/1/2025-03-12T03:43:43.334-07:00-175279c65b1cc95d1b027f3c92c3beebc85c05aa/My form.pdf
my-app/my-form/1/2025-03-12T03:43:43.334-07:00-175279c65b1cc95d1b027f3c92c3beebc85c05aa/user-attachment.jpg
my-app/my-form/1/2025-03-12T03:43:43.334-07:00-175279c65b1cc95d1b027f3c92c3beebc85c05aa/user-attachment.doc
This is a general description of how to get access and secret access keys for AWS. The process will be different for other S3-compatible services.
A simple policy that restricts access to a single bucket might look like the following:
Note that bucket names need to be unique across all of AWS.
You then reference the form-submissions-bucket configuration in an email action, which might look as the example below. This example uses the default value for s3-path; if that default works for you, you can skip this parameter. This example includes only S3-specific parameters, but you may want to add other parameters documented on the page.
You will typically define a policy in that allows access to the S3 bucket. You then create a user in IAM, attach the policy to the user, and generate a new pair of access and secret access keys under "Security credentials" > "Access keys". You can then use these keys in the S3 configuration properties. Alternatively, you can also attach the policy to a user group or a role, and then assign the user to the group or the role.