--- title: Adding an Amazon S3 deployment package store to PingAuthorize description: To use Amazon Simple Storage Service (S3) as your deployment package store, add read access for your S3 bucket to the PingAuthorize Server. component: pingauthorize version: 11.0 page_id: pingauthorize:pingauthorize_server_administration_guide:paz_amazons3_deploy_package canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_amazons3_deploy_package.html revdate: November 25, 2025 section_ids: before-you-begin: Before you begin steps: Steps result: Result: steps-2: Steps next-steps: Next steps --- # Adding an Amazon S3 deployment package store to PingAuthorize To use Amazon Simple Storage Service (S3) as your deployment package store, add read access for your S3 bucket to the PingAuthorize Server. Use the admin console or `dsconfig` to add the Amazon S3 deployment package store. If necessary, review your existing S3 bucket configurations on the S3 dashboard in the Amazon Web Services (AWS) Management Console. ## Before you begin You must create an access key and accompanying secret key for your S3 bucket. Learn more in [Configuring the IAM user](paz_amazon_deployment_store_setup.html#create_amazon_iam_user). * Admin console * dsconfig ### Steps 1. In the PingAuthorize admin console, go to **Configuration > Authorization and Policies > Deployment Package Stores**. 2. Click **New Deployment Package Store**. 3. In the **New Deployment Package Store** modal, select **S3 Deployment Package Store**. 4. Complete the **General Configuration**: 1. Enter a **Name** for the deployment package store. 2. In the **Poll Interval** field, enter a value, in seconds, for how often the Amazon S3 bucket should be polled for changes. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you set the poll interval to `0`, the server won't scan for new packages after initializing the store. The server will only load new deployment packages on restart. | 3. In the **S3 Bucket Name** field, enter the name of your Amazon S3 bucket as shown on the AWS services page. 4. In the **S3 Bucket Prefix** field, enter the S3 bucket prefix. 5. In the **S3 Server Endpoint** field, enter the S3 bucket endpoint. 6. In the **S3 Region Name** field, enter the AWS region for the S3 bucket. 7. Next to the **S3 Access Key ID** field, click **Set Value** and enter the S3 access key ID you copied in [Configuring the IAM user](paz_amazon_deployment_store_setup.html#create_amazon_iam_user). 8. Enter the S3 access key ID value again to confirm and click **OK**. | | | | - | ------------------------------------------------------------------------------------------------ | | | Your access key value isn't displayed after you enter it. The page still displays **Set Value**. | 9. Next to the **S3 Secret Key** field, click **Set Value** and enter the S3 secret key you copied in [Configuring the IAM user](paz_amazon_deployment_store_setup.html#create_amazon_iam_user). 10. Enter the S3 secret key value again to confirm and click **OK**. | | | | - | ------------------------------------------------------------------------------------------------ | | | Your secret key value isn't displayed after you enter it. The page still displays **Set Value**. | 5. If your S3 bucket uses a legacy path-style URL, select the **Enabled** checkbox under **S3 Use Path Style Access**. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Starting with PingAuthorize 11.0, the PingAuthorize Server expects virtual-hosted-style URLs by default when connecting to Amazon S3.Learn more in [Virtual hosting of general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html) in the Amazon S3 documentation. | 6. (Optional) Complete the **Policy Security** configuration. | | | | - | --------------------------------------------------------------------------------------------------------------------------------- | | | If you select **Signed** in the **Deployment Package Security Level** list, you must select a **Deployment Package Trust Store**. | 7. Click **Save**. #### Result: Your Amazon S3 deployment package store is displayed on the **Deployment Package Stores** page. ### Steps * To create an Amazon S3 deployment package store, use the the `dsconfig create-deployment-package-store` command with the following arguments: | Argument | Required | Description | | -------------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `--type ` | Required | Set to `s3`. | | `--store-name: ` | Required | Specifies a unique name for the configuration object. | | `--set poll-interval:""` | Required | Specifies how often, in seconds, the PingAuthorize Server scans the deployment package store for new deployment packages.If you set the poll interval to `0`, the server won't scan for new packages after initializing the store. The server will only load new deployment packages on restart. | | `--set s3-bucket-name:` | Required | Specifies the name of the S3 bucket in AWS. | | `--set s3-bucket-prefix:` | Required | Specifies the prefix value for the S3 bucket. | | `--set s3-server-endpoint:` | Optional | Specifies the S3 service endpoint. | | `--set s3-region-name:` | Optional | Specifies the AWS region for the S3 bucket. | | `--set s3-access-key-id:` | Optional | Specifies the access key ID used to authenticate to the S3 bucket. | | `--set s3-secret-key:` | Optional | Specifies the secret key used to authenticate to the S3 bucket. | | `--set s3-use-path-style-access:true` | Optional | Enables legacy S3 path-style access. Defaults to `false`. Starting with PingAuthorize 11.0, the PingAuthorize Server uses virtual-hosted–style URLs by default when connecting to Amazon S3. Learn more in Virtual hosting of general purpose buckets in the Amazon S3 documentation. | ## Next steps [Configure the PingAuthorize Server to use embedded PDP mode with your deployment package store](paz_config_embedded_pdp.html#config_embedded_dps_store).