# Export data to Amazon S3

Automate recurring data exports from Stripe to your AWS S3 Storage bucket.

Data pipeline can deliver all your Stripe data as Parquet files into your Amazon S3 storage bucket. It includes a directory of files for each table that’s delivered and updated every 3 hours.

[Watch on YouTube](https://www.youtube.com/watch?v=AJu-We2Jhmk)

## Prerequisites

Before starting the integration, make sure you have an active AWS account and permission to:

1. Create an Amazon S3 bucket.
1. Create an IAM role enabling Stripe to create objects in the provisioned bucket.
1. Access the Stripe Dashboard with an admin or developer role.

## Create a bucket

1. Navigate to your [Amazon S3 console](https://s3.console.aws.amazon.com/) in your chosen account region.
1. If needed, create a new storage bucket.
   - If you don’t currently have an S3 bucket, follow the [AWS guidelines for creating your first bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html). We recommend including “stripe” in the name, such as “-stripe-data.”
1. Take note of this bucket name and the region because you’ll need them for future steps.

## Start the onboarding process

1. Visit the [Data Pipeline Dashboard](https://dashboard.stripe.com/settings/stripe-data-pipeline).
1. Click **Get started**.
1. Select Amazon S3.
1. On this permissions step, you see code blocks that you can use to create the IAM role and trust policy.

## Create a new permission policy

To create a new permission policy:

1. In your [AWS IAM console](https://console.aws.amazon.com/iam/), click **Policies** > **Create policy** > **JSON**.
1. Paste in the supplied JSON snippet from the Stripe onboarding step.
1. In the Resource section of the JSON snippet, replace `` with your bucket name.
1. Provide a name for the new policy (for example, `stripe-data-pipeline-policy`).
1. Click **Create Policy**.

## Create a new trust role using a custom policy

To create a new role using a custom policy:

1. In your [AWS IAM console](https://console.aws.amazon.com/iam/), click **Roles** > **Create role** > **Custom Trust Policy**.
1. Paste in the supplied JSON snippet from the Stripe onboarding step.
1. Click **Next**, then select the newly created permission policy from step 4.
1. Save the role with the following name: `stripe-data-pipeline-s3-role`. You must use this exact name.

## Establishing your AWS S3 connection

1. Return to the Stripe Data Pipeline onboarding process.
1. Enter the AWS Account ID, bucket name and region generated in the previous step.
1. Select your data encryption option. If you choose to use a customer managed key, upload your public key. See the [generate encryption keys](https://docs.stripe.com/stripe-data/access-data-in-warehouse/cloud-storage/aws-s3-storage.md#generate-encryption-keys) step to learn how to create one.
1. Click **Next**. Clicking **Next** sends test data to the bucket you provided, but not production data.
1. When you confirm test data delivery, go to your [S3 bucket](https://s3.console.aws.amazon.com/).
1. Open the bucket, go to the **penny\_test** directory and open the **acct\_** or **org\_** prefixed sub-directory to locate the delivered `account_validation.csv` test file.
1. Download the `account_validation.csv` file.
1. Upload this test file in your data pipeline onboarding step.
1. Click **Confirm value**.
1. When you confirm the test value, click **Subscribe**. This subscribes you to the product and schedules the initial full load of data for delivery to your Amazon S3 bucket, a process that can take 6-12 hours.

## Optional: Generate encryption keys

Stripe offers the ability to encrypt data transfers from Stripe to your storage bucket using PGP encryption with a customer-owned key. This provides an additional layer of protection, ensuring your data remains secure in transit and at rest.

While you can disable PGP encryption, doing so increases the risk of data exposure if you misconfigure something or if unauthorised parties access your bucket. Keeping encryption enabled ensures your data has the highest level of protection.

1. Open the command line interface (terminal).
1. Execute the command `gpg --full-generate-key` to create a key pair.
1. When prompted, select your preferred type, size and expiry of the key. We suggest:
   - **Kind**: (1) RSA and RSA (default)
   - **Bit Length**: 4096
   - **Key is valid for**: 0 (doesn’t expire)
1. Confirm this is correct by typing “y” and pressing **Enter**.
1. Find your account ID (`acct_1234`) at Settings > Business > Account Details and enter it as the real name. Leave the email and comments blank.
1. Type “O” and press **Enter** to confirm.
1. At the passphrase prompt, *don’t enter one*. Instead, press **Enter** and select “Yes, protection isn’t needed.” Repeat this step to confirm your choice.
1. In the output in your command line interface (terminal), locate the key you just generated and note the key ID (the long hexadecimal string at the end of the `pub` line).
1. To export the public key, enter the command `gpg --output acct_1234.key --armor --export your-key-id`, replacing `your-key-id` with the hexadecimal key ID you found in the previous step.
1. The public key file (`acct_1234.key`) is now saved in the current directory.

> Stripe encrypts your data with a key you provide and you decrypt in Amazon S3.
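
The key-generation steps above can also be run non-interactively and the result checked before upload. The script below is an added example, not Stripe's own tooling: it uses GnuPG's batch mode with the same answers the steps suggest, then verifies that the exported file is a public key with the expected parameters. The function names and the `generate` argument are hypothetical, and `acct_1234` is the page's placeholder account ID.

```shell
#!/bin/sh
# Added example. Run as: sh make-key.sh generate acct_1234
# (make-key.sh is a hypothetical file name; acct_1234 is a placeholder ID.)

# Emit a GnuPG batch parameter file matching the suggested answers:
# RSA and RSA, 4096 bits, no expiry, account ID as real name, no passphrase.
key_params() {
  cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Expire-Date: 0
%commit
EOF
}

# Check a `gpg --with-colons` listing on stdin: the primary key must be RSA
# (algorithm 1), 4096 bits, with an empty expiry field, and one user ID must
# equal the account ID exactly.
check_listing() {
  awk -F: -v acct="$1" '
    $1 == "pub" { pub = ($3 == 4096 && $4 == 1 && $7 == "") }
    $1 == "uid" && $10 == acct { uid = 1 }
    END { exit !(pub && uid) }'
}

# Succeed only if the file is an armored public key block and contains no
# private key block, so the secret key is never the file that gets uploaded.
is_public_armor() {
  head -n 1 "$1" | grep -qx -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' &&
    ! grep -q 'PRIVATE KEY BLOCK' "$1"
}

# Generate, export and verify. Skipped unless called with "generate <acct>".
if [ "${1:-}" = "generate" ] && [ -n "${2:-}" ]; then
  acct=$2
  key_params "$acct" | gpg --batch --generate-key
  # "=" selects the key whose user ID matches the account ID exactly.
  gpg --output "$acct.key" --armor --export "=$acct"
  is_public_armor "$acct.key" &&
    gpg --show-keys --with-colons "$acct.key" | check_listing "$acct" &&
    echo "$acct.key passed the checks"
fi
```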