External Data Sources
Audience can import files from a Kevel-provided S3 bucket (the simplest option, with no extra configuration) or directly from locations you manage — your own S3 bucket, an SFTP server, or an HTTP endpoint. This page explains each option and what is required to set it up.
The Kevel-Provided Uploads Bucket
By default, every Audience instance comes with a dedicated S3 bucket managed by Kevel. This is the recommended starting point for data imports:
- The bucket lives within Kevel's AWS infrastructure.
- Audience accesses it automatically — no credential configuration is needed on your side.
- You upload files to it using credentials provided by your Customer Success Manager during onboarding, or directly through the dashboard UI.
See Upload Files for instructions on how to upload data to this bucket.
Accessing Your Own S3 Bucket
If your data already lives in an S3 bucket in your own AWS account and you would like Audience to read directly from it, Kevel needs to be granted access to that bucket. There are two ways to do this.
IAM Role (Recommended)
Using an IAM role is the most secure option. Credentials never leave AWS, there are no expiration dates to manage, and access can be revoked by updating the bucket policy at any time.
The process is as follows:
- Contact Kevel Support and provide the name of the S3 bucket Audience should access.
- Kevel will create a dedicated IAM role for that bucket and send you back its ARN.
- Add a bucket policy to your S3 bucket granting that role the necessary permissions. The policy should look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AudienceBulkImportsAccess",
"Effect": "Allow",
"Principal": {
"AWS": "<ROLE_ARN_PROVIDED_BY_KEVEL>"
},
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::<YOUR_BUCKET_NAME>",
"arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
]
}
]
}
- Let Kevel Support know once the policy is in place so the configuration can be finalized and tested.
The mapping between IAM roles and buckets is one-to-one. If Audience needs access to multiple buckets in your account, each bucket requires its own role ARN and a corresponding policy statement.
IAM Access Keys
If IAM role assumption is not feasible, Audience can authenticate using an IAM user's access key. This method is suitable for initial testing or short-term use, but should be replaced with the IAM role approach when possible.
- Create an IAM user in your AWS account with read access to the relevant bucket (
s3:GetObject,s3:ListBucket,s3:GetBucketLocation). - Generate an access key pair for that user.
- Contact Kevel Support and provide the bucket name, access key ID, and secret access key. Kevel will store the secret securely and configure the system.
Access keys should be rotated regularly in line with your organization's security policies. Plan to migrate to the IAM role approach when possible to avoid the overhead of key management.
Accessing an SFTP Server
Audience can pull files directly from an SFTP server. The server's hostname is used to match the correct credentials, so each hostname can have its own configuration.
Contact Kevel Support with the connection details that correspond to one of the following authentication methods.
Username and Password
Provide Kevel with:
- Hostname (or IP address) of the SFTP server
- Username
- Password
Kevel will store the password in secure secrets management and configure the system accordingly.
SSH Key Pair
Provide Kevel with:
- Hostname (or IP address) of the SFTP server
- Username
- Private key file (and passphrase, if the key is protected) — Kevel will deploy the key securely on the Audience infrastructure
HTTP and HTTPS Sources
Files accessible over plain HTTP or HTTPS can be used directly as import sources without any additional configuration — just enter the URL when setting up the import.
Authenticated HTTP sources (e.g. URLs requiring a token or login) are not currently supported.
How to Request Configuration
All external source configurations require changes on Kevel's side. To get started, contact Kevel Support and include:
- The protocol you need (S3, SFTP, etc.)
- For S3: the bucket name and your preferred access method (IAM Role is recommended)
- For SFTP: the hostname, username, and preferred authentication method
Once the configuration is deployed, Kevel may confirm access by running a dry-run import so you can verify that everything is working before scheduling live imports.