Connecting S3 and S3-compatible buckets

Point a Wire container at an S3 bucket (or any S3-compatible storage) and Wire keeps the container in sync with what’s there. Add a file at the source, it appears in the container. Change a file, the container picks up the new version. Remove a file, Wire cleans it up. Your bucket is the source of truth; Wire just mirrors the slice of it you want available to your agents.

What works

Anything that speaks the S3 API works. Wire is tested against:

Provider	Notes
Amazon S3	Use a bucket in any region
Cloudflare R2	Use the S3-compatible endpoint, e.g. `<account>.r2.cloudflarestorage.com`
MinIO	Self-hosted or hosted, point at your endpoint
Backblaze B2	Use the S3-compatible endpoint, e.g. `s3.us-west-002.backblazeb2.com`
Wasabi	e.g. `s3.wasabisys.com`
DigitalOcean Spaces, Linode Object Storage, Cloudian, etc.	If it speaks the S3 API, it works

If a provider isn’t on this list but exposes the S3 API, the Custom endpoint option below will get you connected.

How it’s organized

Wire splits the connection in two:

Connector is the credential. Lives at the organization level. Connect a bucket once, give it a label, done. Anyone with permission can attach it to their containers without re-entering the access key.
Source is the slice of a bucket that flows into a specific container. Pick a bucket and an optional prefix. One connector can feed many containers, each with its own scope.

This lets a team share a single set of credentials while each container only sees the prefix that’s relevant to it.

Permissions

Action	Who can do it
Create / test / disconnect a connector at the org level	Owner, Admin
View the connectors list	All members
Attach a source to a container	Anyone with edit access to that container
Detach a source / sync a source	Anyone with edit access to that container

Step 1. Connect at the org level

Open Organization → Connectors in the Wire dashboard.
Click Add connector and pick Amazon S3 / S3-compatible.
Fill in:
- Endpoint (optional, defaults to AWS S3): the S3 endpoint host, e.g. s3.amazonaws.com, <account>.r2.cloudflarestorage.com, your MinIO host.
- Region (optional, defaults to us-east-1): the bucket’s region.
- Access key ID + Secret access key: an IAM user or service account with read access to the buckets you want Wire to see.
- Session token (optional): for STS / temporary credentials.
- Test bucket: a bucket name Wire will try to read so we can validate the credentials before storing them. This is required, so we don’t store credentials we can’t actually use.
Click Connect. Wire validates the credentials against the test bucket, encrypts them, and stores them.

If validation fails, the form shows why (invalid credentials, no access to test bucket, bucket not found, etc.) without storing anything.

What Wire needs

The minimum permission is read on the buckets and prefixes you want to sync from. Wire never writes back to your bucket, never deletes from it, and never lists buckets outside the prefixes you explicitly attach.

A typical IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::your-bucket/your-prefix/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::your-bucket",
      "Condition": {
        "StringLike": { "s3:prefix": ["your-prefix/*"] }
      }
    }
  ]
}

Step 2. Attach a bucket to a container

Open the container you want to feed.
Go to the Sources tab.
In the Amazon S3 row, click Setup (or Edit if you already have one attached).
Click Add bucket, pick the connector you just made, and fill in:
- Bucket: the bucket name.
- Prefix (optional): limit the source to a folder, e.g. reports/2026/. Leave empty to sync the whole bucket.
Click Add. Wire kicks off a backfill.

The source row shows its state with a pill:

Pill	Meaning
Pending	Queued, backfill hasn’t started yet
Syncing	Backfill is running, files are landing
Synced	Caught up with the bucket
Error	Something went wrong, hover the row for details

Files appear in the container’s Files list as they finish processing.

Keeping things in sync

After the initial backfill, Wire checks for changes on a regular cadence and pulls in anything new, updated, or removed. You don’t have to do anything.

If you’ve just made a change at the source and want to pull it immediately, hit Sync now on the source row. That fires off an incremental sync right away. If a sync is already in flight, the button waits for it to finish rather than firing a parallel one.

What an incremental sync does

New files in the prefix get pulled in and processed
Changed files (different etag at the source) replace the old version in the container
Files that disappear from the prefix get removed from the container

Files in the container that you didn’t put there (uploads, agent writes, other connectors) are never touched.

Detaching a source

Go back to the Sources tab, hit Edit, then the trash icon on the bucket row. Wire archives the source, then cleans up every file it ever pulled from that bucket out of the container, in the background. This includes entries, embeddings, and the stored copies of the files. Your bucket is never touched. Detaching only removes Wire’s mirror.

If you want to pause syncing without losing the files Wire already pulled, that’s not currently supported. Detach removes everything; re-attach starts a fresh backfill.

Disconnecting a connector

At the org level (Organization → Connectors → Disconnect), revoking the connector cascades through every container it ever fed. Each affected container has its synced files removed in the background, exactly as if you’d detached the source from each container individually.

Re-connecting later with the same credentials is fine, but existing sources need to be reattached.

Costs

Writes and syncs through S3 are free. There’s no per-file or per-sync cost; pulling 10,000 files in a backfill is the same price as uploading them by hand. Once files are in the container, the usual container charges apply to anything you do with them.

Privacy and security

Credentials are encrypted at rest with a key Wire never exposes to its own application code.
Every read of those credentials is logged. Wire’s compliance posture treats them as the most sensitive thing in the system.
Wire only fetches objects under the prefix you explicitly attach. It doesn’t list other buckets, list the bucket root, or read outside the configured prefix.
The bucket name, prefix, region, and last-checked timestamp are visible to anyone with read access to the connector at the org level. The credentials themselves never come back out.

Troubleshooting

Backfill stuck in Pending or Syncing Hit Sync now. If it stays stuck, check the Re-test button on the connector at the org level. If the credentials no longer work (rotated, expired STS, IAM policy changed), the connector’s status flips to invalid credentials and you need to reconnect.

A file’s contents at the source changed but the container still shows the old version Files are matched by their etag. If your source updated the file in a way that doesn’t change the etag (rare, but some providers behave differently here), Wire won’t see it as changed. Hit Sync now and check, or as a last resort, delete and re-upload the file at the source.

Sync is missing files Wire scans up to 100,000 objects per sync run. If a single prefix is bigger than that, split it into narrower prefixes and attach each one as a separate source.

A new connector won’t validate The most common cause is the test bucket being unreachable from the credentials given (typo in name, bucket in a different region than configured, or the IAM user lacks s3:ListBucket on it). Pick a bucket the credentials can definitely list.