Skip to main content

Documentation Index

Fetch the complete documentation index at: https://heyhumm.ai/docs/llms.txt

Use this file to discover all available pages before exploring further.

Humm can sync SaaS data into an S3 bucket in your AWS account instead of storing that synced data in Humm-managed storage. In this setup:
  • The synced data lives in your S3 bucket.
  • Humm still manages the Glue catalog and query path.
  • Humm and Airbyte assume a role in your AWS account to write, validate, and query the synced data.

Before You Start

You will need:
  • Permission in your AWS account to create or update an S3 bucket, IAM policy, and IAM role, and IAM user
  • Organization admin access in Humm

1. Create or Choose an S3 Bucket

Create a new bucket or choose an existing one for Humm sync data. Recommendations:
  • Use a dedicated bucket for Humm sync data
  • Keep Block Public Access enabled
  • Choose the AWS region you want Humm to use for sync storage
  • Avoid pointing Humm at a bucket that contains unrelated production data
Important Humm uses the bucket as the root warehouse location. Use a dedicated bucket instead of a shared bucket with unrelated objects. Do not allow any other processes to write to this bucket.

2. Create an IAM Permission Policy

Create an IAM policy that gives the Humm sync role access to the bucket. Replace YOUR_BUCKET_NAME and YOUR_GLUE_ACCOUNT_ID 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject*",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket*"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:CreateDatabase",
        "glue:UpdateDatabase",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTableVersion",
        "glue:GetTableVersions",
        "glue:CreateTable",
        "glue:UpdateTable",
        "glue:DeleteTable",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition",
        "glue:BatchCreatePartition",
        "glue:BatchDeletePartition"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:YOUR_GLUE_ACCOUNT_ID:catalog",
        "arn:aws:glue:us-east-1:YOUR_GLUE_ACCOUNT_ID:database/*",
        "arn:aws:glue:us-east-1:YOUR_GLUE_ACCOUNT_ID:table/*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
      ],
      "Resource": "*"
    }
  ]
}
Why these permissions are needed:
  • s3:ListBucket* lets Humm discover objects and prefixes
  • s3:PutObject lets Humm write synced data and run connection validation
  • s3:DeleteObject lets Humm clean up connector-owned data and remove the validation file
  • s3:GetObject* lets Humm query synced data
  • glue:* allows Humm to create and manage databases and tables on your behalf
  • athena:* allows Humm to execute queries against the data warehouse

3. Create an IAM User for Humm

Create an IAM user for Humm; attach the policy above directly, or via a role definition. Generate

5. Enter the Settings in Humm

In Humm:
  1. Go to Settings > Data Storage
  2. Select Customer-hosted
  3. Enter your S3 bucket name, AWS region, Access Key ID, and Secret Access Key
  4. Click Test connection
  5. If successful, click Save
The test connection verifies that Humm can:
  • Reach the bucket
  • Write a temporary validation object
  • Delete that validation object
During validation, Humm writes and deletes a temporary file at .humm/validation.txt.

6. Start or Re-run Your Sync

Once the storage settings are saved, create a new Data Sync connector or re-run setup for an existing one. Humm will then:
  • Configure itself to write into your S3 bucket
  • Keep the Glue catalog in Humm-managed AWS
  • Query the synced data through Athena

Do I Need a Bucket Policy?

Usually, no. In the standard setup, the IAM role permissions are enough. You only need additional bucket policy changes if your AWS environment uses explicit deny rules or other organization-level controls.

Need Help?

If you want, Humm can review your proposed trust policy and role ARN before you save the configuration.