Microsoft Fabric Updates Blog

Access Amazon S3 Shortcuts Securely and Seamlessly with Microsoft Entra Service Principals (Preview)

Microsoft Fabric now offers a preview of support for Microsoft Entra service principals when using Amazon S3 Shortcuts. This feature allows the use of Entra service principals to securely access S3 buckets without the need for long-term AWS access keys.

Previously, S3 shortcuts required access keys. With this update, organizations can authorize access using Microsoft Entra credentials, simplify identity management, and improve security with short-lived, standards-based tokens.

Why This Integration Matters

Many organizations use both Microsoft and AWS platforms to support their data and analytics workflows, but managing identities across clouds can be complex, error-prone, and time-consuming.

This integration makes that much easier. By using OpenID Connect (OIDC), Microsoft Entra service principals can securely assume AWS roles without needing separate IAM users or long-lived access keys. Instead of static credentials, Entra issues short-lived tokens, which AWS trusts at the time of access. This reduces credential sprawl, simplifies security, and gives you centralized control through Entra’s identity policies. All activity is logged in AWS CloudTrail, providing full visibility into cross-cloud activity.

Key Benefits

  • Cross-Cloud Identity Management – Use Microsoft Entra service principals to manage access to AWS S3, allowing consistent identity policies across both cloud platforms.
  • Secure by Design – Leverage OIDC for modern, token-based authorization with short-lived credentials.
  • Simplified Operations – Eliminate the need to create or manage IAM users, reducing complexity and credential sprawl.
  • Auditable Access – Audit all role assumptions in AWS CloudTrail, giving you full visibility and traceability.
  • Minimal Disruption – Works with your existing AWS setup, with only a few configuration steps required to get started.

Getting Started

To enable this integration, complete the following steps. A detailed setup guide is available in the documentation.

  1. Register a Service Principal in Microsoft Entra
    Create an app registration, generate a client secret, and capture the tenant ID, client ID, and object ID.

  2. Configure AWS IAM
    Set up an OIDC identity provider using your Entra tenant ID and create IAM roles with trust policies that reference your service principal.

  3. Connect via Microsoft Fabric
    Use the Fabric interface to create a connection to S3 using the role ARN and Entra credentials. Then, create S3 Shortcuts using OneLake’s shortcut interface.

Security Best Practices

  • Use a unique service principal per AWS IAM role for strong isolation and auditability.
  • Rotate service principal secrets regularly and store them securely.
  • Monitor AWS CloudTrail logs for STS activity and role assumptions.
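The CloudTrail monitoring and one-principal-per-role practices above can be checked together. The following is an added example, not code from the original post or from Microsoft: it scans CloudTrail records for `AssumeRoleWithWebIdentity` (the STS call used for OIDC role assumption) and flags failures, unlisted roles, and roles assumed by a service principal other than the one assigned. The role ARNs, provider ARN, subject values and sample records are constructed placeholders, and it assumes the token subject recorded in `userIdentity.userName` is the service principal's object ID.

```python
import json

# Assumed placeholders (not from the post): the IAM OIDC provider as it
# appears in your own CloudTrail records, and one service principal per role.
EXPECTED_PROVIDER = "arn:aws:iam::111122223333:oidc-provider/sts.windows.net/TENANT-ID/"
EXPECTED_SUBJECT = {
    "arn:aws:iam::111122223333:role/fabric-s3-sales": "sp-object-id-sales",
    "arn:aws:iam::111122223333:role/fabric-s3-hr": "sp-object-id-hr",
}

def review_event(event):
    """Return findings for one CloudTrail record (empty list if nothing to flag)."""
    if event.get("eventName") != "AssumeRoleWithWebIdentity":
        return []
    identity = event.get("userIdentity") or {}
    role = (event.get("requestParameters") or {}).get("roleArn", "")
    subject = identity.get("userName", "")  # token subject of the caller
    findings = []
    if event.get("errorCode"):
        findings.append(f"failed assumption of {role}: {event['errorCode']}")
    if identity.get("identityProvider") != EXPECTED_PROVIDER:
        findings.append(f"unexpected identity provider for {role}")
    expected = EXPECTED_SUBJECT.get(role)
    if expected is None:
        findings.append(f"web-identity assumption of unlisted role {role}")
    elif subject != expected:
        findings.append(f"{role} assumed by {subject}, expected {expected}")
    return findings

def review_log(lines):
    """Scan JSON-lines CloudTrail records; return (eventID, finding) pairs."""
    return [(e.get("eventID"), f)
            for e in map(json.loads, lines) for f in review_event(e)]

def make_record(event_id, role, subject, error=None):
    """Build a constructed record holding only the fields the check reads."""
    return json.dumps({
        "eventID": event_id, "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity", "errorCode": error,
        "userIdentity": {"type": "WebIdentityUser", "userName": subject,
                         "identityProvider": EXPECTED_PROVIDER},
        "requestParameters": {"roleArn": role}})

SALES, HR = list(EXPECTED_SUBJECT)
SAMPLE_LOG = [  # constructed sample input
    make_record("e1", SALES, "sp-object-id-sales"),   # expected pairing
    make_record("e2", HR, "sp-object-id-sales"),      # principal reused across roles
    make_record("e3", SALES, "sp-object-id-sales", error="AccessDenied"),
    make_record("e4", "arn:aws:iam::111122223333:role/other", "sp-object-id-hr"),
]
```

Running `review_log(SAMPLE_LOG)` flags `e2`, `e3` and `e4` and leaves `e1` clean.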

Current Limitations

  • This integration currently supports only the service principal–based approach. OAuth and workspace identity support are not yet available.
  • Access to S3 buckets behind firewalls, such as through On-premises Data Gateway connections, is not supported with this service principal–based integration.

Try it Today

If your organization is already using Microsoft Entra and S3, we encourage you to try it out and see how it can simplify your data access and governance. Setup is straightforward, and you’ll be able to take advantage of secure, efficient access to your data from day one. Get started now!
