Securely Access VPC-Protected Amazon S3 Buckets in Microsoft Fabric with Entra Integration (Preview)
When we first introduced Amazon S3 shortcut integration with Microsoft Entra ID, customers gained a powerful new way to connect S3 data to Microsoft Fabric without storing or rotating AWS access keys. Using OpenID Connect (OIDC), Fabric presents a Microsoft Entra-issued token for a service principal to AWS Security Token Service (STS), which exchanges it for short-lived credentials for an IAM role you define. Access to cloud storage is therefore identity-based rather than key-based.
However, many enterprises keep their S3 buckets locked down inside Virtual Private Clouds (VPCs) or behind corporate firewalls. In these environments, Entra OIDC can authenticate identities, but it cannot provide network access — so Fabric still cannot reach the S3 endpoint. That changes today.
With support for the on-premises data gateway, Microsoft Fabric can now securely access S3 buckets that reside behind a VPC or firewall, bridging identity-based Entra OIDC authentication with the private network reach your environment requires.
Why This Integration Matters
Enterprises in regulated sectors often face a trade-off between security and agility. They need to keep data inside private clouds or corporate networks, but they also want to unlock the insights that Fabric’s unified analytics platform delivers.
This new capability removes that trade-off. By combining Microsoft Entra ID based OIDC authentication with the on-premises data gateway, Fabric can securely reach S3 buckets that live inside VPCs or behind corporate firewalls — without ever exposing data to the public internet. You maintain strict network boundaries while still enabling governed, analytics-driven experiences in Fabric.
Key Benefits
- Private, Secure Access – Access S3 data privately without opening public endpoints or relaxing firewall rules.
- Zero-Trust Identity Control – Maintain strong identity governance using Microsoft Entra ID and OIDC, eliminating reliance on long-lived AWS access keys.
- Simplified Management – No AWS access keys to store or rotate, and no IAM user lifecycle to manage. The only long-lived credential left is the Entra service principal's own secret, which Entra governs.
- Unified Governance and Auditing – Maintain cross-cloud visibility: Fabric governs usage, and AWS CloudTrail records every AssumeRoleWithWebIdentity call made with an Entra-issued token. To see object-level S3 reads as well, enable CloudTrail data events for the bucket; they are not logged by default.
Setting This Up
This capability builds on two existing flows:
- Identity & OIDC setup using Microsoft Entra service principals for Amazon S3 shortcuts.
- Private network connectivity to VPC-protected S3 buckets using the on-premises data gateway.
Below is the high-level sequence, with links to the detailed step-by-step guides.
Step 1: Configure Entra–AWS trust for S3 shortcuts
First, set up Microsoft Entra ID and AWS IAM so that Fabric can use a Microsoft Entra service principal with OIDC to assume an AWS role and access your S3 bucket.
- Register a service principal in Microsoft Entra ID.
- Configure an OIDC trust relationship between Entra and AWS IAM.
- Create an IAM role and policy that grants the required S3 permissions.
To configure the identity trust between Entra and AWS, follow the steps outlined in the Access Amazon S3 Shortcuts Securely and Seamlessly with Microsoft Entra Service Principals (Preview) blog post.
Step 2: Enable private access to your VPC-protected S3 bucket
Next, make sure Fabric can reach your S3 bucket over a private network path via the on-premises data gateway.
- Configure a VPC endpoint for S3 and a network path to it (a host inside the VPC, or a VPN or Direct Connect link into it) that the gateway machine can use.
- Install and configure the on-premises data gateway on that machine.
- Verify from the gateway host that requests to the bucket traverse the VPC endpoint rather than the public internet; with an interface endpoint and private DNS enabled, the bucket hostname should resolve to private addresses inside the VPC.
For a full walkthrough, refer to the Creating a shortcut to a VPC-protected Amazon S3 bucket blog post.
Step 3: Create the Fabric S3 shortcut using both identity and network paths
Finally, bring it all together in Fabric:
- Create (or reuse) a Fabric connection that uses your Entra service principal–based integration.
- When creating the Amazon S3 shortcut, select the connection and the on-premises data gateway.
- Browse to the VPC-protected bucket or folder and complete the shortcut creation.
At this point, identity flows through Microsoft Entra and AWS IAM, network traffic flows through your private gateway, and Fabric can query S3 data securely without exposing it to the public internet.
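As an added worked example (not code from the Microsoft blog post or from the product itself), the following Python builds the three AWS-side policy documents the procedure above needs and sanity-checks the trust policy for the confused-deputy mistake of accepting any token from the tenant. The tenant, client and object IDs, account ID, bucket, prefix and VPC endpoint ID are placeholders; the issuer host and the `<issuer>:aud` / `<issuer>:sub` condition-key layout follow the IAM OIDC provider conventions documented by AWS and are an assumption here, so confirm them against the linked step-by-step guide for your tenant.

```python
"""Added example: build and sanity-check the AWS-side policies for a Fabric
S3 shortcut that authenticates with an Entra service principal over OIDC and
reaches the bucket through a VPC endpoint. All identifiers are placeholders."""
import json

# --- placeholder identifiers (constructed for this example) ---
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # Entra app (client) ID
SP_OBJECT_ID = "99999999-8888-7777-6666-555555555555"  # service principal object ID
ACCOUNT_ID = "123456789012"
BUCKET = "example-fabric-bucket"
PREFIX = "analytics/"
VPCE_ID = "vpce-0123456789abcdef0"

# Assumed issuer form as registered in IAM (host only, trailing slash); verify for your tenant.
ISSUER = f"sts.windows.net/{TENANT_ID}/"


def trust_policy(issuer: str, account_id: str, client_id: str, sp_object_id: str) -> dict:
    """Role trust policy: only tokens from this issuer, for this app (aud) and this
    service principal (sub), may call sts:AssumeRoleWithWebIdentity on the role."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": client_id,
                f"{issuer}:sub": sp_object_id,
            }},
        }],
    }


def s3_read_policy(bucket: str, prefix: str) -> dict:
    """Least-privilege read policy: list and get, limited to one bucket prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def bucket_policy_vpce_only(bucket: str, vpce_id: str) -> dict:
    """Bucket policy denying any request that did not arrive via the expected VPC
    endpoint, so the private path is enforced by S3, not just by routing."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def trust_policy_findings(policy: dict, issuer: str) -> list:
    """Flag Allow statements for AssumeRoleWithWebIdentity that lack an aud or sub
    condition (any client / any principal in the tenant could assume the role)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        eq = st.get("Condition", {}).get("StringEquals", {})
        for claim in ("aud", "sub"):
            val = eq.get(f"{issuer}:{claim}")
            if val is None:
                findings.append(f"statement {i}: no {claim} condition; any {claim} accepted")
            elif val == "*" or (isinstance(val, list) and "*" in val):
                findings.append(f"statement {i}: wildcard {claim}")
    return findings


if __name__ == "__main__":
    tp = trust_policy(ISSUER, ACCOUNT_ID, CLIENT_ID, SP_OBJECT_ID)
    print(json.dumps(tp, indent=2))
    print("trust policy findings:", trust_policy_findings(tp, ISSUER))
    print(json.dumps(s3_read_policy(BUCKET, PREFIX), indent=2))
    print(json.dumps(bucket_policy_vpce_only(BUCKET, VPCE_ID), indent=2))
```

Apply the VPC-endpoint-only bucket policy with care: the explicit deny also blocks administrators and other integrations that do not come through that endpoint, so carve out what you need or stage it on a test bucket first. The `sub` claim value for a service principal token is the service principal's object ID in common Entra configurations; confirm it by decoding a token issued to your principal before pinning the trust policy.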
Security Best Practices
- Use a unique service principal per AWS IAM role for strong isolation and auditability.
- Pin the role's trust policy to that service principal (conditions on the token's audience and subject claims) and scope its permissions policy to the bucket and prefix the shortcut reads, so a token for any other application in your tenant cannot assume the role.
- Rotate service principal secrets regularly, give them a short expiry, and store them securely.
- Monitor AWS CloudTrail logs for STS activity and role assumptions, and alert on assumptions of the Fabric role from an unexpected identity provider or on S3 requests by that role that bypass the VPC endpoint.
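As an added example (not from the blog post or from any Microsoft or AWS tooling), the following Python implements the two monitoring checks just listed over CloudTrail records: it flags AssumeRoleWithWebIdentity calls on the Fabric role whose identity provider is not your Entra tenant's issuer, and S3 data-plane calls by that role that did not arrive through the expected VPC endpoint. The sample events are constructed to follow the CloudTrail record shape (`userIdentity.identityProvider` for web-identity callers, `vpcEndpointId` for requests made through an endpoint) and are not real data; the role name, issuer and endpoint ID are placeholders.

```python
"""Added example: flag suspicious Fabric-role activity in CloudTrail records.
Sample events below are constructed, not real CloudTrail output."""
import json

FABRIC_ROLE = "FabricS3Role"                                   # placeholder
EXPECTED_ISSUER = "sts.windows.net/11111111-2222-3333-4444-555555555555/"  # placeholder
EXPECTED_VPCE = "vpce-0123456789abcdef0"                         # placeholder
S3_DATA_EVENTS = {"GetObject", "HeadObject", "ListObjects", "ListObjectsV2"}

ROLE_ARN = "arn:aws:iam::123456789012:role/FabricS3Role"
ASSUMED_ARN = "arn:aws:sts::123456789012:assumed-role/FabricS3Role/fabric-session"

# Constructed sample records (abbreviated CloudTrail shape).
SAMPLE_EVENTS = [
    # 1: expected tenant issuer assumes the role from inside the VPC -> fine
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": EXPECTED_ISSUER,
                      "userName": "99999999-8888-7777-6666-555555555555"},
     "requestParameters": {"roleArn": ROLE_ARN},
     "sourceIPAddress": "10.0.1.25", "eventTime": "2025-01-01T10:00:00Z"},
    # 2: a different issuer assumes the same role -> trust policy too broad
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser",
                      "identityProvider": "sts.windows.net/ffffffff-0000-0000-0000-000000000000/",
                      "userName": "12345678-1234-1234-1234-123456789abc"},
     "requestParameters": {"roleArn": ROLE_ARN},
     "sourceIPAddress": "203.0.113.7", "eventTime": "2025-01-01T10:05:00Z"},
    # 3: S3 read via the expected VPC endpoint -> fine
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": ASSUMED_ARN},
     "requestParameters": {"bucketName": "example-fabric-bucket", "key": "analytics/a.parquet"},
     "vpcEndpointId": EXPECTED_VPCE, "sourceIPAddress": "10.0.1.25",
     "eventTime": "2025-01-01T10:01:00Z"},
    # 4: S3 read by the Fabric role with no vpcEndpointId -> public path used
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": ASSUMED_ARN},
     "requestParameters": {"bucketName": "example-fabric-bucket", "key": "analytics/b.parquet"},
     "sourceIPAddress": "203.0.113.7", "eventTime": "2025-01-01T10:06:00Z"},
]


def role_name(arn: str) -> str:
    """Role name from an IAM role ARN ('...:role/Name') or an STS assumed-role ARN
    ('...:assumed-role/Name/session'); empty string if the ARN is malformed."""
    parts = arn.split(":", 5)
    if len(parts) < 6:
        return ""
    segs = parts[5].split("/")
    return segs[1] if len(segs) > 1 else ""


def check_events(events: list, role: str = FABRIC_ROLE,
                 issuer: str = EXPECTED_ISSUER, vpce: str = EXPECTED_VPCE) -> list:
    """Return (finding, detail, sourceIPAddress, eventTime) tuples in event order."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        ident = ev.get("userIdentity", {})
        src, when = ev.get("sourceIPAddress"), ev.get("eventTime")
        if ev.get("eventSource") == "sts.amazonaws.com" and name == "AssumeRoleWithWebIdentity":
            if role_name(ev.get("requestParameters", {}).get("roleArn", "")) != role:
                continue
            if ident.get("identityProvider") != issuer:
                findings.append(("unexpected-issuer", ident.get("identityProvider"), src, when))
        elif ev.get("eventSource") == "s3.amazonaws.com" and name in S3_DATA_EVENTS:
            if ident.get("type") != "AssumedRole" or role_name(ident.get("arn", "")) != role:
                continue
            if ev.get("vpcEndpointId") != vpce:
                findings.append(("not-via-vpce", ev.get("vpcEndpointId"), src, when))
    return findings


def parse_cloudtrail(text: str) -> list:
    """Accept a CloudTrail log file body ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f)
```

S3 data events such as GetObject only show up in CloudTrail when data events are enabled for the bucket, so enable them before relying on the second check.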
Current Limitations
- This Microsoft Entra integration currently supports only the service-principal based approach. OAuth and workspace identity support are not yet available.
Try it Today
If your organization is already using Microsoft Entra and S3, we encourage you to try it out and see how it can simplify your data access and governance. Setup is straightforward, and you’ll be able to take advantage of secure, efficient access to your data from day one.