S3 To Sharepoint

S3 To Sharepoint

Reading time1 min
#Cloud#Enterprise#Integration#AWSS3#SharePoint#MicrosoftGraph

Seamless S3–SharePoint Integration for Modern Enterprise Storage

Centralized file storage in AWS S3 plus collaboration in SharePoint: standard pattern, familiar pain. Security teams want a unified audit trail, end-users prefer single-pane document access, but most corporates end up with parallel (and divergent) file systems. Unsurprisingly, this leads to version sprawl, broken governance, and wasted storage—not to mention frustrated users.

Not every integration requires a costly data migration. In most real-world deployments, moving petabytes from S3 isn’t on the table. Instead, focus on just-in-time access and sync, leveraging serverless capabilities and native APIs.

Integration: Drivers, Gotchas, and Trade-offs

Why connect S3 and SharePoint directly?

  • Unified document management. Everything visible in SharePoint—regardless of actual back-end storage origin.
  • Apply Microsoft 365 compliance controls, DLP, and auditing to S3-origin files.
  • Eliminate manual upload/download cycles (and risk-prone “shadow IT” workarounds).
  • Avoid redundant copies—especially for analytics datasets or bulk archives.

Gotcha: S3 = object storage; SharePoint = document management. Metadata models, sharing boundaries, and access patterns diverge. Watch for edge cases in filename encoding, ACL mappings, and mutation latency.

Architectural Patterns: What Actually Works

PatternProsCons / Limits
3rd-party middleware (e.g. SkySync, AvePoint, Cloud FastPath)Fast to deploy, vendor supportOngoing license, black-box behaviors, potential throttling
Serverless event-driven sync (Lambda + Graph API)Fully customizable, pay-per-useDevelopment/maintenance overhead, API rate limits, stricter error handling needed
Low-code platform (Power Automate, Logic Apps)No/minimal code, integrates with M365 controlsNot feasible for bulk/high-volume or custom logic

No “best” choice. For most mid-to-large enterprises unconstrained by integration licenses, middleware may win on TCO. But for those with bespoke workflow requirements—or high sensitivity to platform lock-in—serverless wins.

Practical Example: Near Real-Time S3–SharePoint Sync with AWS Lambda and Microsoft Graph

No-nonsense setup—Python 3.11, boto3 ≥ 1.28, requests ≥ 2.31.0. Assume:

  • S3 bucket: corp-data-ingest
  • SharePoint site: eng-team
  • Permissions mapped via Azure AD Application.

1. Register Azure AD App for Graph Permissions

  • Register in Azure Portal.
  • Set permissions:
    • Files.ReadWrite.All
    • Sites.ReadWrite.All
  • Add a secret (consider short expiry; store in AWS Secrets Manager, not plaintext, for production).
  • From the registration: collect client_id, tenant_id, secret.

Known issue: Graph permissions often require admin consent; bottleneck this early.

2. Lambda Function: Core Logic

Key Points:

  • S3 event triggers Lambda (PUT events only)
  • Lambda fetches object, authenticates to Graph API, and uploads to SharePoint library root
  • Handles only new file or update; no deletes, no conflict resolution (basic version)
import os
import boto3
import requests

TENANT_ID = os.environ['TENANT_ID']
CLIENT_ID = os.environ['CLIENT_ID']
CLIENT_SECRET = os.environ['CLIENT_SECRET']
SP_SITE_ID = os.environ['SP_SITE_ID']
SP_DRIVE_ID = os.environ['SP_DRIVE_ID']

def get_graph_token():
    url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
    data = {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "https://graph.microsoft.com/.default"
    }
    resp = requests.post(url, data=data)
    resp.raise_for_status()
    return resp.json()["access_token"]

def lambda_handler(event, ctx):
    s3 = boto3.client("s3")
    token = get_graph_token()
    for rec in event['Records']:
        bucket = rec['s3']['bucket']['name']
        key = rec['s3']['object']['key']

        obj = s3.get_object(Bucket=bucket, Key=key)
        content = obj['Body'].read()
        sp_url = f"https://graph.microsoft.com/v1.0/sites/{SP_SITE_ID}/drives/{SP_DRIVE_ID}/root:/{key.split('/')[-1]}:/content"
        
        resp = requests.put(
            sp_url,
            headers={
                "Authorization": f"Bearer {token}",
                "Content-Type": "application/octet-stream",
            },
            data=content,
        )

        # Debugging/logging
        if resp.status_code != 201 and resp.status_code != 200:
            print(f"Error uploading {key} to SharePoint: {resp.status_code} {resp.text}")

# Sample event payload (AWS Console > S3 > Properties > Event notifications).

Tip: Use environment variables for credentials, not hardcoding—critical for rotation and ops sanity.

3. S3 Event Notification Setup

Via AWS Console or Terraform:

resource "aws_s3_bucket_notification" "lambda_trigger" {
  bucket = "corp-data-ingest"
  lambda_function {
    lambda_function_arn = aws_lambda_function.s3_to_sp.arn
    events              = ["s3:ObjectCreated:Put"]
  }
}

Real-World Practices

  • Map folder paths intentionally: S3 keys can be arbitrarily deep, but SharePoint does not support “infinite” nesting or all special characters. Pre-process if needed.
  • Handle timeouts: Large S3 objects (>20MB) may timeout on lambda-to-Graph PUT. Chunked uploads not covered above—investigate if needed.
  • API throttling: Graph enforces rate limits. For high-frequency buckets, batch events or introduce backoff logic.
  • Track error logs: Lambda logs are accessible via CloudWatch. Query for Error uploading to spot failures.
  • Metadata preservation: S3 tags ≠ SharePoint columns. If you need to sync custom metadata, extend the upload to PATCH metadata fields via Graph.

Non-Obvious Issues

  • SharePoint file name restrictions: Avoid files with #, %, and length > 400 characters. Fails silently in some API versions.
  • S3 objects with no content-type default to binary/octet-stream in SharePoint. Adjust if downstream M365 workflows care about file type.

Conclusion

Forget migrations. Instead, bridge S3 and SharePoint using serverless + Graph—or a reputable connector for less-specialized cases. Focus on key error paths, permissions, and operations visibility. This method minimizes user disruption, enforces governance, and fits real enterprise requirements.

If compliance or high-throughput needs grow, revisit architecture. Otherwise: minimal ops, maximal continuity.

Unaddressed: Two-way sync and delete propagation. These are possible, but add risk and complexity not every enterprise accepts.

Alternative: Some teams have migrated reference-quality data to SharePoint via DataBox/ Azure Mover, but this is batch, not sync, and not covered here.

Related Articles

S3 To Sharepoint

Seamlessly Integrating AWS S3 with SharePoint for Enterprise File Management

1 min

Aws Introduction To Cloud Computing

How to Confidently Architect Your First AWS Cloud Environment: A Practical Introduction to Cloud Computing

1 min

Azure To Google Cloud

Seamlessly Migrating Enterprise Workloads from Azure to Google Cloud: A Step-by-Step Blueprint

1 min
← Back to Blog