Skip to main content
Scale Plan10 minutesIntermediate

Warehouse export to AWS S3

Push your daily Zenovay analytics aggregates to your own AWS S3 bucket on a schedule. Available on the Scale plan and above.

warehouses3awsexportscale
Last updated:
Scale Plan

Zenovay can push your daily analytics aggregates to your own AWS S3 bucket on a schedule. You bring your own bucket and IAM credentials; Zenovay signs the PUT requests with AWS SigV4. The data is yours, in your account, with your retention policy — Zenovay just writes to it.

What gets exported

V1 exports analytics_daily aggregates: one row per website per date with the same numbers you see on your dashboard.

ColumnDescription
website_idUUID of the website the row belongs to
dateThe date the row aggregates (UTC)
total_visitorsTotal visitors that day
unique_visitorsUnique visitors that day
pageviewsPageviews that day
bounce_rateBounce rate (0–1)
avg_session_durationAverage session duration in seconds

Future expansion (BigQuery, Snowflake, and richer datasets like custom events) is on the roadmap. This article covers S3 only.

What you'll need

  • An AWS account
  • An S3 bucket (any region)
  • An IAM user (or role) with s3:PutObject on the prefix you'll configure — no other permissions are needed
  • Access key ID + secret access key for that IAM user
  • A Zenovay team on the Scale plan or above

Step 1 — Create the IAM policy

In the AWS IAM console, create a policy with this minimal permission set. Replace your-bucket and zenovay/ with the bucket and prefix you'll use.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ZenovayWarehouseExportPut",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket/zenovay/*"
    }
  ]
}

Zenovay never lists, reads, or deletes objects in your bucket. The policy gives only PutObject on a single prefix.

Step 2 — Create an IAM user

Attach the policy from Step 1 to a new IAM user. Generate an access key for the user and copy the access key ID + secret access key — you'll paste them into Zenovay in Step 4.

Step 3 — (Optional) lifecycle policy on your bucket

Each scheduled run writes to:

s3://your-bucket/<prefix><team_id>/<date>/analytics_daily.csv

The object key is idempotent — re-running for the same date overwrites the same key. You can configure an S3 lifecycle policy to:

  • Transition older objects to S3 Glacier or Glacier Deep Archive for cheaper long-term storage
  • Expire objects after N days/years if you don't need long-term retention

This is fully under your control; Zenovay does not manage lifecycle on your bucket.

Step 4 — Connect the destination in Zenovay

  1. Open your website's dashboard and go to its Settings, then under the Data section open the Warehouse tab
  2. Click Add S3 destination
  3. Fill in the form:
FieldValue
Bucket nameyour-bucket
AWS regionThe region your bucket is in (e.g. eu-central-1)
Access key IDFrom Step 2
Secret access keyFrom Step 2
Object key prefixzenovay/ (or any prefix; must match your IAM policy)
ScheduleDaily or hourly

Zenovay encrypts your secret access key at rest with AES-GCM and never echoes it back in API responses.

Step 5 — Test the destination

After saving, click Run now on the destination row. Zenovay will:

  1. Read the most recent day's analytics_daily rows from your data
  2. Format as CSV
  3. PUT to s3://your-bucket/<prefix><team_id>/<yesterday>/analytics_daily.csv

The result shows up in seconds. If it fails, the error message tells you what AWS rejected — usually a typo in the bucket name, region mismatch, or missing IAM permission.

Schedule cadence

  • Daily: runs once every 24 hours per destination
  • Hourly: runs every hour at minute 0

Zenovay's hourly cron processes up to 200 destinations per tick; if your team has many destinations, runs may stagger by a few minutes.

Pause, resume, delete

  • Pause stops scheduled runs without losing the configuration. Manual "Run now" still works.
  • Resume turns scheduled runs back on with the same next_run_at clock.
  • Delete removes the destination configuration AND its run history. Existing files in your S3 bucket are not touched — they remain under your control.

Privacy and account deletion

  • Aggregates only; no individual visitor IPs or PII leave Zenovay
  • Credentials stored encrypted at rest with AES-GCM
  • Deleting your Zenovay account purges the encrypted credentials and the destination configuration as part of the standard right-to-be-forgotten cascade

Frequently asked

Can I use a non-AWS S3-compatible store like MinIO, R2, or Wasabi? Yes. In the destination form, expand Advanced (S3-compatible endpoints) and paste your provider's S3 endpoint URL (for example https://abc123.r2.cloudflarestorage.com). For Cloudflare R2 and other non-AWS targets, pick the Auto (Cloudflare R2 / S3-compatible) region. The endpoint must be publicly reachable — to test against a local MinIO instance, expose it through a tunnel (cloudflared or ngrok) and use the public URL.

What about BigQuery and Snowflake? Coming in a follow-up release. The same scheduling, plan-gating, and credential storage will apply; only the connector differs.

Can I export to my own bucket in a different AWS account? Yes — that's the supported model. Your IAM user, your bucket, your account. Zenovay just signs the PUT.

How do I download the data once it's in S3? Standard AWS tools — aws s3 cp, the AWS console, or any S3 client. From there it's yours: query with Athena, load into Glue/Redshift/BigQuery, or feed into your own pipelines.

What region should I pick for the bucket? Wherever your downstream tools live. Zenovay charges no data-egress fees — those are between you and AWS. EU customers usually pick eu-central-1 for residency reasons.

Was this article helpful?