Skip to main content

Setting Up LiveRamp File Deliveries

For clients and partners who receive files from LiveRamp (such as through our File-Based Recognition workflow), LiveRamp can deliver files to the following locations:

  • Your SFTP server

  • Amazon Web Services (AWS) S3 buckets

  • Google Cloud Buckets

  • Microsoft Azure blobs

    Caution

    While we can deliver data files to AWS S3 buckets using the Authorize LiveRamp's User to Deliver Data to Your AWS S3 Bucket method and to Azure blobs, we will not be able to send a taxonomy file via those methods. For this reason, if you receive taxonomy files as part of your deliveries, we recommend that you use one of the other methods or check with your LiveRamp rep to see whether one of these methods will work for your integration.

Note

If none of these options work for your current configuration, contact your LiveRamp Implementation Manager.

To set up file deliveries, provide LiveRamp with the appropriate information for your desired delivery method.

Caution

Make sure to provide full read and write permissions to LiveRamp to ensure smooth data delivery.

  • Host name

  • Port

  • Username

  • Password

  • Root path

Utilizing an SSH Key

If you’d like us to authenticate to your SFTP server using SSH keys instead of a password, you can use our LiveRamp public SSH key for distributions or your own SSH key.

Caution

We do not create custom keys for customers.

Using the LiveRamp Public SSH Key

If you’d like us to authenticate to your SFTP server using SSH keys instead of a password, you can add our public RSA key to your server and provide us with the username to connect with.

Caution

Note that this public key is different from the LiveRamp public key that is used for uploading from a customer’s SFTP. See “Upload a File via Your SFTP” for more information.

  1. Download our public key for distributions.

  2. Once you've configured the key, contact your LiveRamp representative to confirm.

Using Your SSH Key

You can send us your private SSH key for us to use to authenticate to your server for distributions, but the key must be an RSA key. The first line in the key should include "BEGIN RSA PRIVATE KEY."

Caution

If the first line includes "BEGIN OPENSSH PRIVATE KEY", we cannot use it. Regenerate the key by running:

“ssh-keygen -t rsa”.

If you want files to be delivered to an AWS (Amazon Web Services) S3 cloud storage bucket, you can allow LiveRamp to deliver files to that bucket in one of two ways:

  • By authorizing LiveRamp’s user

  • By creating an IAM (Identity and Access Management) user

Caution

This information only pertains to S3 buckets to which LiveRamp delivers data. It does not apply to S3 buckets that you might have LiveRamp retrieve files from. For more information about allowing LiveRamp to retrieve data from an S3 bucket, see "Allow LiveRamp to Access Your AWS S3 Bucket."

Note

See Amazon's Bucket Owner Granting Cross-Account Bucket Permissions example documentation for more information.

See the sections below for more information on these methods.

Follow the instructions below to authorize LiveRamp's user to deliver data to your bucket.

Caution

While we can deliver data files to an AWS S3 bucket via this method, we will not be able to send a taxonomy file. For this reason, if you receive taxonomy files as part of your deliveries, we recommend that you use one of the other available delivery methods (such as Create an IAM User for LiveRamp to Deliver Data to Your S3 Bucket) or check with your LiveRamp rep to see whether this method will work for your integration.

Caution

You will not create a user under your own account for LiveRamp to use, and no secret credentials are shared. If you'd prefer to create an IAM (Identity and Access Management) user under your own account and share the credentials with LiveRamp, follow the steps in the "Create an IAM User for LiveRamp to Deliver Data to Your S3 Bucket" section of this article.

  1. Provide your AWS administrator with the information listed below:

    • User ARN: arn:aws:iam::609251445204:user/lr-distribution

    • Required Permissions:

      Note

      The asterisk after a permission means that if AWS adds new API operations in the future, key administrators will automatically be allowed to perform all new API operations that begin with that permission action.

      • PutObject*

      • ListBucket

      • GetObject

      • AbortMultipartUpload

      • ListMultipartUploadParts

    Note

    See this sample JSON S3 bucket policy for more information (this policy might vary slightly based on the specifics of your implementation).

  2. If server-side encryption is required, provide your AWS administrator with the kms:actions listed below:

    • Encrypt

    • Decrypt

    • ReEncrypt*

    • DescribeKey

    • GenerateDataKey*

  3. Contact your LiveRamp representative and provide them with the information listed below:

    Note

    If you do not have a designated LiveRamp representative, create a case in the LiveRamp Community portal.

    • The S3 bucket name

    • If applicable, the path(s) in your S3 bucket where the files should be delivered (default is the root path)

    • The ACL (access control list) grant. The default is "BUCKET_OWNER_FULL_CONTROL", but we also support the options listed below:

      • "PRIVATE"

      • "PUBLIC_READ"

      • "PUBLIC_READ_WRITE"

      • "AUTHENTICATED_READ"

      • "BUCKET_OWNER_READ"

      • "BUCKET_OWNER_FULL_CONTROL"

      • "LOG_DELIVERY_WRITE"

    • If server-side encryption is required, the SSE key

Follow the instructions below to create an IAM user under your AWS account with the ability to deliver data to your bucket.

Caution

Don't want to share credentials? This will require sharing secret credentials with LiveRamp. If you'd prefer not to share secret credentials, you can authorize LiveRamp's user to deliver to your bucket. See the "Authorize LiveRamp's User to Deliver Data to Your AWS S3 Bucket" section of this article for more information.

  1. Provide your AWS administrator with the required permissions listed below:

    Note

    The asterisk after a permission means that if AWS adds new API operations in the future, key administrators will automatically be allowed to perform all new API operations that begin that permission action.

    • PutObject*

    • ListBucket

    • GetObject

    • AbortMultipartUpload

    • ListMultipartUploadParts

  2. If server-side encryption is required, provide your AWS administrator with the kms:actions listed below:

    • Encrypt

    • Decrypt

    • ReEncrypt*

    • DescribeKey

    • GenerateDataKey*

  3. Contact your LiveRamp representative and provide them with the information listed below:

    Note

    If you do not have a designated LiveRamp representative, create a case in the LiveRamp Community portal.

    • The User Access Key

    • The User Secret Key

    • The S3 bucket name

    • If applicable, the path(s) in your S3 bucket where the files should be delivered (default is the root path)

    • The ACL (access control list) grant. The default is "BUCKET_OWNER_FULL_CONTROL", but we also support the options listed below:

      • "PRIVATE"

      • "PUBLIC_READ"

      • "PUBLIC_READ_WRITE"

      • "AUTHENTICATED_READ"

      • "BUCKET_OWNER_READ"

      • "BUCKET_OWNER_FULL_CONTROL"

      • "LOG_DELIVERY_WRITE"

    • If Server-Side Encryption is required, the SSE key

  • Service Account and Private Key in JSON Format (refer to the documentation here)

  • Bucket

  • Optional: Root path (Default: idl/mapping)

Note

If you'd prefer not to share bucket credentials, LiveRamp can pursue a permissions-based approach to delivering to a Google Cloud bucket. Contact your LiveRamp representative to learn more.

Caution

While we can deliver data files to Azure blobs, we will not be able to send them a taxonomy file. For this reason, if you receive taxonomy files as part of your deliveries, we recommend using one of the other methods or checking with your LiveRamp rep to see whether this method will work for your integration.

  • Account Key

  • Account Name

  • Container Name

When sending over your credentials, secure them by GPG/PGP-encrypting your file with our Public Key.

Note

For integration partners: By default, LiveRamp will prompt for a "client name" when a new distribution is being established by a client. LiveRamp will incorporate this string into the delivery file path to help you distinguish deliveries. For example, if BrandX is distributing segments to your platform, they would enter “BrandX” when setting up the distribution. LiveRamp would deliver this data to the path “/BrandX/<data file>” in your storage location.