Zoho Creator gives you a low-code platform for building custom business applications, but its built-in file storage has limits. For teams handling thousands of documents, contracts, images, or compliance records, those limits surface quickly. A Zoho Creator and AWS S3 integration solves this by offloading file storage to Amazon’s virtually unlimited object storage while keeping your Creator app as the user interface. This guide walks through building a document management application in Zoho Creator that uploads files to AWS S3 using Deluge’s invokeurl task, generates pre-signed URLs for secure downloads, implements folder structures, and handles file versioning. By the end, you will have a production-grade system that combines Creator’s rapid app development with S3’s durability and scale.
Zoho Creator allocates storage based on your plan tier, typically between 1 GB and 25 GB for most subscriptions. For a document management app processing hundreds of files per week, that ceiling creates operational risk. AWS S3 offers 99.999999999% (11 nines) durability, meaning the statistical probability of losing a stored object is nearly zero. The cost model is pay-per-use: roughly $0.023 per GB per month for S3 Standard, dropping to $0.004 per GB for Infrequent Access.
Beyond raw storage, S3 provides built-in versioning, lifecycle policies that automatically transition old files to cheaper storage classes, and server-side encryption at rest. These features make it a natural fit for regulated industries where document retention and audit trails are mandatory. Combining this with Zoho Creator’s low-code app builder gives you a front end that non-technical users can navigate while keeping enterprise-grade storage infrastructure underneath.
The integration follows a three-layer pattern. Zoho Creator serves as the presentation and logic layer, where users interact with forms, views, and reports. Deluge, Creator’s scripting language, handles business logic including file validation, metadata extraction, and API calls. AWS S3 acts as the storage layer, receiving files via authenticated REST API requests.
The data flow works like this: a user uploads a file through a Creator form. A Deluge workflow script captures the file, constructs the required AWS Signature V4 authentication headers, and sends the file to a designated S3 bucket using invokeurl. The S3 object key (file path) is stored back in a Creator field along with metadata like file size, upload timestamp, and version number. When a user requests the file, another Deluge script generates a time-limited pre-signed URL and returns it to the browser.
Before writing any Deluge code, configure the S3 side. Create a dedicated bucket with a clear naming convention such as company-docs-prod. Enable versioning on the bucket from the Properties tab, this ensures every overwrite creates a new version rather than replacing the original. Enable default encryption using SSE-S3 or SSE-KMS depending on your compliance requirements.
Create an IAM user specifically for this integration. Attach a policy that grants only the permissions your Creator app needs:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::company-docs-prod",
"arn:aws:s3:::company-docs-prod/*"
]
}
]
}Generate an access key and secret key for this IAM user. Store these in a Creator form configured as a settings table (one record, restricted to admin access) rather than hardcoding them in scripts. This approach lets you rotate credentials without modifying code.
AWS requires every API request to carry a Signature V4 authentication header. This involves creating a canonical request, deriving a signing key from your secret, and computing an HMAC-SHA256 signature. Deluge does not have native HMAC functions, so the practical approach is to use an intermediary: either an API gateway or webhook endpoint that handles signing, or a lightweight AWS Lambda function that generates pre-signed URLs on demand.
Deploy a small Lambda function (Node.js or Python) behind an API Gateway endpoint. The function accepts a file name, content type, and folder path, then returns a pre-signed PUT URL valid for 5 minutes. Your Deluge script calls this endpoint, gets the URL, and uploads directly:
// Deluge: Get pre-signed upload URL from Lambda
payload = Map();
payload.put("fileName", input.file_name);
payload.put("contentType", "application/pdf");
payload.put("folder", input.department + "/" + input.year);
response = invokeurl
[
url: "https://your-api-id.execute-api.us-east-1.amazonaws.com/prod/get-upload-url"
type: POST
parameters: payload.toString()
headers: {"Content-Type": "application/json", "x-api-key": api_key}
];
upload_url = response.get("uploadUrl");
object_key = response.get("objectKey");If your team prefers a no-code path, Zoho Flow can bridge Creator and S3 using its built-in Amazon S3 connector. Configure a Flow that triggers when a new record is created in your Creator document form, extracts the file, and pushes it to S3. This eliminates Signature V4 complexity entirely but adds a dependency on Flow’s execution limits and introduces slight latency.
Create a new Zoho Creator application with three core forms: Documents (the main file registry), Folders (organizing hierarchy), and Settings (AWS credentials and configuration).
| Field Name | Type | Purpose |
|---|---|---|
| File_Upload | File Upload | Accepts the user’s file (max 50 MB in Creator) |
| Folder | Lookup | Links to Folders form for organization |
| S3_Object_Key | Single Line | Stores the full S3 path after upload |
| S3_Version_ID | Single Line | Tracks the S3 version identifier |
| File_Size_KB | Number | Recorded at upload for reporting |
| Upload_Timestamp | Date-Time | Auto-set on record creation |
| Download_URL | URL | Populated on demand with pre-signed URL |
| Description | Multi Line | User-entered file description |
| Tags | Multi Select | Categorization for search and filtering |
Mirror your S3 key structure to your Creator folder hierarchy. A common pattern uses /{department}/{year}/{month}/ as the prefix. For example, a finance invoice uploaded in March 2026 would have the S3 key finance/2026/03/invoice-00451.pdf. This structure maps directly to S3’s prefix-based listing, making bulk operations and lifecycle policies straightforward.
In the Folders form, include fields for Department, Parent_Folder (self-lookup for nesting), and S3_Prefix (auto-computed). A workflow on the Folders form concatenates the hierarchy into the S3 prefix whenever a folder is created or moved.
The upload workflow fires on the Documents form’s successful submission. It reads the file from the upload field, calls your Lambda endpoint for a pre-signed URL, and sends the file to S3.
// Deluge: Document upload workflow
file = input.File_Upload;
folder_prefix = input.Folder.S3_Prefix;
timestamp = zoho.currenttime.toString("yyyyMMdd_HHmmss");
object_key = folder_prefix + timestamp + "_" + input.File_Upload.getFileName();
// Get pre-signed URL
params = Map();
params.put("fileName", object_key);
params.put("contentType", file.getFileType());
sign_response = invokeurl
[
url: settings_record.Lambda_Endpoint
type: POST
parameters: params.toString()
headers: {"Content-Type":"application/json","x-api-key":settings_record.API_Key}
];
presigned_url = sign_response.get("uploadUrl");
// Upload file to S3
upload_response = invokeurl
[
url: presigned_url
type: PUT
files: file
headers: {"Content-Type": file.getFileType()}
];
// Store metadata back in Creator
input.S3_Object_Key = object_key;
input.S3_Version_ID = sign_response.get("versionId");
input.File_Size_KB = file.getFileSize() / 1024;
input.Upload_Timestamp = zoho.currenttime;Note the 5 MB limit on Deluge’s invokeurl for file transfers. For files exceeding this, implement a client-side upload pattern: return the pre-signed URL to the user’s browser and let the browser upload directly to S3, bypassing Deluge’s file size constraint entirely.
Pre-signed URLs grant temporary, scoped access to a specific S3 object without exposing your AWS credentials. When a user clicks “Download” on a document record, a Deluge script calls your Lambda function with the object key and desired expiry time, then returns the URL.
// Deluge: Generate download URL
params = Map();
params.put("objectKey", input.S3_Object_Key);
params.put("expiresIn", 300); // 5 minutes
dl_response = invokeurl
[
url: settings_record.Lambda_Endpoint + "/download"
type: POST
parameters: params.toString()
headers: {"Content-Type":"application/json","x-api-key":settings_record.API_Key}
];
download_url = dl_response.get("downloadUrl");
openUrl(download_url, "same window");Set expiry times as short as practical. Five minutes is sufficient for an immediate download. For shared links sent via email or digital signature workflows, you might extend to 24 hours but never longer than 7 days (the S3 maximum).
With S3 versioning enabled, every PUT to the same key creates a new version. Your Lambda function can return the version ID with each upload, which you store in Creator’s S3_Version_ID field. To display version history, create a subform or related list that records each upload event: version ID, timestamp, uploading user, and file size.
For restoring previous versions, call the S3 GetObject API with a specific versionId parameter. Your Lambda function handles this by generating a pre-signed URL that includes the version ID in the request. This gives users the ability to browse and restore any previous version directly from the Creator interface, a critical feature for compliance-driven team document management.
Configure S3 lifecycle rules to manage storage costs automatically. A common policy transitions objects to S3 Infrequent Access after 90 days and to S3 Glacier after 365 days. Delete non-current versions after 180 days unless regulatory requirements demand longer retention. These rules run at the bucket or prefix level, which is why a well-designed folder structure matters.
Production deployments need fault tolerance. Wrap every invokeurl call in try-catch blocks and log failures to a Creator error log form. Common failure modes include expired pre-signed URLs (if the user took too long), network timeouts (Deluge’s 40-second limit), and file size violations.
// Deluge: Error handling wrapper
try
{
upload_response = invokeurl
[
url: presigned_url
type: PUT
files: file
headers: {"Content-Type": file.getFileType()}
];
if(upload_response.getStatusCode() != 200)
{
// Log error
insert into Error_Log
[
Timestamp = zoho.currenttime
Operation = "S3 Upload"
Status_Code = upload_response.getStatusCode()
Details = upload_response.toString()
Document_ID = input.ID
];
alert("Upload failed. The operations team has been notified.");
}
}
catch(e)
{
sendmail
[
from: zoho.adminuserid
to: "ops-alerts@company.com"
subject: "S3 Upload Failure - Doc ID: " + input.ID
message: e.toString()
];
}Before going live, test these scenarios: single file upload under 5 MB, file upload at exactly 5 MB, attempted upload over 5 MB (should trigger client-side fallback), concurrent uploads from multiple users, pre-signed URL expiry behavior, version restoration, and folder path generation with special characters. Use a staging S3 bucket with its own IAM credentials to isolate test data from production.
For teams already using Zoho CRM with external integrations, this pattern extends naturally. CRM deal records can link to Creator’s document repository, giving sales teams access to contracts and proposals stored in S3 without leaving their CRM workflow. The same Lambda endpoint serves both applications.
Monitor ongoing costs using AWS Cost Explorer filtered by the S3 bucket. Set billing alerts at thresholds that make sense for your document volume. For reference, storing 100 GB on S3 Standard costs approximately $2.30 per month, making it orders of magnitude cheaper than most SaaS document management platforms.
Can Zoho Creator upload files directly to AWS S3 without a Lambda function?
Technically yes, but it requires computing AWS Signature V4 headers in Deluge, which lacks native HMAC-SHA256 functions. The Lambda approach is more practical and maintainable. Alternatively, Zoho Flow’s built-in S3 connector handles the authentication automatically for no-code setups.
What is the maximum file size Deluge invokeurl can handle?
Deluge’s invokeurl task supports file transfers up to 5 MB. For larger files, generate a pre-signed URL in Deluge and return it to the client browser, letting the browser upload directly to S3 without the 5 MB constraint. This client-side pattern supports files up to S3’s 5 GB single-PUT limit.
How long can an S3 pre-signed URL remain valid?
Pre-signed URLs generated with IAM user credentials can be valid for up to 7 days (604,800 seconds). URLs generated with temporary STS credentials are limited to the session duration, typically 1 to 12 hours. For document downloads, 5 to 15 minutes is recommended to minimize exposure.
Does S3 versioning increase storage costs?
Yes, each version is stored as a separate object and billed at standard rates. Use lifecycle policies to delete non-current versions after a defined retention period (such as 180 days) to control costs. You can also transition older versions to cheaper storage classes like S3 Glacier.
Can this integration work with Zoho Creator’s free plan?
Zoho Creator’s free plan has limited Deluge API call quotas and restricted workflow capabilities. For a production document management system with regular S3 uploads, the Professional or Enterprise plan is necessary to get sufficient API call limits and workflow triggers.
Aaxonix builds custom Zoho Creator applications integrated with AWS services, including S3 storage backends, Lambda functions, and automated document workflows. Book a free consultation to get an architecture review of your document management requirements and a scoped implementation plan.
Book a free consultationA Zoho Creator and AWS S3 integration turns Creator from a simple form builder into a full document management platform backed by enterprise cloud storage. The combination of Creator’s rapid UI development, Deluge’s automation capabilities, and S3’s durability gives mid-market teams a system that scales from hundreds to millions of documents without re-architecture. Start with a single department’s document workflow as a pilot, validate the upload and retrieval patterns, then expand across the organization as the system proves itself.
On this page Implementing a CRM is one of the most impactful decisions a growing…
Connect Zoho Desk with Slack for real-time ticket alerts, SLA breach escalations, channel-per-department routing, and…
On this page NetSuite demand planning inventory forecasting becomes operationally necessary when a business crosses…
Our team builds systems that actually work. No fluff, just honest architecture and clean implementation.