Skip to main content

Amazon S3 Vectors Engine

🎓 Learn how it works with the Amazon S3 Vectors with Spice engineering blog post.

Amazon S3 Vectors, announced in public preview at AWS Summit New York 2025, is a new S3 bucket type designed for storing and querying vector embeddings at scale. It supports billions of vectors with sub-second similarity queries, reducing costs by up to 90% compared to traditional vector databases by separating storage from compute. Spice AI integrates S3 Vectors as a vector index backend, managing embedding indexing, lifecycle, and queries for hybrid search experiences.

To use Amazon S3 Vectors as a Vector Engine, specify s3_vectors as the engine, and configure the associated location and AWS credentials.

datasets:
- from: spice.ai:dataset.with.embeddings
name: my_dataset
vectors:
enabled: true
engine: s3_vectors
params:
s3_vectors_bucket: my-s3-vector-bucket
columns:
- name: 'body'
embeddings:
- from: bedrock_titan

embeddings:
- name: bedrock_titan
# ... Define an embedding model to use.

Parameters​

ParameterDescriptionExample Value
s3_vectors_arnThe S3 vectors index to use. Incompatible with s3_vectors_bucket and s3_vectors_index.arn:aws:s3vectors:123456654321/bucket/a-bucket/index/index-of-important-embeddings
s3_vectors_aws_access_key_idOptional. The access key ID for the S3 vectors index. If not specified, credentials will be loaded from the environment.-
s3_vectors_aws_regionThe AWS region for the S3 vectors index.us-east-1
s3_vectors_aws_secret_access_keyOptional. The secret access key for the S3 vectors index. If not specified, credentials will be loaded from the environment.-
s3_vectors_aws_session_tokenOptional. Session token for the S3 vectors index.-
s3_vectors_bucketThe S3 vectors bucket to use. If s3_vectors_index is not specified, an index will be created based on the underlying embedding column. Incompatible with s3_vectors_arna-bucket
s3_vectors_indexThe name of the s3 vectors index to use or create. Incompatible with s3_vectors_arn.index-of-important-embeddings
Limitations
  • s3_vectors_index and s3_vectors_arn specify a single index for the dataset and therefore should not be used with a dataset containing more than one embedding column.
  • S3 Vectors uses approximate nearest neighbor (ANN) algorithms for performance, providing probabilistically closest results.

Overview​

Amazon S3 Vectors exposes two core operations: upsert vectors (assign a vector to a key with optional metadata) and vector similarity queries (find closest vectors by metrics like cosine or Euclidean distance). It stores vectors durably in S3 and executes queries on transient compute, avoiding always-on servers. This enables petabyte-scale storage at low cost, ideal for semantic search, recommendations, and RAG in AI applications.

Configuration​

Annotate dataset schemas to specify columns for embedding and models. Spice supports local or hosted models like Amazon Titan Embeddings. When data ingests, Spice generates embeddings and stores them in the configured S3 Vectors index. Spice handles index creation, updates, and synchronization with data changes.

Example with AWS Titan model:

datasets:
- from: oracle:"CUSTOMER_REVIEWS"
name: reviews
vectors:
enabled: true
engine: s3_vectors
params:
s3_vectors_bucket: my-s3-vector-bucket
columns:
- name: body
embeddings:
from: bedrock_titan

embeddings:
- from: bedrock:amazon.titan-embed-text-v2:0
name: bedrock_titan
params:
aws_region: us-east-2
dimensions: '256'

Querying​

Perform vector searches via HTTP API or SQL table-valued function vector_search(dataset, query).

HTTP example:

curl -X POST http://localhost:8090/v1/search \
-H "Content-Type: application/json" \
-d '{
"datasets": ["reviews"],
"text": "issues with same day shipping",
"additional_columns": ["rating", "customer_id"],
"where": "created_at >= now() - INTERVAL '7 days'",
"limit": 2
}'

SQL example:

SELECT review_id, rating, customer_id, body, score
FROM vector_search(reviews, 'issues with same day shipping')
WHERE created_at >= to_unixtime(now() - INTERVAL '7 days')
ORDER BY score DESC
LIMIT 2;

Results include matching snippets, additional fields, primary keys, scores, and dataset names.

Managing Embeddings​

Spice manages the vector lifecycle: embedding data on ingestion, upserting to S3 Vectors with primary keys as identifiers, and handling updates/deletions. Vectors can be pre-stored in S3 for scalability, avoiding memory limits in accelerators or slow just-in-time computations.

Query Execution​

Spice pushes similarity computations to S3 Vectors, retrieving top matches as (id, score) pairs. These form a temporary table joinable with the dataset for full records, reducing processing to candidates only.

Handling Filters​

Mark columns as filterable metadata to push filters into S3 Vectors queries:

columns:
- name: created_at
metadata:
vectors: filterable

This ensures results respect constraints like time ranges during similarity search.

Optimizations​

Store non-filterable columns as metadata to avoid joins:

columns:
- name: rating
metadata:
vectors: non-filterable

Queries can then retrieve all needed data directly from the index, improving latency for read-heavy workloads.

Advanced Features​

Spice supports hybrid search (vector + full-text via BM25, merged with RRF), multi-vector queries (weighting columns), and re-ranking (e.g., keyword first-pass then vector on candidates). Compose via SQL CTEs and joins.

Hybrid RRF example:

WITH
vector_results AS (
SELECT review_id, RANK() OVER (ORDER BY score DESC) AS vector_rank
FROM vector_search(reviews, 'issues with same day shipping')
),
text_results AS (
SELECT review_id, RANK() OVER (ORDER BY score DESC) AS text_rank
FROM text_search(reviews, 'issues with same day shipping')
)
SELECT
COALESCE(v.review_id, t.review_id) AS review_id,
(1.0 / (60 + COALESCE(v.vector_rank, 1000)) +
1.0 / (60 + COALESCE(t.text_rank, 1000))) AS fused_score
FROM vector_results v
FULL OUTER JOIN text_results t ON v.review_id = t.review_id
ORDER BY fused_score DESC
LIMIT 50;

Multi-column example (weighting title higher):

WITH
body_results AS (
SELECT review_id, score AS body_score
FROM vector_search(reviews, 'issues with same day shipping', col => 'body')
),
title_results AS (
SELECT review_id, score AS title_score
FROM vector_search(reviews, 'issues with same day shipping', col => 'title')
)
SELECT
COALESCE(body.review_id, title.review_id) AS review_id,
COALESCE(body_score, 0) + 2.0 * COALESCE(title_score, 0) AS combined_score
FROM body_results
FULL OUTER JOIN title_results ON body_results.review_id = title_results.review_id
ORDER BY combined_score DESC
LIMIT 5;

Authentication​

If AWS credentials are not explicitly provided in the configuration, the connector will automatically load credentials from the following sources in order.

  1. Environment Variables:

    • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
    • AWS_SESSION_TOKEN (if using temporary credentials)
  2. Shared AWS Config/Credentials Files:

    • Config file: ~/.aws/config (Linux/Mac) or %UserProfile%\.aws\config (Windows)

    • Credentials file: ~/.aws/credentials (Linux/Mac) or %UserProfile%\.aws\credentials (Windows)

    • The AWS_PROFILE environment variable can be used to specify a named profile, otherwise the [default] profile is used.

    • Supports both static credentials and SSO sessions

    • Example credentials file:

      # Static credentials
      [default]
      aws_access_key_id = YOUR_ACCESS_KEY
      aws_secret_access_key = YOUR_SECRET_KEY

      # SSO profile
      [profile sso-profile]
      sso_start_url = https://my-sso-portal.awsapps.com/start
      sso_region = us-west-2
      sso_account_id = 123456789012
      sso_role_name = MyRole
      region = us-west-2
    tip

    To set up SSO authentication:

    1. Run aws configure sso to configure a new SSO profile
    2. Use the profile by setting AWS_PROFILE=sso-profile
    3. Run aws sso login --profile sso-profile to start a new SSO session
  3. AWS STS Web Identity Token Credentials:

    • Used primarily with OpenID Connect (OIDC) and OAuth
    • Common in Kubernetes environments using IAM roles for service accounts (IRSA)
  4. ECS Container Credentials:

    • Used when running in Amazon ECS containers
    • Automatically uses the task's IAM role
    • Retrieved from the ECS credential provider endpoint
    • Relies on the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI which are automatically injected by ECS.
  5. AWS EC2 Instance Metadata Service (IMDSv2):

    • Used when running on EC2 instances.
    • Automatically uses the instance's IAM role.
    • Retrieved securely using IMDSv2.

The connector will try each source in order until valid credentials are found. If no valid credentials are found, an authentication error will be returned.

IAM Permissions

Regardless of the credential source, the IAM role or user must have appropriate S3 Vectors permissions (e.g., s3vectors:QueryVectors, s3vectors:GetVectors) to access the vectors. If the Spicepod connects to multiple different AWS services, the permissions should cover all of them.

Required IAM Permissions​

The IAM role or user needs the following minimum permissions to access S3 Vectors:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowApplicationVectorAccess",
"Effect": "Allow",
"Action": [
"s3vectors:QueryVectors",
"s3vectors:GetIndex",
"s3vectors:PutVectors",
"s3vectors:ListVectors"
],
"Resource": [
"arn:aws:s3vectors:aws-region:123456789012:bucket/amzn-s3-demo-vector-bucket/index/*",
]
},
{
"Sid": "AllowGetVectorBucket",
"Effect": "Allow",
"Action": "s3vectors:GetVectorBucket",
"Resource": "arn:aws:s3vectors:aws-region:123456789012:bucket/*"
},
{
"Sid": "AllowCreateVectorBucket",
"Effect": "Allow",
"Action": "s3vectors:CreateVectorBucket",
"Resource": "arn:aws:s3vectors:aws-region:123456789012:bucket/*"
},
{
"Sid": "AllowCreateVectorBucketIndex",
"Effect": "Allow",
"Action": "s3vectors:CreateIndex",
"Resource": "arn:aws:s3vectors:aws-region:123456789012:bucket/amzn-s3-demo-vector-bucket/index/*"
}
]
}

Permission Details​

PermissionPurpose
s3vectors:GetIndexRequired. Used to verify if the index already exists or needs to be created.
s3vectors:GetVectorBucketRequired. Used to verify if the vector bucket already exists or needs to be created.
s3vectors:ListVectorsRequired. Used to populate the *_embeddings column on vector tables in Spice.
s3vectors:PutVectorsRequired. Used to populate the vector index with Spice-computed embeddings.
s3vectors:QueryVectorsRequired. Used to query for vectors using the vector_search table function.
s3vectors:CreateIndexOptional. Spice can automatically create indexes if this permission is given.
s3vectors:CreateVectorBucketOptional. Spice can automatically create the vector bucket if this permission is given.

Cookbook​

  • A cookbook recipe to configure a dataset with an S3 vectors engine in Spice. S3 Vectors engine

References​