Cloud Storage Sync
Cloud Storage Sync enables automatic, scheduled synchronization of documents from external cloud storage services into your Progress Knowledge Box.
Supported Providers
Cloud Storage Sync supports the following external storage services:
- Google Drive (Authentication via OAuth)
- Microsoft SharePoint & OneDrive (Authentication via OAuth or Certificate credentials)
- Dropbox (Authentication via OAuth)
- AWS S3 (Authentication via Cross-account IAM Assume Role)
- ShareFile (Authentication via OAuth)
How it Works
Cloud Storage Sync lets you upload all files from your cloud storage into a Knowledge Box and keep them automatically synchronized over time. Once you set up a connection, the service will:
- Import your files: All files from the selected cloud storage location are uploaded into your Knowledge Box as NucliaDB resources.
- Keep everything in sync: The service periodically checks for changes. New files are added, modified files are updated, and (where supported) deleted files are removed — all automatically.
Initial vs. Incremental Sync
- Initial sync: The first time a sync runs, all files from your cloud storage are imported into your Knowledge Box.
- Incremental sync: On every subsequent run, only new or modified files are processed. Files that haven't changed are skipped, making syncs fast and efficient.
Deletion Handling
When a file is deleted from your cloud storage, whether it is automatically removed from your Knowledge Box depends on the provider:
| Provider | Automatic deletion |
|---|---|
| Google Drive | ✅ Yes |
| SharePoint/OneDrive | ✅ Yes |
| Dropbox | ✅ Yes |
| AWS S3 | ❌ No |
| ShareFile | ❌ No |
For providers that do not support automatic deletion, files removed from the source will remain in your Knowledge Box until you manually remove them.
Setup Guide
To set up synchronization with a cloud provider, follow the provider-specific instructions below.
Provider-Specific Configuration
Google Drive
Connect via standard OAuth 2.0. Follow the prompts to authorize Progress to read your Google Drive files.
Microsoft SharePoint & OneDrive
SharePoint and OneDrive connections can use standard OAuth or an Azure App's Certificate credentials.
OAuth
Follow the prompts to authorize Progress to read your SharePoint or OneDrive files. The OAuth flow uses the Sites.Selected scope, which means the connector can only access sites that have been explicitly granted to the Progress application. An admin or Site Owner must grant access to each specific SharePoint site you want to sync. See Step 5: Configure site-level access for details on how to do this.
Certificate Credentials
Certificate credentials use the app-only OAuth 2.0 client credentials flow (no user interaction). This requires an Azure App Registration with a certificate uploaded and the appropriate Application Permissions granted by an admin.
Step 1: Register an App in Azure
- Go to the Azure Portal and navigate to Microsoft Entra ID (formerly Azure Active Directory) > App registrations > New registration. For detailed instructions, see Register an application in Microsoft Entra ID.
- Give the app a name (e.g., "Progress Cloud Storage Sync") and register it.
- Once created, note the following values from the app's Overview page:
  - Application (client) ID: listed at the top of the Overview page.
  - Directory (tenant) ID: listed right below the Client ID on the same page.
Step 2: Generate a .pfx certificate
You can generate a self-signed certificate using openssl. Run the following commands in your terminal:
```bash
# Generate a private key and self-signed certificate (valid for 1 year)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=ProgressCloudStorageSync"

# Package the key and certificate into a .pfx file
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem
```
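You will be prompted to set an export password for the .pfx file. Remember this password, because you will need it when configuring the connection in Progress. Because the first command uses `-nodes`, `key.pem` is written to disk unencrypted; restrict access to it and remove it once it is no longer needed.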
Step 3: Upload the certificate to Azure
- In the Azure Portal, go to your App Registration > Certificates & secrets > Certificates tab.
- Click Upload certificate and select the `cert.pem` file generated above.
Step 4: Configure Application Permissions
- In your App Registration, go to API permissions > Add a permission > Microsoft Graph > Application permissions.
- Add the following permissions:
- Click Grant admin consent to activate the permissions.
Only a Global Administrator or Privileged Role Administrator can grant admin consent for Application permissions. A SharePoint Site Owner alone is not sufficient for this step.
Step 5: Configure site-level access (if using Sites.Selected)
If you chose Sites.Selected instead of Sites.Read.All, you must also grant the app explicit access to each SharePoint site. This is done via the Microsoft Graph API:
```bash
# Grant read access to a specific SharePoint site
curl -X POST "https://graph.microsoft.com/v1.0/sites/{site-id}/permissions" \
  -H "Authorization: Bearer {admin-access-token}" \
  -H "Content-Type: application/json" \
  -d '{
    "roles": ["read"],
    "grantedToIdentities": [{
      "application": {
        "id": "<YOUR_APP_CLIENT_ID>",
        "displayName": "Progress Cloud Storage Sync"
      }
    }]
  }'
```
Access control summary:
| Permission | Who can grant it | What the connector can see |
|---|---|---|
| Sites.Read.All | Global Admin | All files across all SharePoint site collections and OneDrive |
| Sites.Selected | Global Admin (consent) + Site Admin (per-site grant) | Only files in explicitly granted SharePoint sites |
Sites.Selected is recommended for least-privilege access — the connector will only see files in sites you explicitly authorize.
Step 6: Configure the connection in Progress
In the Progress interface, provide:
- Tenant ID and Client ID (from Step 1)
- The `.pfx` certificate file and its export password (from Step 2)
Dropbox
Connect via standard OAuth. Follow the prompts to authorize Progress to read your Dropbox files.
AWS S3
AWS S3 connections use cross-account IAM Assume Role instead of static access keys. The service assumes an IAM role in your AWS account to obtain temporary credentials for S3 access.
Step 1: Create an IAM Role in AWS
- Log in to your AWS account.
- In the IAM service, go to the Roles page and click Create role.
- Under Trusted entity type, select AWS account.
- Choose Another AWS account and enter the following IDs (shown in the Progress interface):
  - Account ID: (provided by Progress)
  - External ID: (provided by Progress)
- Skip the Add Permissions section by clicking Next.
- Enter the role name shown in the Progress interface.
- Click Create role.
Step 2: Add S3 permissions to the role
- Search for the newly created role in the IAM console.
- Click Add Permissions and choose Create inline policy.
- Select JSON format and insert the following policy (replace `your-s3-bucket-name` with your actual bucket name):

```json
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::your-s3-bucket-name",
      "Sid": "ListBucket"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::your-s3-bucket-name/*",
      "Sid": "GetObjects"
    }
  ],
  "Version": "2012-10-17"
}
```
- Set a policy name and click Create policy.
Step 3: Finalize the connection in Progress
Enter the ARN of the created role in the Progress interface to complete the setup.
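Once the role exists, it is worth checking that its trust policy is pinned to the Progress account and External ID and that the inline policy grants nothing beyond the two read actions above. The following is an added example, not Progress or AWS code; the account ID, External ID and the function names are placeholders chosen for illustration.

```python
# Placeholders (assumptions): use the IDs shown in the Progress interface and your own bucket.
ACCOUNT_ID, EXTERNAL_ID, BUCKET = "111122223333", "example-external-id", "your-s3-bucket-name"
ALLOWED = {"s3:ListBucket": "arn:aws:s3:::{b}", "s3:GetObject": "arn:aws:s3:::{b}/*"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust(policy, account_id=ACCOUNT_ID, external_id=EXTERNAL_ID):
    """Findings for the role's trust policy; an empty list means it passes."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        trusted = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if isinstance(principal, dict) and set(principal) - {"AWS"}:
            findings.append("principal type other than an AWS account")
        for p in trusted:
            if p not in (account_id, f"arn:aws:iam::{account_id}:root"):
                findings.append(f"unexpected principal: {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings

def audit_permissions(policy, bucket=BUCKET):
    """Findings for the inline policy: anything beyond the two read-only grants."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st.get("Action", [])):
            if action not in ALLOWED:
                findings.append(f"action beyond read-only sync: {action}")
                continue
            for res in as_list(st.get("Resource", [])):
                if res != ALLOWED[action].format(b=bucket):
                    findings.append(f"{action} on unexpected resource: {res}")
    return findings

# Constructed samples: a trust policy matching Step 1, then two overly broad variants.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
WEAK_TRUST = {"Statement": [{k: v for k, v in GOOD_TRUST["Statement"][0].items() if k != "Condition"}]}
WEAK_PERMS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
if __name__ == "__main__":
    print(audit_trust(WEAK_TRUST), audit_permissions(WEAK_PERMS))
```

The same functions accept the documents returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) and `aws iam get-role-policy` (the `PolicyDocument` field).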
ShareFile
Connect via standard OAuth. Follow the prompts to authorize Progress to read your ShareFile items.
Advanced Configuration
File Filtering
You can filter which files are synced based on name or path pattern matching.
- Mode: Choose between `include` (sync only matching files) or `exclude` (sync everything except matching files).
- Match rules: Filter by a list of `extensions` (e.g., `["pdf", "docx"]`) or specific `glob_patterns` applied to the file's relative path (e.g., `["docs/**/*.pdf"]`).
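A local dry run of a filter against a folder listing shows which files a rule would pull into the Knowledge Box before the sync is enabled. This is an added example, not the service's own matcher. It assumes that a file matches when its extension is listed or any glob matches, that `**/` spans zero or more directories, and that extensions compare case-insensitively; the function names and the file listing are constructed.

```python
import re
from pathlib import PurePosixPath

def glob_to_regex(pattern):
    """Assumed glob semantics: '**/' spans zero or more directories,
    while '*' and '?' never cross a '/'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append(r"(?:[^/]+/)*")
            i += 3
        elif pattern.startswith("**", i):
            out.append(r".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def would_sync(path, mode, extensions=(), glob_patterns=()):
    """Assumed rule: a file matches if its extension is listed OR any glob matches."""
    ext = PurePosixPath(path).suffix.lstrip(".").lower()
    matched = ext in {e.lower() for e in extensions} or any(
        glob_to_regex(g).match(path) for g in glob_patterns)
    return matched if mode == "include" else not matched

def preview(paths, mode, **rules):
    """Return the relative paths that the filter would sync."""
    return [p for p in paths if would_sync(p, mode, **rules)]

# Constructed listing of relative paths in a source folder.
LISTING = ["docs/guide.pdf", "docs/2024/q1/report.pdf", "docs/notes.txt",
           "hr/payroll.pdf", "finance/budget.docx"]

if __name__ == "__main__":
    print(preview(LISTING, "include", glob_patterns=["docs/**/*.pdf"]))
    print(preview(LISTING, "include", extensions=["pdf"]))  # also pulls in hr/payroll.pdf
    print(preview(LISTING, "exclude", extensions=["pdf", "docx"]))
```

In this listing the extension-only rule also selects `hr/payroll.pdf`, while the path-scoped glob keeps the sync inside `docs/`.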
Applying Labels
You can streamline classification by attaching specific NucliaDB classification labels to every resource created by a specific sync configuration. This requires designating the target labelset and the label value.
Modified Time Range
You can restrict synchronization to files whose last-modified timestamp falls within a specific time window (from / to bounds).
This filter also applies to deletions. If a provider reports a file as deleted, but the file's last-known modified time is outside the configured range, the deletion is skipped, and the resource is preserved in NucliaDB. If the provider does not expose a modified time on a deletion event (e.g., typical for Dropbox), the filter is ignored and the deletion always proceeds.