> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prequel.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Amazon S3

> Connect your S3 bucket as a source

By default, S3 authentication uses role-based access. You create an IAM role in your own AWS account that holds the read permissions described below, and our identity is granted permission to assume it. No long-lived credentials are shared, and you can revoke access at any time through your IAM settings.

## Step 1: configure AWS authentication

Choose the authentication method that fits your security policy.

<Tabs>
  <Tab title="IAM role (recommended)">
    <Steps>
      <Step title="Create an IAM policy">
        In the AWS IAM console, navigate to the **Policies** tab and click **Create policy**. Click the **JSON** tab and paste the following policy, replacing `BUCKET_NAME` with the name of the bucket you want to read from.

        ```json title="IAM policy" icon="brackets-curly" expandable theme={null}
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
                },
                {
                    "Effect": "Allow",
                    "Action": "s3:ListBucket",
                    "Resource": "arn:aws:s3:::BUCKET_NAME"
                }
            ]
        }
        ```

        <Note>
          If your S3 bucket uses KMS encryption (CMK), add the following statement to the `Statement` array to allow decryption with your KMS key. Replace `REGION_NAME`, `ACCOUNT_ID`, and `KEY_ID` with your values.

          ```json title="KMS decrypt statement" icon="brackets-curly" theme={null}
          {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:REGION_NAME:ACCOUNT_ID:key/KEY_ID"
          }
          ```
        </Note>

        Name the policy, add a description, and click **Create policy**.
      </Step>

      <Step title="Create an IAM role">
        In the AWS IAM console, navigate to the **Roles** tab and click **Create role**. Select **Custom trust policy** and paste the trust policy below to allow our identity to assume the role. Reach out to your account representative for the value of `<some_service_account_identifier>`.

        ```json title="Trust policy" icon="brackets-curly" expandable theme={null}
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "sts:AssumeRoleWithWebIdentity"
              ],
              "Principal": {
                "Federated": "accounts.google.com"
              },
              "Condition": {
                "StringEquals": {
                  "accounts.google.com:sub": "<some_service_account_identifier>"
                }
              }
            }
          ]
        }
        ```

        Click **Next**, attach the permissions policy you created in the previous step, enter a **Role name**, for example, `source-s3`, and click **Create role**.
      </Step>

      <Step title="Note the role ARN">
        Once the role is created, search for it in the Roles list, click the role name, and make a note of its **ARN** (for example, `arn:aws:iam::123456789012:role/source-s3`). You will provide this ARN in Step 2.
      </Step>
    </Steps>
  </Tab>

  <Tab title="AWS access keys">
    <Steps>
      <Step title="Create an IAM user">
        In the AWS IAM console, navigate to the **Users** tab and click **Add users**. Enter a **User name** for the service, for example, `source-service`, and select programmatic access.
      </Step>

      <Step title="Attach the policy">
        Attach the read policy described in the IAM role tab (`s3:GetObject` and `s3:ListBucket` on the target bucket) directly to the user.
      </Step>

      <Step title="Generate access keys">
        Generate an access key pair for the user and make a note of the **access key ID** and the **secret access key**. You will provide these values in Step 2.
      </Step>
    </Steps>
  </Tab>
</Tabs>

<Note>
  If your bucket policy restricts access by IP, allow the static IP so we can reach the bucket. Reach out to your account representative for the static IP address to use.
</Note>

## Step 2: submit your connection details

Provide the following details to complete the source setup:

1. The **name** is a descriptive name of the source.
2. The **bucket name** of the bucket you want to read from.
3. The **AWS region** the bucket is hosted in.
4. The authentication credentials from Step 1:
   * If using an **IAM role**: the **role ARN**.
   * If using **AWS access keys**: the **access key ID** and the **secret access key**.
