Authorize the S3 connector using an AWS IAM Role with an assume role policy.

When to use this method

  • When you need to separate permissions by granting targeted S3 access without altering your EC2 instance’s primary role
  • When temporary, frequently rotated credentials are required for S3 access, eliminating the need to manage long-lived access keys
  • When operating across multiple AWS accounts, allowing cross-account S3 access through role assumption

Setting up the IAM Role

  1. Create the S3 Access Role
    • In AWS Console, go to IAM › Roles and click Create role
    • For Trusted entity type, select Custom trust policy
    • In the Custom trust policy JSON editor, configure who can assume this role. You can choose from:
      • IAM Role: "AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YourExistingEC2Role"
      • AWS Service: "Service": "ec2.amazonaws.com" (for EC2 instances)
    Example for EC2 role (replace YOUR_AWS_ACCOUNT_ID and YourExistingEC2Role):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YourExistingEC2Role"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
    • Click Next
    • Attach AmazonS3ReadOnlyAccess policy or create a custom policy for specific buckets:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-source-bucket-name",
            "arn:aws:s3:::your-source-bucket-name/*"
          ]
        }
      ]
    }
    
    • Give the role a name (e.g., ASSISTAIS3AccessRole) and click Create role
    • Copy the Role ARN from the role summary page (e.g., arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_CREATED_ROLE_NAME)
  2. Grant AssumeRole to EC2 instance role
    • Go back to IAM > Roles and find your EC2 instance’s existing role
    • Click on the role and go to the Permissions tab
    • Click Add permissions > Create inline policy
    • Switch to JSON and add this policy (replace with your actual account ID and role name):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_CREATED_ROLE_NAME"
        }
      ]
    }
    
    • Name the policy (e.g., AllowAssumeASSISTAIS3Role) and click Create policy
Your EC2 instance will now use its existing instance profile to obtain temporary credentials for the ASSISTAIS3AccessRole, which can then securely communicate with your designated S3 buckets.
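
The three policy documents above only work together if their ARNs agree, so the following added example (not ASSIST AI or AWS code) checks them offline before you paste them into the console. The function names are hypothetical, the sample values reuse the page's placeholders, and matching is by exact string (wildcards in actions or ARNs are not expanded).

```python
def as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action):
    """Yield Allow statements that list `action` exactly (no wildcard expansion)."""
    for s in as_list(policy["Statement"]):
        if s.get("Effect") == "Allow" and action in as_list(s.get("Action", [])):
            yield s

def check_role_setup(trust, s3_policy, caller_policy, ec2_role, s3_role, bucket):
    """Return a list of problems; an empty list means the three documents agree."""
    problems = []
    # 1. Trust policy on the S3 access role must name the EC2 role as principal.
    principals = []
    for s in allows(trust, "sts:AssumeRole"):
        p = s.get("Principal", {})
        principals += ["*"] if p == "*" else as_list(p.get("AWS", []))
    if "*" in principals:
        problems.append("trust policy allows any principal")
    elif ec2_role not in principals:
        problems.append("trust policy does not name the EC2 role")
    # 2. Inline policy on the EC2 role must allow sts:AssumeRole on the new role.
    targets = [r for s in allows(caller_policy, "sts:AssumeRole")
               for r in as_list(s.get("Resource", []))]
    if "*" in targets:
        problems.append("EC2 role may assume any role")
    elif s3_role not in targets:
        problems.append("EC2 role may not assume the S3 access role")
    # 3. ListBucket applies to the bucket ARN, GetObject to the objects under it.
    arn = f"arn:aws:s3:::{bucket}"
    for action, needed in (("s3:ListBucket", arn), ("s3:GetObject", arn + "/*")):
        granted = [r for s in allows(s3_policy, action)
                   for r in as_list(s.get("Resource", []))]
        if needed not in granted:
            problems.append(f"{action} is not granted on {needed}")
    return problems

def policy(**stmt):  # helper that builds the constructed one-statement samples
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", **stmt}]}

# Constructed sample documents mirroring the page's JSON (placeholders kept as-is).
EC2_ROLE = "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YourExistingEC2Role"
S3_ROLE = "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_CREATED_ROLE_NAME"
BUCKET = "your-source-bucket-name"
TRUST = policy(Principal={"AWS": EC2_ROLE}, Action="sts:AssumeRole")
S3_POLICY = policy(Action=["s3:GetObject", "s3:ListBucket"],
                   Resource=[f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
CALLER = policy(Action="sts:AssumeRole", Resource=S3_ROLE)
if __name__ == "__main__":
    print(check_role_setup(TRUST, S3_POLICY, CALLER, EC2_ROLE, S3_ROLE, BUCKET))
```
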

Credential Entry in ASSIST AI

When setting up the S3 connector in ASSIST AI:
  1. Open the IAM Role tab: click on the IAM Role tab within the connector configuration.
  2. Enter Role ARN: enter the Role ARN you copied earlier (e.g., arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_CREATED_ROLE_NAME)
Once your IAM Role ARN is ready, refer back to the indexing steps in the overview to complete your S3 connector setup.