> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tryassist.in/llms.txt
> Use this file to discover all available pages before exploring further.

# S3 IAM Role

Authorize the S3 connector using an AWS IAM Role with an assume role policy.

## When to use this method

* When you need to separate permissions by granting targeted S3 access without altering your EC2 instance's primary role
* When temporary, frequently rotated credentials are required for S3 access, eliminating the need to manage long-lived access keys
* When operating across multiple AWS accounts, allowing cross-account S3 access through role assumption

## Setting up the IAM Role

1. **Create the S3 Access Role**
   * In AWS Console, go to **IAM › Roles** and click **Create role**
   * For **Trusted entity type**, select **Custom trust policy**
   * In the Custom trust policy JSON editor, configure who can assume this role. You can choose from:
   * **IAM Role**: `"AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YourExistingEC2Role"`
   * **AWS Service**: `"Service": "ec2.amazonaws.com"` (for EC2 instances)
     Example for EC2 role (replace `YOUR_AWS_ACCOUNT_ID` and `YourExistingEC2Role`):
   ```text theme={null}
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YourExistingEC2Role"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```
   * Click **Next**
   * Attach **AmazonS3ReadOnlyAccess** policy or create a custom policy for specific buckets:
   ```text theme={null}
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:GetObject",
           "s3:ListBucket"
         ],
         "Resource": [
           "arn:aws:s3:::your-source-bucket-name",
           "arn:aws:s3:::your-source-bucket-name/*"
         ]
       }
     ]
   }
   ```
   * Give the role a name (e.g., `ASSISTAIS3AccessRole`) and click **Create role**
   * Copy the **Role ARN** from the role summary page (e.g., `arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_CREATED_ROLE_NAME`)
2. **Grant AssumeRole to EC2 instance role**
   * Go back to **IAM > Roles** and find your EC2 instance’s existing role
   * Click on the role and go to the **Permissions** tab
   * Click **Add permissions > Create inline policy**
   * Switch to JSON and add this policy (replace with your actual account ID and role name):
   ```text theme={null}
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_CREATED_ROLE_NAME"
       }
     ]
   }
   ```
   * Name the policy (eg - `AllowAssumeASSISTAIS3Role`) and click **Create policy**

Your EC2 instance will now use its existing instance profile to obtain temporary credentials for the ASSISTAIS3AccessRole, which can then securely communicate with your designated S3 buckets.

## Credential Entry in ASSIST AI

When setting up the S3 connector in ASSIST AI:

1. **Open the IAM Role tab**
   Click on the IAM Role tab within the connector configuration.
2. **Enter Role ARN**
   Enter the **Role ARN** you copied earlier (e.g., `arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_CREATED_ROLE_NAME`)

Once your IAM Role ARN is ready, refer back to the indexing steps in the overview to complete your S3 connector setup.
