
# Amazon S3

In order to create an IAM role and a trust relationship, please read the [Role-Based AWS Credentials](/content/how-to-guides-1/setup/deploy-upsolver-on-aws/role-based-aws-credentials.md) documentation, and then use the following documentation to create the IAM policy with the required Amazon S3 permissions.

## Create an IAM policy with required Amazon S3 permissions

Upsolver requires the following permissions:

```
s3:GetBucketLocation 
s3:ListBucket 
s3:GetObject 
s3:GetObjectVersion
```

The following permissions are required to perform additional SQL actions:

| Permission        | SQL action                                                                      |
| ----------------- | ------------------------------------------------------------------------------- |
| `s3:PutObject`    | Write data to the target location using `COPY FROM`, `INSERT`, and `MERGE` jobs |
| `s3:DeleteObject` | Enable table retention to delete old data                                       |

When creating an Amazon S3 connection in Upsolver, you can include the `PATH_DISPLAY_FILTERS` property, which allows you to restrict the Amazon S3 paths that users can see in the Upsolver navigation tree. However, this does not limit the user’s ability to read and write objects; that is still managed by the permissions in the IAM role attached to the connection. This property is not to be used to restrict access to data.

If the `PATH_DISPLAY_FILTERS` property is omitted, Upsolver attempts to list all buckets in the account. The available buckets are listed in the Upsolver navigation tree to make it easier for users to discover datasets. For this to function correctly, Upsolver requires the IAM policy to include `s3:ListAllMyBuckets`.

If `PATH_DISPLAY_FILTERS` is included when creating the Amazon S3 connection, you do not need to add the `s3:ListAllMyBuckets` permission.

When creating the IAM policy, add the policy statements that allow Upsolver to access the data in your Amazon S3 location:

{% hint style="info" %}
Ensure you replace the `<BUCKET_1>`, `<BUCKET_2>`, and `<PREFIX>` placeholders with your actual bucket names and folder prefix name.
{% endhint %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_1>",
                "arn:aws:s3:::<BUCKET_2>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_1>/<PREFIX>/*",
                "arn:aws:s3:::<BUCKET_2>/<PREFIX>/*"
            ]
        }
    ]
}
```

The above policy allows the Upsolver job to **read and write** data to the listed buckets. In the case where a **read-only** connection is needed, you can use the following policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_1>",
                "arn:aws:s3:::<BUCKET_2>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_1>/<PREFIX>/*",
                "arn:aws:s3:::<BUCKET_2>/<PREFIX>/*"
            ]
        }
    ]
}
```

When you create an Amazon S3 connection using a read-only IAM role, as shown above, and include a `PATH_DISPLAY_FILTERS` property to limit which paths are discoverable in the Upsolver UI, you must also include the `READ_ONLY = TRUE` property. This tells Upsolver that the IAM permissions do not include `s3:PutObject` and to skip validation.
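A pre-flight check for the rules above, as an added example that is not Upsolver's code: it audits a policy document against the permissions this page lists and the `PATH_DISPLAY_FILTERS` / `READ_ONLY` settings planned for the connection. The `audit_policy` helper, its finding texts, and the `example-bucket` sample policy are assumptions constructed for illustration.

```python
import json

REQUIRED = {"s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"}
WRITE = {"s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"}
OBJECT_LEVEL = WRITE | {"s3:GetObject", "s3:GetObjectVersion"}

# Constructed sample policy (not from the page): read-only intent, with deliberate mistakes.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::example-bucket"]}
  ]
}""")

def _as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy, path_display_filters, read_only):
    """Hypothetical helper: return sorted findings for an S3 connection policy."""
    findings, granted = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        granted.update(actions)
        for action in actions:
            if "*" in action:
                findings.add(f"wildcard action {action}")
            for res in _as_list(stmt["Resource"]):
                # Object ARNs have a key part after the bucket name (bucket/key).
                if action in OBJECT_LEVEL and "/" not in res:
                    findings.add(f"{action} not scoped to an object path: {res}")
    findings.update(f"missing required action {a}" for a in REQUIRED - granted)
    has_list_all = "s3:ListAllMyBuckets" in granted
    if not path_display_filters and not has_list_all:
        findings.add("PATH_DISPLAY_FILTERS omitted but s3:ListAllMyBuckets not granted")
    if path_display_filters and has_list_all:
        findings.add("s3:ListAllMyBuckets not needed when PATH_DISPLAY_FILTERS is set")
    if read_only:
        findings.update(f"READ_ONLY connection but policy grants {a}" for a in WRITE & granted)
    elif path_display_filters and "s3:PutObject" not in granted:
        findings.add("no s3:PutObject: connection needs READ_ONLY = TRUE")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE, path_display_filters=True, read_only=True):
        print(finding)
```

Run it against the policy JSON before attaching it to the role; an empty list means the policy matches the page's requirements for the chosen connection settings.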

***

{% hint style="success" %}
**Learn More**

To learn more about setting permissions for Amazon S3, please read the [Policies and Permissions in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) guide from AWS.
{% endhint %}

