> For the complete documentation index, see [llms.txt](https://upsolver.gitbook.io/content/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://upsolver.gitbook.io/content/how-to-guides-1/setup/deploy-upsolver-on-aws/role-based-aws-credentials.md).

# Role-Based AWS Credentials

Upsolver connections store access credentials such as IAM roles, access and secret keys, and connection strings. Connection objects are managed by administrators and referenced by users when creating data processing jobs. Connections are a simple and secure way to authenticate access to resources without the need to pass around sensitive credentials.

The bird's-eye view of the authentication scheme is using IAM roles, linked to your intended policy,  with a trust relationship that contains an external id. Then, using that role and external id you can create Upsolver connections. If you would like to expand on IAM roles, you can find the AWS documentation [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).

The steps to manage credentials in Upsolver using AWS roles are: 

1. Create an IAM policy with required permissions 
2. Create an IAM role

## 1. Create an IAM policy with required permissions 

The connection you create in Upsolver allows you to manage the credentials needed to list, read, write, and delete objects. It is up to you to determine which specific permissions you need when developing your Upsolver jobs.

The following instructions describe how to create an IAM policy and add the necessary permissions to allow Upsolver to access your data.

1. Log into the **AWS Management Console**.
2. On the dashboard, search for IAM and select Identity & Access Management (**IAM**):

<figure><img src="https://lh3.googleusercontent.com/KGLeFNHjHDLJw1_2YNamgPk5cZoY6w5CbGZ0ezja1bAT3ryKhw-CK7aQI88acRpEvoiZ3zWTTUMka6mlYHQvN2rpt7KmLbaAtVPadG6rGu2vdEh-Ye9PZYx2_VIiDtrjRuYBNLjLtM_NtFX5YAWS-q3caqEWQ3ukaKmXUD_xVPaDFbCZ7UcUngDTv2x2" alt=""><figcaption></figcaption></figure>

3. Choose **Account Settings** from the menu on the left-hand side.
4. Expand the **Security Token Service Regions** list, find the AWS region corresponding to the region where your account resides, and choose **Activate** if it is **Inactive**.&#x20;
5. Choose **Policies** from the menu on the left-hand side, and click **Create Policy**.
6. Click the **JSON** tab:

<figure><img src="https://lh6.googleusercontent.com/Ciuh8rNyjhfZpnbhBiw7tkrnJvvHmkqXz11kAvpGgGuwF4Vs1UkpjiRQJ2OvunMklnIP5SLIz86sPXrj_Q8r1110pt4jMN1MPVXPEZn_bMW-wkfn89-11UAIgCW2TVUjxxa0G9gweLfBZHH5Apd6lBTeTP05JTdq34_IFvKqkwUAKs7ixWY6CHXC8iWV" alt=""><figcaption></figcaption></figure>

7. Add the policy statement that allows Upsolver to access your data. You can find an Amazon S3 example [here](/content/how-to-guides-1/connectors/configure-access/amazon-s3.md).
8. Click **Review Policy**.
9. Enter the name and description of the policy and click **Create Policy.**

## 2. Create an IAM role

In the AWS IAM Console, create an IAM role that grants access to the data.

1. From the IAM Console, select **Roles** from the menu on the left-hand side.&#x20;
2. Click **Create Role**.
3. Select **Custom trust policy** as the **Trusted Identity Type**.
4. From Upsolver's Security Information page, you can copy the trusted entity that Upsolver assigned to your organization and paste it here:

<figure><img src="/files/HyOkH1noChIOdvRrYM64" alt=""><figcaption></figcaption></figure>

Here is a trusted entity example:

```json
{
	"Version": "2012-10-17",
	"Statement": [
    	{
        	"Effect": "Allow",
        	"Principal": {
            	"AWS": "arn:aws:iam::428641199958:role/upsolver-role-355e3b5f-960d-406b-afa7-12f4fd8327eb"
        	},
        	"Action": "sts:AssumeRole",
        	"Condition": {
            	"StringEquals": {
                	"sts:ExternalId": "GTWKRE6K"
            	}
        	}
    	}
	]
}

```

{% hint style="success" %}
You have now updated the IAM role trust policy to allow a specific Upsolver role to assume and use these permissions to access data in your AWS account.
{% endhint %}

{% hint style="info" %}
Note: The IAM role configured in the trust policy is auto-generated and attached to your Upsolver organization. Only your organization is allowed to assume your role and access data in your AWS account.
{% endhint %}

5. Click **Next**.
6. Locate the policy you created in [Step 1](#1.-create-an-iam-policy-with-required-permissions) and add it to the role.
7. Click **Next**.
8. Enter the name and description of the role and click **Create role**.

{% hint style="success" %}
You’ve now created an IAM role that allows Upsolver to access your data.
{% endhint %}

9. Note down the **Role ARN** by selecting your role from the role summary page.&#x20;

<figure><img src="https://lh4.googleusercontent.com/cnDHoDkv1FHYhxqE2mNHOdnJQKgwZyRZ6wxz3z3aiNxBAmb8iu3ZLC-PolAY9hddZXKxaYTwN1J9EGRfAOqYo_DX9N3Ovg21LeeNd-O4LfeAnM2CsVfA2EwaK8u88KBLr2mSac-qU5ABZp0tf2XXqiPdVozxbnlVLDsiSC4oEjSr1TkH3tY2O7u6q8mJ" alt=""><figcaption></figcaption></figure>

Now you are able to create an Upsolver connection using the role you created in [Step 2](#2.-create-an-iam-role) and the external id generated by Upsolver in the trusted entity JSON.

For example, creating an Amazon S3 connection:

<figure><img src="/files/x3JW1xqcpleeza5J4XLn" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://upsolver.gitbook.io/content/how-to-guides-1/setup/deploy-upsolver-on-aws/role-based-aws-credentials.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.