
Amazon Web Services Simple Storage Service (S3) volumes


This page contains information on configuring a volume that is associated with an S3 bucket in Amazon Web Services (AWS) cloud storage.

## Authentication and authorization on Cavatica

Cavatica provides the option of connecting your Amazon Web Services S3 bucket (volume) so that you can read and write files to and from Cavatica. After the connection is established, your S3 bucket (volume) behaves like external storage for Cavatica. Authentication of Cavatica is done through AWS Identity and Access Management (IAM) services, and you can choose between two authentication options, [IAM user](#section-about-aws-iam-users) or [IAM role](#section-about-aws-iam-roles). Authorization of Cavatica, which defines the actions that can be done on your volume, is defined in a custom IAM policy that is attached to an IAM user or IAM role.

### About AWS IAM users

An AWS Identity and Access Management (IAM) user is an entity that you create to represent a person or service that uses it to interact with your AWS resources. For each IAM user you need to define one or more policies that determine which actions the user can perform, on which AWS resources, and under what conditions. In order to connect your S3 bucket as a volume to Cavatica, you will need to attach an appropriate policy provided by Seven Bridges to your IAM user and use _Access keys_ (_access key ID_ and _secret access key_) for authentication to make programmatic calls from Cavatica to your AWS resources.

### About AWS IAM roles

An IAM role is an entity, similar to an IAM user, that represents an AWS identity for which you set permission policies to define what another identity associated with your role can and cannot do with your AWS resources. A role is intended to be assumed by more than one person or service. For connecting Cavatica with your S3 bucket, we recommend creating a role only for that purpose. A role does not have standard long-term credentials such as a password or access keys associated with it.
Instead, when you assume a role, it provides temporary security credentials for your role session. Cavatica automatically renews these IAM role credentials, so authorized users can access the volume without interruption.

### Connecting an S3 bucket to Cavatica

Prerequisites:

* An [Amazon Web Services (AWS)](https://aws.amazon.com/) account.
* One or more S3 buckets within the AWS account.

**Procedure:**
1. [Create a custom IAM policy](#section-create-a-custom-iam-policy)
2. Depending on your preferred authentication option:
    * [Set up an IAM user](#section-set-up-an-iam-user)
    * [Set up an IAM role](#section-set-up-an-iam-role)

### Create a custom IAM policy

For both authentication methods, _IAM user_ and _IAM role_, the same policy should be attached to define the permissions that Cavatica will have when connecting with your AWS S3 bucket (volume). So, the first step is to create a custom IAM policy that you will attach to your IAM user or IAM role later on. To create the policy, follow these steps:
1. Go to the [AWS Management Console](https://console.aws.amazon.com).
2. In the top menu select **Services** and then choose **IAM**.
3. In the left navigation menu select **Policies**.
4. Click **Create policy** and select the **JSON** tab.
5. Copy and paste the following custom policy. *Make sure to select the right policy depending on whether you're mounting the volume in **Read-only** or **Read-write** mode*. Also, make sure to replace **<BUCKET_NAME>** in the policy with the name of your S3 bucket, and either replace **<ROOT>** with the subdirectory in the bucket to which you want to restrict access when browsing the mounted volume from Cavatica, or simply exclude the **<ROOT>** parameter and set `Resource` in the policy to `arn:aws:s3:::<BUCKET_NAME>` if you want to make the entire content of the bucket available.

**Read-only**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnBuckets",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        },
        {
            "Sid": "GrantReadOnObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        }
    ]
}
```

**Read-write**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnBuckets",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        },
        {
            "Sid": "GrantReadOnObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "GrantWriteOnObjects",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "RequestReadOnCopySourceObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::pgc-main/*"
            ]
        }
    ]
}
```

6. Click **Review policy** and enter a policy name, e.g. `sb-access-policy` (remember this policy name, as you will need to attach it later to the IAM user or IAM role).
7. (Optional) Enter the policy description.
8. Click **Create policy** to finish the process of policy creation.

The custom IAM policy you have created can be attached to the IAM user or IAM role you will use to connect your AWS S3 bucket with Cavatica.
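
Added example (not part of the original page and not Seven Bridges code): a Python helper that fills in the policy from step 5 and audits the result before it is pasted into the console. The function names and the sample bucket `my-lab-data` are assumptions; an empty ROOT is rendered as `<BUCKET_NAME>/*` for the object statements, because object-level actions such as `s3:GetObject` match object ARNs.

```python
"""Fill in and audit the S3 permission policy from step 5 (added example)."""

BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketCORS", "s3:GetBucketLocation"]
WRITE_ACTIONS = ["s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl",
                 "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]
COPY_SOURCE = "arn:aws:s3:::pgc-main/*"  # fixed ARN in the page's read-write policy


def as_list(value):
    return value if isinstance(value, list) else [value]


def object_arn(bucket, root=""):
    """Object ARN for a prefix; an empty root covers every object in the bucket."""
    prefix = root.strip("/")  # "/projects/run1/" and "projects/run1" are the same prefix
    if any(c in prefix for c in "*?"):
        raise ValueError("wildcards in ROOT would widen the grant")
    return f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"


def build_policy(bucket, root="", read_write=False):
    """Render the page's Read-only or Read-write policy for one bucket and prefix."""
    def stmt(sid, actions, resource):
        return {"Sid": sid, "Action": actions, "Effect": "Allow", "Resource": [resource]}

    objects = object_arn(bucket, root)
    statements = [
        stmt("GrantReadOnBuckets", BUCKET_ACTIONS, f"arn:aws:s3:::{bucket}"),
        stmt("GrantReadOnObjects", ["s3:GetObject"], objects),
    ]
    if read_write:
        statements += [
            stmt("GrantWriteOnObjects", WRITE_ACTIONS, objects),
            stmt("RequestReadOnCopySourceObjects", ["s3:GetObject"], COPY_SOURCE),
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def audit_policy(policy, bucket, root=""):
    """Return (Sid, finding, value) tuples worth reviewing before attaching the policy."""
    in_scope = {f"arn:aws:s3:::{bucket}", object_arn(bucket, root)}
    findings = []
    for s in as_list(policy["Statement"]):
        for resource in as_list(s["Resource"]):
            if "<" in resource:
                findings.append((s.get("Sid"), "placeholder-left", resource))
            elif resource not in in_scope:
                findings.append((s.get("Sid"), "outside-scope", resource))
        for action in as_list(s["Action"]):
            if action in ("*", "s3:*"):
                findings.append((s.get("Sid"), "wildcard-action", action))
            elif action == "s3:PutObjectAcl":
                findings.append((s.get("Sid"), "can-change-object-acl", action))
    return findings


if __name__ == "__main__":
    import json
    # Constructed sample values, not taken from the page.
    policy = build_policy("my-lab-data", "projects/run1", read_write=True)
    print(json.dumps(policy, indent=4))
    for finding in audit_policy(policy, "my-lab-data", "projects/run1"):
        print(finding)
```

For the read-write policy the audit reports the `s3:PutObjectAcl` grant and the `pgc-main` copy-source statement, the two entries that reach beyond plain reads and writes on your own prefix.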

### Set up an IAM user

Follow these steps to create an AWS IAM user that you will use to connect an S3 bucket (volume) to Cavatica:
1. Log in to the [AWS Management Console](https://console.aws.amazon.com).
2. In the top menu select **Services** and then choose **IAM**.
3. In the left navigation menu select **Users**, and then choose **Add user**.
4. Enter the **User name** for the user you are creating.
5. In the **Access type** section, select **Programmatic access**.
6. Click **Next: Permissions**.
7. In the **Set permissions** section select **Attach existing policies directly**.
8. Use the search bar to find and select the policy you created earlier (e.g. `sb-access-policy`).
9. Click **Next: Tags**.
10. (Optional) Add tags to the user. These are key-value pairs that contain additional information about the IAM user and are not necessary for the process of attaching a volume to Cavatica.
11. Click **Next: Review**. The user details screen is displayed. Check once again that all entered information is correct.
12. Click **Create user**. You will see a message that the user was successfully created.
13. On the confirmation screen, copy the provided **Access key ID** and **Secret access key** and use them for volume creation on Cavatica.
14. Click **Close**.

With the created IAM user you can connect your AWS S3 bucket as a volume to Cavatica. As stated in step 13 above, the credentials you will need are:

* **Access key ID**
* **Secret access key**

If you forget your **Secret access key**, you can still create new access keys:
1. Click the name of your IAM user in the list of all available users.
2. Click the **Security credentials** tab.
3. In the Access keys section click **Create access key**. The newly created **Access key ID** and **Secret access key** are displayed in the pop-up window. Use them for connecting your S3 bucket to Cavatica.

### Set up an IAM role

Follow these steps to create an AWS IAM role that you will use to connect an S3 bucket (volume) to Cavatica:
1. Log in to the [AWS Management Console](https://console.aws.amazon.com).
2. In the top menu select **Services** and then choose **IAM**.
3. In the left navigation menu select **Roles**, and then choose **Create role**.
4. In the **Select type of trusted entity** section, choose **Another AWS account**.
5. Enter the following values:
    * **Account ID**: 151136852077
    * Check **Require External ID** and enter at least 6 characters (strongly recommended).
6. Click **Next: Permissions**.
7. Use the search bar to find and select the policy you created earlier (e.g. `sb-access-policy`).
8. Click **Next: Tags**.
9. (Optional) Add tags to the role. These are key-value pairs that contain additional information about the IAM role and are not necessary for the process of attaching a volume to Cavatica.
10. Click **Next: Review**.
11. Enter the **Role name** and its optional description.
12. Click **Create role** to complete the process of role creation. The list of all available roles opens.
13. Click the name of your newly created role to see the necessary details.
14. Under the **Trust relationships** tab, click **Edit trust relationship** and replace the **Policy Document** with the policy shown below. Make sure to select the right policy depending on whether you have set an **External ID** in step 5 above. If you have configured an **External ID**, make sure to use its value instead of the **<EXTERNAL_ID>** placeholder in the policy below.

**With External ID**

```json
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::151136852077:user/sevenbridges_volumes"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "<EXTERNAL_ID>"
            }
        }
    }
}
```

**Without External ID**

```json
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::151136852077:user/sevenbridges_volumes"
        },
        "Action": "sts:AssumeRole"
    }
}
```

15. Click **Update Trust Policy** to save the update.

If you followed all the steps described above, you are now ready to connect your S3 bucket as a volume to Cavatica using the newly created IAM role. The credentials you will need are:

* **Role ARN** - click the name of your role in the list of all roles and copy the Role ARN.
* **External ID** - click the **Trust relationships** tab. In the **Conditions** section, this is the value of the **sts:ExternalId** key.

**External ID** is an additional security parameter that will be used to authenticate Cavatica when accessing your AWS bucket. This parameter is not mandatory but is highly recommended.

### Additional configuration

The IAM policy is usually sufficient to permit Cavatica to access your S3 bucket. In certain situations, however, it may be necessary to set up additional configuration on the bucket itself. Read how to do this by [enabling cross-origin resource sharing (CORS)](https://docs.sevenbridges.com/docs/enabling-cross-origin-resource-sharing-cors).
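
Added example (not part of the original page and not Seven Bridges code): a Python check for the trust policy saved in step 14 of "Set up an IAM role", run against a role's trust document to confirm that it names only the principal given on this page and requires an External ID of at least 6 characters. The function names, issue codes and sample External ID are assumptions; only the `StringEquals` operator used on this page is recognised.

```python
"""Audit an IAM role trust policy against the 'With External ID' form (added example)."""
import json

EXPECTED_PRINCIPAL = "arn:aws:iam::151136852077:user/sevenbridges_volumes"  # from the page
MIN_EXTERNAL_ID_LEN = 6  # step 5 asks for at least 6 characters


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(document):
    """Return sorted issue codes; an empty list means the policy matches the page."""
    policy = json.loads(document) if isinstance(document, str) else document
    issues = set()
    allows = [s for s in as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in as_list(s.get("Action", []))]
    if not allows:
        issues.add("no-assume-role-statement")
    for s in allows:
        principal = s.get("Principal")
        if isinstance(principal, dict):
            trusted = as_list(principal.get("AWS", []))
            if set(principal) - {"AWS"}:  # Service, Federated, ... are not expected here
                issues.add("unexpected-principal")
        else:
            trusted = [principal]
        for arn in trusted:
            if arn == "*":
                issues.add("principal-wildcard")
            elif arn != EXPECTED_PRINCIPAL:
                issues.add("unexpected-principal")
        # Condition key names are case-insensitive in IAM policies.
        string_equals = s.get("Condition", {}).get("StringEquals", {})
        external_id = next((v for k, v in string_equals.items()
                            if k.lower() == "sts:externalid"), None)
        if external_id is None:
            issues.add("external-id-not-required")
            continue
        for value in as_list(external_id):
            if value.startswith("<") and value.endswith(">"):
                issues.add("external-id-placeholder")
            elif len(value) < MIN_EXTERNAL_ID_LEN:
                issues.add("external-id-too-short")
    return sorted(issues)


def trust_policy(principal, external_id=None):
    """Build a trust document in the page's shape (single Statement object)."""
    statement = {"Effect": "Allow", "Principal": {"AWS": principal},
                 "Action": "sts:AssumeRole"}
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": statement}


if __name__ == "__main__":
    # Constructed samples; "example-external-id-01" is not a real External ID.
    samples = {
        "with external id": trust_policy(EXPECTED_PRINCIPAL, "example-external-id-01"),
        "without external id": trust_policy(EXPECTED_PRINCIPAL),
        "placeholder left in": trust_policy(EXPECTED_PRINCIPAL, "<EXTERNAL_ID>"),
        "whole account trusted": trust_policy("arn:aws:iam::151136852077:root",
                                              "example-external-id-01"),
    }
    for name, doc in samples.items():
        print(f"{name}: {audit_trust_policy(doc) or 'ok'}")
```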