Integration Guide - Reco S3 Bring-Your-Own-Bucket
Written by Reco Product Management
Updated over a month ago

This guide walks you through configuring an IAM role that allows Reco to securely access your existing S3 bucket. You will then provide the necessary details to Reco, and finally, inform Reco Customer Success before you integrate it.

Step 1: Create an IAM Role

We will start with the AWS Web Console instructions and provide alternative AWS CLI commands alongside for each step.

1.1 Open AWS IAM Console

  • Using Web Console: Log in to the AWS Management Console and navigate to the IAM service.

  • Using AWS CLI: No CLI alternative for logging into the console.

1.2 Create a Role

Web Console:

  • In the IAM dashboard, click on "Roles" and then "Create Role."

  • Select "Another AWS account" as the trusted entity.

  • Enter 495155430317 (Reco's AWS Account ID).

  • For the External ID, enter the value agreed between you and Reco. The trust policy requires this value on every sts:AssumeRole call, which ensures only Reco can assume this role.

CLI Alternative:

aws iam create-role --role-name RecoBucketAccessRole --assume-role-policy-document file://trust-policy.json

The trust-policy.json file should contain:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::495155430317:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<YOUR-EXTERNAL-ID>"
        }
      }
    }
  ]
}

Replace <YOUR-EXTERNAL-ID> with your agreed External ID.

1.3 Attach Bucket Permissions

Web Console:

  • After setting the trust relationship, proceed to the permissions section.

  • Click "Create Policy" and choose the "JSON" editor.

  • Paste the following policy, replacing <YOUR-BUCKET-NAME> with your bucket name:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::<YOUR-BUCKET-NAME>/*",
            "arn:aws:s3:::<YOUR-BUCKET-NAME>"
          ]
        }
      ]
    }

  • Save the policy, attach it to the role, and finish creating the role.

CLI Alternative:

aws iam put-role-policy --role-name RecoBucketAccessRole --policy-name RecoBucketAccessPolicy --policy-document file://bucket-access-policy.json

The bucket-access-policy.json should contain the same policy as above.

1.4 Retrieve the Role ARN

Web Console:

  • After creating the role, go to "Roles" in IAM, select your role, and copy the Role ARN (Amazon Resource Name). You'll need this for the integration fields.

CLI Alternative:

aws iam get-role --role-name RecoBucketAccessRole --query 'Role.Arn' --output text
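
Before handing the role ARN to Reco, the two policy files from steps 1.2 and 1.3 can be checked offline for an unreplaced placeholder, a missing External ID condition, or a statement broader than the guide's. The Python below is an added example, not Reco's tooling; the function names and the sample documents are constructed for illustration, and my-reco-bucket is the example bucket name used in Step 2.

```python
import json

RECO_ACCOUNT_ID = "495155430317"  # Reco's AWS account ID, as given in this guide
GUIDE_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Return problems found in a parsed trust-policy.json."""
    problems = []
    allowed = {RECO_ACCOUNT_ID, f"arn:aws:iam::{RECO_ACCOUNT_ID}:root"}
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if not aws or any(p not in allowed for p in _as_list(aws)):
            problems.append("principal is not limited to Reco's account")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("no sts:ExternalId condition")
        elif "<" in str(ext):
            problems.append("External ID placeholder not replaced")
    return problems

def check_bucket_policy(doc, bucket):
    """Return problems found in a parsed bucket-access-policy.json."""
    problems = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        problems += [f"resource outside bucket: {r}"
                     for r in _as_list(st.get("Resource", [])) if r not in allowed]
        problems += [f"action beyond the guide's list: {a}"
                     for a in _as_list(st.get("Action", [])) if a not in GUIDE_ACTIONS]
    return problems

# Constructed sample documents (not real customer policies).
TRUST_UNFINISHED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::495155430317:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "<YOUR-EXTERNAL-ID>"}}}]}""")
BUCKET_TOO_BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:*"], "Resource": ["arn:aws:s3:::my-reco-bucket/*", "*"]}]}""")

if __name__ == "__main__":
    print(check_trust_policy(TRUST_UNFINISHED))
    print(check_bucket_policy(BUCKET_TOO_BROAD, "my-reco-bucket"))
```

To check your own files, load them with json.load and pass the result to the matching function; an empty list means no problem was found by these checks.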

Step 2: Fill in the Reco Integration Fields

Once the role is set up, gather the following information and provide it to Reco:

  1. Bucket Name: Your S3 bucket name (e.g., my-reco-bucket).

  2. Role ARN: The ARN of the IAM role you created (e.g., arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/RecoBucketAccessRole).

  3. External ID: The External ID you set in the trust relationship.

You will input this information in Reco’s integration form.

Step 3: Inform Reco Customer Success

Finally, contact Reco Customer Success and ask them to enable your S3 integration. This step is required for Reco to begin accessing and writing data to your bucket.
