This guide explains how to configure AWS IAM policies and roles to grant Visual Layer secure access to your private S3 buckets.
AWS Access Control Requirements
Visual Layer requires the following permissions on an S3 bucket to access files:
- s3:GetBucket* (the wildcard form used in the policy below)
- s3:GetObject
- s3:GetObjectVersion
- s3:ListBucket
Create an IAM Policy
Configure access permissions for Visual Layer in your AWS Management Console.
- Log into the AWS Management Console.
- From the home dashboard, search for and select IAM.
- From the left-hand navigation pane, select Account settings.
- From the left-hand navigation pane, select Policies.
- Select Create Policy.
- For Policy editor, select JSON.
- Add a policy document that will allow Visual Layer to access the S3 bucket by copying and pasting the following text into the policy editor.
Replace <bucket> with your actual bucket name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::<bucket>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucket*"
      ],
      "Resource": "arn:aws:s3:::<bucket>"
    }
  ]
}
Create the IAM Role
Configure the IAM role that Visual Layer will assume to access your bucket.
- From the left-hand navigation pane in the Identity and Access Management (IAM) Dashboard, select Roles.
- Select Create role.
- Select AWS account as the trusted entity type.
- In the Account ID field, enter your own AWS account ID temporarily. You will modify the trust relationship later to grant access to Visual Layer.
- Select the Require external ID option. An external ID is used to grant access to your AWS resources (such as S3 buckets) to a third party like Visual Layer. Enter a placeholder ID such as 0000.
- Click Next.
- Select the policy you created above and click Next.
- Enter a name and description for the role, then select Create role.
- On the role summary page, locate and record the Role ARN value for later use.
You have now created an IAM policy for a bucket, created an IAM role, and attached the policy to the role.
Grant IAM User Permissions
Configure the trust relationship to allow Visual Layer to assume the IAM role.
- Log in to the AWS Management Console.
- Select IAM.
- From the left-hand navigation pane, select Roles.
- Select the role you created above.
- Select the Trust Relationships tab.
- Select Edit Trust Policy and insert the following policy document.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::027730031917:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
- Select Update Policy to save your changes.
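The trust policy above has an empty Condition block, so once it is saved the external ID chosen when the role was created is no longer part of the trust relationship. The following Python check is an added example, not part of the Visual Layer documentation: it reports cross-account sts:AssumeRole statements that lack an sts:ExternalId condition. The account ID 111122223333 and the value EXAMPLE-EXTERNAL-ID are constructed placeholders.

```python
import json

OWN_ACCOUNT = "111122223333"  # constructed placeholder for your own account ID
# Trust policy as shown in the guide above.
TRUST_AS_PUBLISHED = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::027730031917:root"},
  "Action": "sts:AssumeRole", "Condition": {}}]}
""")

# Constructed variant; "EXAMPLE-EXTERNAL-ID" is a placeholder, not a real value.
TRUST_WITH_EXTERNAL_ID = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::027730031917:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
""")

def _as_list(value):
    # IAM accepts either a single string or a list in these fields.
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "arn:aws:iam::<account>:root" -> "<account>"; bare account IDs pass through.
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def _has_external_id(stmt):
    # Only the StringEquals operator is checked; condition keys are case-insensitive.
    equals = (stmt.get("Condition") or {}).get("StringEquals", {})
    return any(k.lower() == "sts:externalid" and v for k, v in equals.items())

def audit_trust_policy(policy, own_account):
    """Return (statement index, principal) pairs for Allow statements that let a
    principal outside own_account call sts:AssumeRole without an external ID."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if _account_of(arn) != own_account and not _has_external_id(stmt):
                findings.append((i, arn))
    return findings

if __name__ == "__main__":
    print([audit_trust_policy(p, OWN_ACCOUNT) for p in (TRUST_AS_PUBLISHED, TRUST_WITH_EXTERNAL_ID)])
```

To audit a live role, pass the trust policy JSON copied from the Trust Relationships tab to `audit_trust_policy` together with your own account ID.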
Send the Role ARN to Visual Layer
After creating and configuring your IAM role, send the Role ARN to Visual Layer for configuration.
- Go to the summary page of the IAM Role you created above.
- Locate and record the Role ARN value.
- Send it to support@visual-layer.com with the subject line “Private S3 bucket.”
- Visual Layer will review and confirm receipt of your configuration.
Create a Dataset
Once Visual Layer confirms your IAM role configuration, you can create a dataset using your private S3 bucket.
- Create a new Dataset.
- Select “Public S3 Bucket” as the data source.
- Insert the URL to your private AWS S3 bucket.