Cloud Storage Access (Beta)
Cloud Storage Access (Beta)
To ingest assets from your AWS S3 bucket into the Coactive platform, you first need to establish a secure connection that allows Coactive to access your data. There are two supported methods:
- IAM Role - create a role in your AWS account that Coactive can assume, offering fine-grained control and audibility.
- Bucket Policy - where you directly grant Coactiveâs role permission to access your bucket without needing to manage IAM roles.
Both methods ensure secure, read-only access and are designed to fit different levels of technical complexity and security requirements.
Managing connections in the UI
You can also create, edit, test, and delete connections directly from the Coactive web interface. Go to Profile Menu â Settings â Connections to access the Connections management page. The UI supports AWS IAM Role (with S3 or Bedrock scope), HTTPS Basic Auth, and HTTPS Bearer Token connection types.
The Connections page always displays a default Coactive connection at the top of the list. This Coactive-managed connection is used with the bucket policy method (see Method 2 below) and cannot be edited or deleted.
Note: The Settings menu is only visible to Organization Admins.
đ Prerequisites
Youâll need:
- Your AWS account logged in at https://console.aws.amazon.com
- Your S3 bucket name that has the assets to be uploaded
- Your AWS Account ID
- The Coactive IAM Role ARN:
Method 1: IAM Role Assumption
Step 1: Go to the IAM Console
- Go to the AWS Console: https://console.aws.amazon.com/iam
- In the left sidebar, click âPoliciesâ
- In the top-right corner, click the âCreate policyâ button

đ Step 2: Create a Custom S3 Access Policy
Youâll now define a policy to allow Coactive to read your dataset.
1. In the âCreate Policyâ screen:
- Click the âJSONâ tab at the top
2. Add this statement with your given S3 Bucket name
- Please replace
<bucket-name>with your bucket name. arn:aws:s3:::<bucket-name>refers to the bucket itself â this allows Coactive to perform bucket-level operations such as listing objects (e.g.,s3:ListBucket). This is required to view the contents or structure of the bucket during ingestion.arn:aws:s3:::<bucket-name>/*refers specifically to all objects inside the bucket You are also able to specify a prefix here witharn:aws:s3:::<bucket-name>/prefix/*. This grants Coactive permission to read the actual image and video files within that folder (e.g.,s3:GetObject).
Together, these ensure that Coactive can:
- See what objects exist in the dataset folder
- Access and ingest the individual assets for processing
This approach adheres to AWS best practices by limiting access to only the necessary bucket and subfolder.

3. Click Next (bottom-right)
4. Add Policy Details
- Add a policy name: A clear and descriptive name indicating that this policy grants access to a specific S3 bucket, intended for Coactiveâs ingestion process.
- Add a description (optional): Policy that allows Coactive to access images and videos in my S3 bucket.
- Click Create policy

- Youâll be returned to the âPoliciesâ page. Your policy is now ready to attach to a role.
đ ď¸ Step 3: Create a New IAM Role
- In the left sidebar, click âRolesâ
- In the top-right corner, click âCreate roleâ
đ§âđ¤âđ§ Step 4: Choose Trusted Entity
Youâll now define who can use (assume) this role.
-
Under âTrusted entity typeâ, select: AWS account
-
Under âAn AWS account IDâ, select Another AWS account and paste:
(This is Coactiveâs production AWS account)
-
Leave âRequire external IDâ unchecked
-
Click Next

đ Step 5: Attach Your Custom S3 Access Policy
-
In the âAdd permissionsâ screen:
- Click the đ refresh icon at the top-right of the list
- In the search box, search for the policy name that you have just created
-
Check the box next to that policy to select it
-
Click Next (bottom-right)

đˇ Step 6: Name and Create the Role
-
In the âRole nameâ field, enter a role name:
-
(Optional) Description:
IAM Role for Coactive to access my personal S3 demo dataset.
-
Click Create role

-
The role has now been created!
đ Step 7: Edit the Trust Relationship
Now youâll tell AWS to trust only Coactiveâs IAM role.
- On the roles list page, click on the role name that you have created.
- Click the âTrust relationshipsâ tab
- Click âEdit trust policyâ
- Replace the existing text with this:
Click âUpdate policyâ

đ Step 8: Copy the Role ARN
Youâll need this to register the role with Coactive.
- Still on the role details page, look for the âARNâ at the top
- Copy it â it should look like this:
Step 9: Create the Connection in Coactive
Create a new Connection using the Role ARN from the previous step. You can do this through the UI or via the API.
Option A: Create via UI
- In the Coactive web interface, go to Profile Menu â Settings â Connections (visible to Organization Admins only)
- Click New connection
- Select AWS IAM Role as the connection type
- Select a Scope:
- S3: For accessing assets in your S3 bucket (default)
- Bedrock: For connecting to AWS Bedrock services
- Fill in the required fields:
- Name: A unique name for your connection (e.g.,
my_s3_connection) - IAM Role ARN: Paste the ARN from Step 8
- Bucket name: Your S3 bucket name (S3 scope only)
- Session TTL (optional): Duration in seconds (60-3600, defaults to 3600)
- Test location (optional): An S3 path to verify the connection works (S3 scope only)
- Name: A unique name for your connection (e.g.,
- Click Create
Bedrock connections
For Bedrock connections, contact your Coactive representative or email support@coactive.ai to complete the connection setup. Bedrock connections do not require a bucket name or test location.
Option B: Create via API
Use the Create Connection API with the following request body:
Method 2: Connect Coactive Using a Bucket Resource Policy
This approach grants access directly to Coactiveâs role via a bucket policy and no IAM role assumption is needed.
Step 1: Copy the Coactive Bucket Policy Template
Replace all instances of YOUR_BUCKET_NAME with your actual bucket name:
Step 2: Add the Policy to Your S3 Bucket
- Go to the AWS Console: https://console.aws.amazon.com/s3
- Click on your bucket
- Go to the âPermissionsâ tab
- Scroll down to âBucket policyâ
- Click Edit
- Paste the updated JSON into the editor
- Click Save changes. Now Coactiveâs role has read access to your bucket!
Step 3: Ingest Using the Default Coactive Connection
You do not need to create a connection â the default Coactive connection is already available and visible on the Connections management page (Profile Menu â Settings â Connections, visible to Organization Admins only). Reference connection_name: "coactive" in your ingestion call.
Hereâs a tailored example for you:
