Cloud Storage Access (Beta)
To ingest assets from your AWS S3 bucket into the Coactive platform, you first need to establish a secure connection that allows Coactive to access your data. There are two supported methods:
- IAM Role - you create a role in your AWS account that Coactive can assume, offering fine-grained control and auditability.
- Bucket Policy - you directly grant Coactive’s role permission to access your bucket, without needing to manage IAM roles.
Both methods ensure secure, read-only access and are designed to fit different levels of technical complexity and security requirements.
🔍 Prerequisites
You’ll need:
- An AWS account, logged in at https://console.aws.amazon.com
- Your S3 bucket name that has the assets to be uploaded
- Your AWS Account ID
- The Coactive IAM Role ARN:
Method 1: IAM Role Assumption
Step 1: Go to the IAM Console
- Go to the AWS Console: https://console.aws.amazon.com/iam
- In the left sidebar, click “Policies”
- In the top-right corner, click the “Create policy” button
🔐 Step 2: Create a Custom S3 Access Policy
You’ll now define a policy to allow Coactive to read your dataset.
1. In the “Create Policy” screen:
- Click the “JSON” tab at the top
2. Add this statement with your given S3 bucket name
- Please replace <bucket-name> with your bucket name.
- arn:aws:s3:::<bucket-name> refers to the bucket itself. This allows Coactive to perform bucket-level operations such as listing objects (e.g., s3:ListBucket). This is required to view the contents or structure of the bucket during ingestion.
- arn:aws:s3:::<bucket-name>/* refers specifically to all objects inside the bucket. You can also specify a prefix here with arn:aws:s3:::<bucket-name>/prefix/*. This grants Coactive permission to read the actual image and video files within that folder (e.g., s3:GetObject).
Together, these ensure that Coactive can:
- See what objects exist in the dataset folder
- Access and ingest the individual assets for processing
This approach adheres to AWS best practices by limiting access to only the necessary bucket and subfolder.
3. Click Next (bottom-right)
4. Add Policy Details
- Add a policy name: A clear and descriptive name indicating that this policy grants access to a specific S3 bucket, intended for Coactive’s ingestion process.
- Add a description (optional): Policy that allows Coactive to access images and videos in my S3 bucket.
- Click Create policy
- You’ll be returned to the “Policies” page. Your policy is now ready to attach to a role.
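An added example, not Coactive's own template or code: the Python below reconstructs the Step 2 policy from the two resource ARNs and two actions described above, then audits a policy document for anything broader than read-only access to one bucket. The bucket name media-assets, the folder datasets/demo and both function names are assumptions made for illustration.

```python
import json

# The two actions the page names for ingestion; anything else is flagged.
READ_ONLY_ACTIONS = {"s3:listbucket", "s3:getobject"}

def as_list(value):
    """IAM accepts either one item or a list for Statement/Action/Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def build_read_policy(bucket, prefix=""):
    """Reconstruct the Step 2 policy: list the bucket, read objects under prefix."""
    key_scope = prefix.strip("/") + "/*" if prefix else "*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{key_scope}"},
        ],
    }

def audit_policy(policy, bucket):
    """Return findings for Allow statements broader than read-only on `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource allows by exclusion")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() not in READ_ONLY_ACTIONS:  # IAM actions are case-insensitive
                findings.append(f"statement {n}: action {action} is not needed for ingestion")
        for res in as_list(stmt.get("Resource", [])):
            # "<bucket>*" would also match other buckets sharing the name prefix
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"statement {n}: resource {res} reaches outside {bucket}")
    return findings

if __name__ == "__main__":
    # Constructed sample values: bucket "media-assets", folder "datasets/demo"
    policy = build_read_policy("media-assets", "datasets/demo")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, "media-assets") or "no findings")
```

Running the audit on the JSON before pasting it into the console catches write actions and over-broad resource patterns while the policy is still a draft.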
🛠️ Step 3: Create a New IAM Role
- In the left sidebar, click “Roles”
- In the top-right corner, click “Create role”
🧑🤝🧑 Step 4: Choose Trusted Entity
You’ll now define who can use (assume) this role.
- Under “Trusted entity type”, select: AWS account
- Under “An AWS account ID”, select Another AWS account and paste:
(This is Coactive’s production AWS account)
- Leave “Require external ID” unchecked
- Click Next
📎 Step 5: Attach Your Custom S3 Access Policy
- In the “Add permissions” screen:
- Click the 🔄 refresh icon at the top-right of the list
- In the search box, search for the policy name that you have just created
- Check the box next to that policy to select it
- Click Next (bottom-right)
🏷 Step 6: Name and Create the Role
- In the “Role name” field, enter a role name:
- (Optional) Description: IAM Role for Coactive to access my personal S3 demo dataset.
- Click Create role
- The role has now been created!
🔁 Step 7: Edit the Trust Relationship
Now you’ll tell AWS to trust only Coactive’s IAM role.
- On the roles list page, click on the role name that you have created.
- Click the “Trust relationships” tab
- Click “Edit trust policy”
- Replace the existing text with this:
- Click “Update policy”
🔑 Step 8: Copy the Role ARN
You’ll need this to register the role with Coactive.
- Still on the role details page, look for the “ARN” at the top
- Copy it — it should look like this:
Step 9: Use our Create Connection API to create the connection
Create a new connection using the Role ARN. Use the Create Connection API at https://docs.coactive.ai/v-1/api-reference/api-reference/connections/create-connection; an example body is:
Method 2: Connect Coactive Using a Bucket Resource Policy
This approach grants access directly to Coactive’s role via a bucket policy, so no IAM role assumption is needed.
Step 1: Copy the Coactive Bucket Policy Template
Replace all instances of YOUR_BUCKET_NAME with your actual bucket name:
Step 2: Add the Policy to Your S3 Bucket
- Go to the AWS Console: https://console.aws.amazon.com/s3
- Click on your bucket
- Go to the “Permissions” tab
- Scroll down to “Bucket policy”
- Click Edit
- Paste the updated JSON into the editor
- Click Save changes. Now Coactive’s role has read access to your bucket!