Grant Index Exchange access to your Amazon S3 bucket

Last Updated: March 27, 2026

This topic explains how you can securely grant Index Exchange (Index) read/write access to an Amazon S3 bucket using cross-account Identity and Access Management (IAM) roles.

Workflow

To grant access to Index, you must follow this workflow:

  1. Create an IAM role in your AWS account.

  2. Grant that role read access to your S3 bucket.

  3. Allow an Index IAM role to assume your AWS IAM role.
  4. Share the Role ARN with Index.

Note: Contact your Index Representative to request the Index IAM Role ARN (Amazon Resource Name) that will assume your AWS IAM role. You'll need this Role ARN when configuring the trust relationship.

Create an IAM role in your AWS account

Create an IAM role that will be assumed by Index to access your S3 bucket:

  1. Sign in to the AWS Management Console.

  2. Go to IAM > Roles.

  3. Click Create role.

  4. Choose Custom trust policy.

  5. Name the role.

    For example: indexexchange-s3-role.

Grant S3 bucket permissions

Note: For both read and write permissions, it is optional but recommended that you restrict the s3:GetObject resource accordingly. For example: arn:aws:s3:::bucket-name/path/*.

Read permission

Attach a permissions policy to the role that grants read access to your S3 bucket, replacing <PARTNER_BUCKET_NAME> with your S3 bucket name:

  1. In the role, go to Permissions.

  2. Click Add permissions > Create inline policy.

  3. Choose JSON and paste the following policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "s3:ListBucket",
			"Resource": "arn:aws:s3:::<PARTNER_BUCKET_NAME>"
		},
		{
			"Effect": "Allow",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::<PARTNER_BUCKET_NAME>/*"
		}
	]
}

Write permission

Attach a permissions policy to the role that grants write access to your S3 bucket, replacing <PARTNER_BUCKET_NAME> with your S3 bucket name:

  1. In the role, go to Permissions.

  2. Click Add permissions > Create inline policy.

  3. Choose JSON and paste the following policy:

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Action": "s3:ListBucket",
    			"Resource": "arn:aws:s3:::<PARTNER_BUCKET_NAME>"
    		},
    		{
    			"Effect": "Allow",
    			"Action": "s3:GetObject",
    			"Resource": "arn:aws:s3:::<PARTNER_BUCKET_NAME>/*"
    		}
    	]
    }

Configure the trust relationship

The trust relationship defines who is allowed to assume the role. Update the role’s trust relationship with the following JSON, replacing <INDEX_INTERNAL_ROLE_ARN> with the Role ARN provided by Index:

{ 
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "<INDEX_INTERNAL_ROLE_ARN>"
			},
			"Action": "sts:AssumeRole"
		}
	]
} 

Notes:

  • <INDEX_INTERNAL_ROLE_ARN> must be the exact Role ARN provided by Index.

  • An ExternalId condition may be added if required by your security team or requested by Index.
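An added example, not part of the Index documentation: a Python check to run on the trust policy JSON before saving it, confirming that it trusts only the Role ARN Index provided and, optionally, that it carries an sts:ExternalId condition. The function name audit_trust_policy is hypothetical, and the ARN, account ID and ExternalId value are constructed placeholders.

```python
import json

def _as_list(value):
    """IAM allows Action and Principal values to be a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_trust_policy(policy, expected_role_arn, require_external_id=False):
    """Return findings; an empty list means only expected_role_arn is trusted."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: Action is not exactly sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: Principal must contain only an AWS entry")
            continue
        for arn in _as_list(principal["AWS"]):
            if arn != expected_role_arn:
                findings.append(f"statement {i}: unexpected principal {arn!r}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if require_external_id and not condition.get("sts:ExternalId"):
            findings.append(f"statement {i}: missing sts:ExternalId condition")
    return findings

# Constructed placeholders; the real Role ARN is the one Index provides.
EXPECTED = "arn:aws:iam::111122223333:role/example-index-role"
GOOD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-index-role"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")
# Trusts the whole account (root) instead of the single role, no ExternalId.
TOO_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"
  }]
}""")
if __name__ == "__main__":
    print(audit_trust_policy(GOOD, EXPECTED, require_external_id=True))
    print(audit_trust_policy(TOO_BROAD, EXPECTED, require_external_id=True))
```

An account-root or wildcard principal lets more identities assume the role than the single Index role the page calls for, which is why the check compares against the exact ARN.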

Share the Role ARN with Index

After the role and policies are created, copy the Role ARN from the IAM console and share it securely with Index, along with your bucket's name, URL, and region. Index will configure their internal systems to assume this role.

After you finish: Index will validate access by assuming the role and attempting to read from the bucket. No further action is required unless permissions need to be adjusted.