This topic explains how you can securely grant Index Exchange (Index) read access to an Amazon S3 bucket using cross-account Identity and Access Management (IAM) roles.
Workflow
Before you begin: Request the following information from Index:
- Index AWS Account ID
- Index IAM Role ARN (Amazon Resource Name) that will assume your role
You will reference this Role ARN in the trust policy configured later.
To grant access to Index, you must follow this workflow:
Create an IAM role in your AWS account
Sign in to the AWS Management Console.
Go to IAM → Roles.
Click Create role.
Choose Custom trust policy.
Name the role.
Example:
indexexchange-s3-read-role
This role will be assumed by Index to access your S3 bucket.
Configure the trust relationship
The trust policy defines who is allowed to assume this role.
Update the role’s Trust relationship with the following JSON, replacing the placeholder with the Role ARN provided by Index:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<INDEX_INTERNAL_ROLE_ARN>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Notes:
- <INDEX_INTERNAL_ROLE_ARN> must be the exact Role ARN provided by Index.
- An ExternalId condition may be added if required by your security team or requested by Index.
Grant S3 bucket permissions
Attach a permissions policy to the role that grants read access to your S3 bucket, replacing <PARTNER_BUCKET_NAME> with your S3 bucket name:
In the role, go to Permissions.
Click Add permissions → Create inline policy.
Choose JSON and paste the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<PARTNER_BUCKET_NAME>"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<PARTNER_BUCKET_NAME>/*"
    }
  ]
}
Optional (recommended):
If access should be limited to a specific prefix, restrict the s3:GetObject resource accordingly (for example: arn:aws:s3:::bucket-name/path/*).
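A pre-share check of the two policies above, as an added example that is not Index or AWS code: it reports a trust principal that is not the exact Index role ARN, actions beyond the two read actions, and resources outside the expected bucket or prefix. The function names, account ID, role name, bucket name and ExternalId value are constructed placeholders; the missing-ExternalId finding is informational, since the condition is optional here, and each action is expected in its own statement, as in the policy above.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")

def as_list(value):  # IAM accepts a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def audit_trust(policy, index_role_arn):
    findings = []
    for stmt in allow_statements(policy):
        principal = stmt.get("Principal")
        has_aws = isinstance(principal, dict) and "AWS" in principal
        for arn in as_list(principal["AWS"]) if has_aws else [principal]:
            if arn != index_role_arn or not ROLE_ARN.match(arn):
                findings.append(f"principal is not the exact Index role ARN: {arn}")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust statement allows more than sts:AssumeRole")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("note: no sts:ExternalId condition")
    return findings

def audit_permissions(policy, bucket, prefix=""):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed = {"s3:ListBucket": bucket_arn, "s3:GetObject": f"{bucket_arn}/{prefix}*"}
    findings = []
    for stmt in allow_statements(policy):
        for action in as_list(stmt.get("Action")):
            if action not in allowed:
                findings.append(f"action beyond read access: {action}")
                continue
            for res in as_list(stmt.get("Resource")):
                if res != allowed[action]:
                    findings.append(f"{action} on unexpected resource: {res}")
    return findings

# Constructed sample values; the account ID, role name and bucket are placeholders.
INDEX_ROLE = "arn:aws:iam::111122223333:role/example-index-role"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": INDEX_ROLE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}
LOOSE_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-partner-bucket/*"}]}

if __name__ == "__main__":
    print(*audit_trust(LOOSE_TRUST, INDEX_ROLE), *audit_permissions(LOOSE_PERMS, "example-partner-bucket"), sep="\n")
```

Pass `prefix="path/"` to `audit_permissions` when object access is meant to be limited to a prefix, so an unrestricted `/*` resource is reported.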
Share the role ARN with Index
After the role and policies are created:
Copy the Role ARN from the IAM console.
Share the Role ARN securely with Index.
Share the region of your bucket.
Index will configure their internal systems to assume this role.
After you finish: Index will validate access by assuming the role and attempting to read from the bucket. No further action is required unless permissions need to be adjusted.