The AWS S3 data connector allows you to connect any S3 bucket to Cloudglue, enabling you to use your S3 URIs directly with our endpoints without manually uploading files.

How It Works

This connector creates a secure bridge between your S3 buckets and Cloudglue:
  • Direct S3 access - We only access your files when you explicitly use them
  • No manual uploads - Skip the process of manually uploading files to Cloudglue
  • S3 URI support - Use your existing S3 URIs directly with Cloudglue endpoints

Security

Security is paramount, so we use AWS best practices with cross-account IAM roles. You’ll create an IAM role in your AWS account that Cloudglue can assume to access your buckets. This approach:
  • Maintains your control - You own and manage the role
  • Follows AWS security patterns - Uses standard cross-account role assumption
  • Provides granular permissions - Only grants the minimum access needed
  • Easy to revoke - Simply delete the role or modify permissions

Setup Options

We provide a CloudFormation template that automates the entire setup process:
  1. Copy and deploy the template in your AWS account
  2. Provide us the role ARN that gets created
  3. Configure the connector on our web platform
The CloudFormation template handles all the IAM role creation, policies, and trust relationships automatically.

CloudFormation Template

One click deployment with CloudFormation

AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template for Cloudglue external S3 access role'

Parameters:
BucketName:
Type: String
Description: 'S3 bucket name that you want to grant access to for Cloudglue'
Default: 'your-bucket-name-here'

ExternalId:
Type: String
Description: 'External ID to prevent confused deputy problem (required for third-party access)'
MinLength: 2
MaxLength: 1224
AllowedPattern: '^[a-zA-Z0-9+=,.@:/-]+$'

Resources:
CloudglueExternalS3AccessRole:
Type: AWS::IAM::Role
Properties:
RoleName: cloudglue-external-s3-access-role
Description: 'IAM role for Cloudglue external S3 access with cross-account permissions'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement: - Effect: Allow
Principal:
AWS: arn:aws:iam::992382634011:root
Action: sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: !Ref ExternalId
ManagedPolicyArns: []
Policies: - PolicyName: CloudglueExternalS3AccessPolicy
PolicyDocument:
Version: '2012-10-17'
Statement: - Sid: AllowCrossAccountRoleReadAccess
Effect: Allow
Action: - s3:GetObject - s3:ListBucket - s3:GetBucketLocation
Resource: - !Sub 'arn:aws:s3:::${BucketName}'
              - !Sub 'arn:aws:s3:::${BucketName}/_' - Sid: AllowCrossAccountRoleWriteAccess
Effect: Allow
Action: - s3:PutObject
Resource: - arn:aws:s3:::cloudglue-external-transfer - arn:aws:s3:::cloudglue-external-transfer/_

Outputs:
RoleArn:
Description: 'ARN of the created IAM role'
Value: !GetAtt CloudglueExternalS3AccessRole.Arn
Export:
Name: !Sub '${AWS::StackName}-RoleArn'

RoleName:
Description: 'Name of the created IAM role'
Value: !Ref CloudglueExternalS3AccessRole
Export:
Name: !Sub '${AWS::StackName}-RoleName'
To use this template:
  1. Copy the YAML code above
  2. Create a new CloudFormation stack in your AWS account
  3. Paste the template and set your bucket name parameter
  4. Deploy the stack

Option 2: Manual Setup

If you prefer manual configuration, you can create the required IAM role and policies yourself:
Important: The IAM role MUST be named exactly cloudglue-external-s3-access-role or the connector will not work.
To create the role:
  1. Navigate to the IAM console
  2. Click on the Roles, under Access management
  3. Click on the Create role button
  4. Select AWS account as the trusted entity
  5. Under An AWS Account select Another AWS account and enter our account ID: 992382634011 AWS Role Step 1
  6. Under Add Permissions, click Next
  7. Enter the following as the role name: cloudglue-external-s3-access-role
  8. Click on the Create role button
Add the following policies to the role:
  • Add an inline policy to the role with the following JSON:

Role Policies

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountRoleReadAccess",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ]
    },
    {
      "Sid": "AllowCrossAccountRoleWriteAccess",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::cloudglue-external-transfer",
        "arn:aws:s3:::cloudglue-external-transfer/*"
      ]
    }
  ]
}
Remember to replace YOUR_BUCKET_NAME with your actual S3 bucket name in the manual policy setup.

Trust Relationship

The trust relationship is already attached to the role, so you can skip this step. 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::992382634011:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "ID_YOU_GENERATE"
        }
      }
    }
  ]
}
Want to learn more about trust relationships? See the AWS documentation on trust policies with IAM roles. Need help with CloudFormation templates? Check out the AWS CloudFormation Templates resources.

Connecting to Cloudglue

  1. Set up the IAM role using either the CloudFormation template or manual setup
  2. Get the role ARN from your AWS account
For CloudFormation Role ARN with CloudFormation For manual IAM setup Role ARN with manual setup
  1. Configure the connector on our web platform with the role ARN
S3 Connector Architecture
  1. Start using S3 URIs directly with Cloudglue endpoints
  2. Add the external ID that you used in the CloudFormation template or manual setup to the connector on our web platform. This adds an additional layer of security to the connector.
Ready to set up your data connector? Visit our app to configure your S3 connector.
Need help setting up your data connector? Contact our team directly for assistance with the setup process.

Managing Access

You maintain full control over your data access. Remove this data connector by doing any of the following:
  • Revoke access by deleting the IAM role
  • Modify permissions by updating the role policies
  • Remove connection by revoking the connector on our website

Adding more buckets

If you need to add more buckets to the connector, you can do so by modifiying the policy attached to the role. All you need to do is add the new bucket to the Resource array. 
{
  "Action": [
    "s3:GetObject",
    "s3:ListBucket",
    "s3:GetBucketLocation"
  ],
  "Resource": [
    "arn:aws:s3:::YOUR_BUCKET_NAME",
    "arn:aws:s3:::YOUR_BUCKET_NAME/*",
    // Add more buckets here
    "arn:aws:s3:::YOUR_BUCKET_NAME2",
    "arn:aws:s3:::YOUR_BUCKET_NAME2/*"
  ],
  "Effect": "Allow",
  "Sid": "AllowCrossAccountRoleReadAccess"
},

How to use your S3 files with Cloudglue

To use S3 files, you can use the s3 URI for a file in your Cloudglue API requests. This would be prefixed with s3://. Example: 
s3://<bucket_name>/<path_to_file>

curl --request POST \
  --url https://api.cloudglue.dev/v1/describe \
  --header 'Authorization: Bearer YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --data '{
  "url": "s3://<bucket_name>/<path_to_file>",
  "enable_summary": true,
  "enable_speech": true,
  "enable_visual_scene_description": true,
  "enable_scene_text": true,
}'