# Integrating with S3

[Prerequisites](#prerequisites)

[Amazon S3 Setup](#amazon-s3-setup)\
[Integration Methods](#integration-methods)\
[Method 1: Using Access Key and Secret](#method-1-using-access-key-and-secret)\
&#x20;  [Step 1: Create an IAM policy](#step-1-create-an-iam-policy)\
&#x20;  [Step 2: Create User](#step-2-create-user)\
&#x20;  [Step 3: Generate the Access key and secret](#step-3-generate-the-access-key-and-secret)\
&#x20;  [Step 4: Integration details](#step-4-integration-details)\
[Method 2: Using the IAM role](#method-2-using-iam-role)\
&#x20;  [Step 1: Create an IAM policy](#step-1-create-an-iam-policy-1)\
&#x20;  [Step 2: Create an IAM role](#step-2-create-an-iam-role)\
&#x20;  [Step 3: Adding permissions to the S3 bucket](#step-3-adding-permissions-to-the-s3-bucket)\
&#x20;  [Step 4: Integration details](#step-4-integration-details-1)

## Prerequisites

To connect your Amazon S3 bucket to Drivetrain, you need:

* An S3 bucket containing files with CSV file types and encodings
* For private or encrypted buckets, an AWS account with the ability to grant Drivetrain permission to read from the bucket

## Amazon S3 Setup <a href="#amazon-s3-setup" id="amazon-s3-setup"></a>

We recommend disabling Access Control Lists (ACLs) on each S3 bucket so that the bucket contents are controlled by the bucket's access control settings and not the original file owner's settings. For more information about disabling ACLs for your bucket, see [Amazon S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html).

## Integration Methods <a href="#integration-methods" id="integration-methods"></a>

Method 1: Using the Access key and Secret

* Bucket name
* Folder path
* Access key
* Access secret
* AWS Region

Method 2: Using Roles (More secure)

* Bucket name
* Folder path
* AWS Region

## Method 1: Using Access Key and Secret <a href="#method-1-using-access-key-and-secret" id="method-1-using-access-key-and-secret"></a>

### Step 1: Create an IAM Policy <a href="#step-1-create-an-iam-policy" id="step-1-create-an-iam-policy"></a>

{% hint style="info" %}
You must create an IAM policy for both the IAM Role and Access Key and Secret approaches.
{% endhint %}

{% hint style="info" %}
For encrypted buckets, follow [Amazon S3 bucket instructions](https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-default-encryption/) to modify the AWS KMS key's policy to grant Drivetrain permissions to download files from your encrypted bucket.
{% endhint %}

1. Open your [Amazon IAM console](https://console.aws.amazon.com/iam/home#home).
2. Go to **Policies**, then click **Create Policy**.

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2F9b7YpLn16mPTpYEEpgtN%2FS3-1.avif?alt=media&#x26;token=dbaedb24-bf9b-488a-91c3-14394b1d318a" alt=""><figcaption></figcaption></figure>

3. Go to the **JSON** tab

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2FNyOpLeZkhAO8tVW8hkAs%2FS3-2.avif?alt=media&#x26;token=e215a126-795e-4a42-8d58-015f890db6bb" alt=""><figcaption></figcaption></figure>

4. Copy the following policy and paste it into the visual editor. Replace `{your-bucket-name}` with the name of your S3 bucket. After that, click **Next: Tags**.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{your-bucket-name}/*",
                "arn:aws:s3:::{your-bucket-name}"
            ]
        }
    ]
}
```

5. ***(Optional)*** If you use a customer-managed KMS key, add the following actions to the `Action` section of the IAM policy to provide read access to the encrypted files.

```
"Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
]
```

6. In the Add tags step, you can optionally add custom tags that will be associated with your bucket. Click **Next: Review**.
7. In the Review policy step, specify the name of your policy, for example "Drivetrain-S3-Access", then click **Create policy.**

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2FOlOYjpjYzEj2LAOYGq0m%2FS3-3.png?alt=media&#x26;token=618a7ca9-c2df-4159-948a-7da329758901" alt=""><figcaption></figcaption></figure>

### Step 2: Create User <a href="#step-2-create-user" id="step-2-create-user"></a>

1. Open your [Amazon IAM console](https://console.aws.amazon.com/iam/home#home).
2. Go to **Users**, then click **Add users**.
3. Enter the user name, then click **Next**.
4. Select the **Attach policies directly** option, then choose the "Drivetrain-S3-Access" policy you created in Step 1.

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2FGDEGGFJtZLZjPgdhd0Jv%2FS3-4.png?alt=media&#x26;token=2ec71588-b5a3-453d-afd1-14729dc7c48a" alt=""><figcaption></figcaption></figure>

5. Click **Next**, then click **Create User.**

### Step 3: Generate the access key and secret <a href="#step-3-generate-the-access-key-and-secret" id="step-3-generate-the-access-key-and-secret"></a>

1. In the **Users** tab, open the User you created.
2. Go to the **Security credentials** tab and navigate to the **Access keys** section.
3. Click **Create access key**.

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2FJBxgDnbZl8j6xPxqE73O%2FS3-5.png?alt=media&#x26;token=11c27b0d-e12c-4776-bb1b-e0a5ff482599" alt=""><figcaption></figcaption></figure>

4. From the **Use Case** options, select the **Third-party service** option and then click **Next**.
5. Enter a **Description tag** value and then click **Create access key**.
6. Copy the **Access key** and **Secret access key** values. You will need them to configure the integration.

### Step 4: Integration details <a href="#step-4-integration-details" id="step-4-integration-details"></a>

Share the following details with the Drivetrain team:

1. Bucket name
2. Folder path
3. Access key
4. Access secret
5. AWS Region

## Method 2: Using IAM Role <a href="#method-2-using-iam-role" id="method-2-using-iam-role"></a>

### Step 1: Create an IAM Policy <a href="#step-1-create-an-iam-policy-1" id="step-1-create-an-iam-policy-1"></a>

Follow the same steps as in [Step 1](#step-1-create-an-iam-policy) of Method 1.

### Step 2: Create an IAM Role <a href="#step-2-create-an-iam-role" id="step-2-create-an-iam-role"></a>

1. Go to Roles, then click **Create role.**

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2Fwg6e3sgeqqP92ZAbgmyr%2FS3-6.png?alt=media&#x26;token=a089fbef-f444-4973-9e2e-9573a633d37b" alt=""><figcaption></figcaption></figure>

2. Select AWS account, then enter Drivetrain’s AWS Account ID, `865992467666`, in the **Account ID** field.

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2FOxH5xqaFvXlKSdxMMwMQ%2FS3-7.png?alt=media&#x26;token=d9dd5b7f-2401-420b-b75e-31f1b9fe4407" alt=""><figcaption></figcaption></figure>

3. In the **Add permissions** step, select the "Drivetrain-S3-Access" policy you created, then click **Next.**

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2FYJaolOjUZdcx6LhhkeOn%2FS3-8.png?alt=media&#x26;token=9ec1b7f3-6726-4152-94e9-f31a646c0f57" alt=""><figcaption></figcaption></figure>

4. Enter the name `Drivetrain-Integration`, check the trust policy settings and the attached policy, then click **Create Role**.

<figure><img src="https://4220329029-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBZR0D9lq6jrI895OuOU%2Fuploads%2FDGIEuN7LsedwJOsbfAuV%2FS3-9.png?alt=media&#x26;token=e8f23808-a1cd-4241-9367-13d9df125134" alt=""><figcaption></figcaption></figure>

### Step 3: Adding permissions to the S3 bucket

To assign permissions to your S3 bucket, follow the steps below:

1. Select the bucket to which you want to assign permissions.
2. Navigate to the **Permissions** tab.
3. Go to **Bucket Policy.**
4. Click **Edit**. Copy the policy below and paste it into the visual editor. Replace `{your-bucket-name}` with the name of your S3 bucket.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::865992467666:role/Drivetrain-Integration"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{your-bucket-name}/*",
                "arn:aws:s3:::{your-bucket-name}"
            ]
        }
    ]
}
```

5. Click **Save** to apply the changes.
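The IAM policy from Method 1, Step 1 and the bucket policy above grant the same three read-only actions on a single bucket. The Python check below is an added example, not Drivetrain's or AWS's code, that audits a policy document against those values before you save it. `audit_policy`, `SAMPLE_DRIFTED` and the bucket name `example-bucket` are hypothetical names, and the optional KMS actions are reported as unexpected because the check covers only the base policy.

```python
import json

# Read-only actions granted by the page's policies (IAM action names are case-insensitive).
ALLOWED_ACTIONS = {"s3:getbucketlocation", "s3:getobject", "s3:listbucket"}
# Principal named in the page's bucket policy.
EXPECTED_PRINCIPAL = "arn:aws:iam::865992467666:role/Drivetrain-Integration"

# Constructed sample: a bucket policy that drifted to a wildcard principal and action.
SAMPLE_DRIFTED = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*"}})


def _as_list(value):
    """IAM accepts either one string or a list for Action, Resource and Principal."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy_json, bucket, bucket_policy=False):
    """Return findings for a policy document; an empty list means it matches the page."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    in_bucket = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for key in ("NotAction", "NotResource", "NotPrincipal"):
            if key in stmt:
                findings.append(f"statement {i}: {key} grants by exclusion")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if "{your-bucket-name}" in resource:
                findings.append(f"statement {i}: placeholder left in {resource}")
            elif resource not in in_bucket:
                findings.append(f"statement {i}: resource outside bucket: {resource}")
        if bucket_policy:
            principal = stmt.get("Principal")
            arns = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
            if arns != [EXPECTED_PRINCIPAL]:
                findings.append(f"statement {i}: unexpected principal {arns}")
    return findings
```

Call it with `bucket_policy=True` for the bucket policy in this step and with the default for the IAM policy, which has no `Principal` element.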

### Step 4: Integration details

Share the following details with the Drivetrain team:

1. Bucket name
2. Folder path
3. AWS Region
