
# AWS S3

## **S3 IAM Access**

If you use AWS S3 to store data and submit tasks with attachments as **`s3:` protocol URIs**, rather than `http:` or `https:`, we will use the S3 API to fetch your data. For example, instead of sending `https://s3-us-west-2.amazonaws.com/bucket/key`, you would send `s3://bucket/key`.

We can either fetch your data using **IAM Delegated Access** (preferred, more secure) or **Cross-account Access**.

### **IAM Delegated Access**

To access S3 data in your AWS account, Scale can **[assume a role in your account](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html)**, which has permission to access data in your S3 buckets. This role must be named `ScaleAI-Integration`.

To set up IAM Delegated Access:

1. As a team admin or manager, go to **[dashboard.scale.com/settings/integrations](https://dashboard.scale.com/settings/integrations)**.
2. In another window, create a new role in the **[AWS IAM Console](https://console.aws.amazon.com/iam/home?#/roles)**:
   * Select `Another AWS account` for the Role Type.
   * Enter `307185671274` (Scale's Account ID) as the Account ID.
   * Check `Require external ID`, and enter the external ID displayed in the AWS section of the Integrations Settings page.
   * Do not check `Require MFA`.
3. For permissions, either attach a policy that grants appropriate access, or create a policy. A sample role policy is shown below.
4. Name the role `ScaleAI-Integration`.
5. Return to the Scale Dashboard and enter your AWS account ID.

<img src="https://mintcdn.com/scale-full-docs/mWt5D3V42IX_J-Yx/assets/basehub/11z2v30-eyJhbGciOiJIUzI1NiJ9.eyJvcmlnaW5VcmwiOiJodHRwczovL2ZpbGVzLnJlYWRtZS5pby81OTM0YjA0LWF3c19pbnRlZ3JhdGlvbi5wbmciLCJyZXBvSWQiOiJiN2U2Z2ozMjluenBuODF0bHNyYTU0bTIifQ.5rKjM9ciXx87fYGg8T8WanUAfarxqNnByh4pkKq7rzw.png?fit=max&auto=format&n=mWt5D3V42IX_J-Yx&q=85&s=6feac7516130258490d4d942825d4a6c" alt="4644" width="4644" height="1430" data-path="assets/basehub/11z2v30-eyJhbGciOiJIUzI1NiJ9.eyJvcmlnaW5VcmwiOiJodHRwczovL2ZpbGVzLnJlYWRtZS5pby81OTM0YjA0LWF3c19pbnRlZ3JhdGlvbi5wbmciLCJyZXBvSWQiOiJiN2U2Z2ozMjluenBuODF0bHNyYTU0bTIifQ.5rKjM9ciXx87fYGg8T8WanUAfarxqNnByh4pkKq7rzw.png" />
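After step 2, the role's trust policy should name Scale's account as its only principal and require the external ID. The added example below (not Scale's or AWS's code) audits a trust policy document, such as the `AssumeRolePolicyDocument` returned by `aws iam get-role`, against those steps; the sample documents, `EXAMPLE-EXTERNAL-ID` and account `111122223333` are constructed placeholders.

```python
SCALE_ACCOUNT_ID = "307185671274"  # Scale's account ID, as given on this page

def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from a bare ID or an IAM ARN; anything else is returned as-is."""
    parts = principal.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) > 5 else principal

def audit_trust_policy(policy, expected_external_id):
    """Return findings for a role trust policy; an empty list means it matches the steps."""
    findings, matched = [], False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        matched = True
        principal = stmt.get("Principal")
        # Principal is "*" or a mapping of type (AWS, Service, ...) to one or more values.
        groups = principal.values() if isinstance(principal, dict) else [principal]
        for p in (str(v) for g in groups for v in _as_list(g)):
            if _account_of(p) != SCALE_ACCOUNT_ID:
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {})
        # Condition key names are case-insensitive, so compare them lower-cased.
        equals = {k.lower(): v for k, v in cond.get("StringEquals", {}).items()}
        if _as_list(equals.get("sts:externalid")) != [expected_external_id]:
            findings.append("sts:ExternalId is missing or does not match the dashboard value")
        if any(k.lower() == "aws:multifactorauthpresent" for op in cond.values() for k in op):
            findings.append("MFA is required, but the setup steps say not to check Require MFA")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings

# Constructed samples: GOOD is what the console steps should produce, BAD deviates.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::307185671274:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
BAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::307185671274:root", "arn:aws:iam::111122223333:root"]},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, "EXAMPLE-EXTERNAL-ID"))
    print(audit_trust_policy(BAD, "EXAMPLE-EXTERNAL-ID"))
```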

> Sample Role Policy for IAM Delegated Access

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "scales3access",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ]
        }
    ]
}
```

Note that if you enable the AWS integration for your account, we will not attempt to fetch attachments from our account (`307185671274`) directly; the policies described in **Cross-account Access** will not work.

### **Cross-account Access**

If IAM delegated access is not configured, we will directly fetch attachments from your S3 bucket, using AWS account ID `307185671274` (canonical ID `ae2259599e139df6cedb60b6300bcafa1c652aff129aa3d887477b6d4abf2e47`), which you can grant access to on a **[per-object basis using ACLs](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-object-permissions.html)** or using **[bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html)**.

For most customers, we recommend setting a **Bucket Policy** that shares the bucket's contents with Scale's account.

A sample Bucket Policy is shown below. Please be sure to replace `YOUR_BUCKET_NAME` with the name of your bucket, either leaving the `/*` as shown or replacing it with a more specific bucket path to further restrict access.

Please note that if using Access Control Lists (ACLs), each object must have its ACL individually updated to grant read access to our account, as Bucket ACLs cannot grant read permissions to the objects inside.

> Sample Bucket Policy for Cross-account Access

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "scale-s3-access",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::307185671274:root"
                ]
            },
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}

```

Please note that this authentication mechanism suffers from the **[confused deputy problem](https://en.wikipedia.org/wiki/Confused_deputy_problem)** — a third party that can guess your S3 URLs will be able to submit tasks with your data.
