For external access to your [Simon Data hosted S3 bucket](🔗) please contact your Account Manager and provide your [AWS account number](🔗).

We'll create a role for your organization that can provide temporary credentials to principals within your account via [AWS’s Security Token Service](🔗).

📘

Read/Write Access

Follow the steps in this guide to grant _both_ read and write access.

Once your Account Manager has shared the role ARN with you, follow the below steps to complete the setup.

# Prerequisites

• An AWS account

• Access to [manage IAM](🔗) to create a new policy

• A [principal](🔗) which the new policy will be attached to. (This principal must have programmatic access enabled.)

# Setup account permissions to allow an AWS Principal to assume the Simon Data role

## Setup via the AWS Console

1. Log in to the AWS console with a principal who has IAM administrator privileges

2. Navigate to the IAM Console

3. On the left-side menu, click **Policies**, then **Create Policy**

4. Click the JSON tab, and paste the policy specified below in the JSON text box. (Update `role-arn` to the ARN we provided you.)

5. Click **Next: Tags**, **Next: Review**

6. Enter a policy name (i.e.`SimonDataCrossAccount`) and a description

7. Click **create policy**

8. On the **attach policy** page, select the principal you want to have access to the S3 bucket then click **attach policy**.

## Setup via the AWS Command Line Interface

1. Log in to AWS via the CLI with a principal who has IAM administrator privileges.

2. Run the following to create the `SimonDataCrossAccount` policy. (Update `role-arn` to the ARN we provided you.)

3. Run the following to attach the policy to a role. (Update `role-example` to the role name we provided you with).

4. To verify that the policy has been successfully attached to the IAM role, run the list-attached-role-policies command:

# Test Programmatic Access

1. Log into your AWS account via the CLI with a principal who was granted the ability to assume the role.

2. To assume the role, run this command.

• Update `role-arn` to the ARN we provided you.

• Update `AWSCLI-Session name` to an identifier (this will show in cloudtrail logs).

3. Create three variables to assume the IAM role:

4. Verify that you assumed the IAM role by running this command:

The AWS CLI command should output the ARN as `arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session` which verifies that you assumed the `clientname_external_sts` role.

5. Verify access to your S3 bucket by running the following command:

6. To return to your previous IAM principal, remove the environment variables: