If you store data in AWS S3 and submit tasks with attachments as `s3:` protocol URIs, rather than `http:` or `https:`, we will use the S3 API to fetch your data. For example, instead of sending `https://s3-us-west-2.amazonaws.com/bucket/key`, you would send `s3://bucket/key`.
To access S3 data in your AWS account, Refonte.Ai can assume a role in your account, which has permission to access data in your S3 buckets. This role must be named `Refonte.Ai-Integration`.
To set up IAM Delegated Access:
"Sample Role Policy for IAM Delegated Access"
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "refontes3access",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        "arn:aws:s3:::YOUR_BUCKET_NAME"
      ]
    }
  ]
}
```
Note that if you enable the AWS integration for your account, we will not attempt to fetch attachments from our account (`307185671274`) directly; the policies described in Cross-account Access will not work.
If IAM delegated access is not configured, we will directly fetch attachments from your S3 bucket, using AWS account ID `307185671274` (canonical ID `ae2259599e139df6cedb60b6300bcafa1c652aff129aa3d887477b6d4abf2e47`), which you can grant access to on a per-object basis using ACLs or using bucket policies.
For most customers, we recommend setting a Bucket Policy that shares the bucket's contents with Refonte.Ai's account.
A sample Bucket Policy is shown below. Please be sure to replace `YOUR_BUCKET_NAME` with the name of your bucket, either leaving the `/*` as shown or replacing it with a more specific bucket path to further restrict access.
Please note that if using Access Control Lists (ACLs), each object must have its ACL individually updated to grant read access to our account, as Bucket ACLs cannot grant read permissions to the objects inside.
"Sample Bucket Policy for Cross-account Access"
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "refonte-s3-access",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::307185671274:root"
        ]
      },
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    }
  ]
}
```
Please note that this authentication mechanism suffers from the confused deputy problem — a third party that can guess your S3 URLs will be able to submit tasks with your data.
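Because the cross-account grant is the scope such a request can reach, it helps to check how much of the bucket each external read grant covers. The following is an added example, not Refonte.Ai's code: a small Python audit of a bucket policy document that lists every read grant to another account and whether it is whole-bucket or prefix-scoped. The bucket name, the `labeling/batch-01` prefix and the `own_account` value are constructed placeholders.

```python
import json
import re

# Constructed sample: the cross-account policy with a placeholder bucket, plus a prefix-scoped variant.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "refonte-s3-access", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Principal": {"AWS": ["arn:aws:iam::307185671274:root"]},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "scoped", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::307185671274:root"},
     "Resource": "arn:aws:s3:::example-bucket/labeling/batch-01/*"}
  ]
}""")
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

def _as_list(value):  # IAM accepts a bare string wherever a list is allowed
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """12-digit account ID from an ARN or bare ID, '*' for anyone, else None."""
    if principal == "*":
        return "*"
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def audit_bucket_policy(policy, own_account):
    """Return (sid, account, resource, scope) for every external read grant."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & READ_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for account in filter(None, map(_account_of, arns)):
            if account == own_account:
                continue
            for res in _as_list(stmt.get("Resource", [])):
                # "bucket/*" exposes every key; "bucket/prefix/*" narrows the grant
                whole = re.fullmatch(r"\*|arn:aws:s3:::[^/]+(/\*)?", res) is not None
                scope = "whole-bucket" if whole else "prefix-scoped"
                findings.append((stmt.get("Sid"), account, res, scope))
    return findings

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY, own_account="111122223333"):
        print(finding)
```

To audit a live bucket, pass in the JSON returned by `aws s3api get-bucket-policy` in place of the constructed sample.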