Creating Storage Connections

Storage Connections enable AI applications to access your Amazon S3 buckets through Vendia MCP Server. This guide covers the complete setup process, including AWS IAM configuration and creating storage connections in the Vendia platform.

Prerequisites

Before creating Storage Connections, ensure you have:

  1. AWS IAM Role: A role with appropriate permissions for the S3 buckets you want to access

  2. S3 Bucket Access: Access to the S3 bucket(s) you want to use through AI applications. If you do not have an S3 bucket or AWS account, see How to Create an AWS S3 Bucket for step-by-step instructions.

  3. Vendia Account Permissions: Permissions to configure Storage Connections in your Vendia account

Step 1: Start Storage Connection Configuration in Vendia

Start the configuration process in Vendia to obtain the required AWS account numbers:

  1. In your Vendia dashboard, click Go to my MCP Project.

  2. Go to Storage Connections.

  3. Click the + Connection button.

  4. Note the Vendia AWS account numbers displayed in the UI — you will need these to configure the IAM trust relationship.

Step 2: Configure IAM Trust Relationship

Using the account numbers from Step 1, configure the AWS IAM role that Vendia will assume to access your S3 bucket(s).

Grant Vendia access to your S3 bucket by adding a trust relationship to your IAM role:

  1. Go to the AWS IAM dashboard (click All Services > IAM).

  2. In the left navigation, click Roles. On the Roles page, either select an existing role or create a new role, then follow these steps:

  3. Click Create role.

  4. Under Select trusted entity, select Custom trust policy.

  5. Under Custom trust policy, add or merge the trust relationship by copy-pasting the policy shown below.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::VENDIA_ACCOUNT_ID1:root",
              "arn:aws:iam::VENDIA_ACCOUNT_ID2:root"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  6. Click Next.

  7. On the Add permissions step, click Next.

  8. On the Name, review and create step, enter the role name (e.g., vendia-mcp-access) and add a description.

  9. Review your trusted entities and click Create role.
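A check you can run on the trust policy before saving it, which matters most when you merge into an existing role. This is an added example, not Vendia's code; the function name and the sample account numbers are assumptions made for illustration.

```python
import re

# Matches a bare 12-digit account ID or an account-root ARN in any partition.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[a-z-]*:iam::)?(\d{12})(?::root)?$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_accounts):
    """Return findings; an empty list means every Allow statement's
    principals are exactly the expected AWS accounts."""
    findings, trusted = [], set()
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                m = ACCOUNT_RE.match(value) if kind == "AWS" else None
                if value == "*":
                    findings.append(f"statement {i}: wildcard principal")
                elif m is None:  # unreplaced placeholder, role ARN, service, ...
                    findings.append(f"statement {i}: review principal {kind}={value}")
                elif m.group(1) not in expected_accounts:
                    findings.append(f"statement {i}: unexpected account {m.group(1)}")
                else:
                    trusted.add(m.group(1))
    for missing in sorted(set(expected_accounts) - trusted):
        findings.append(f"expected account {missing} is not trusted")
    return findings

# Constructed sample values: 111111111111 and 222222222222 stand in for the
# account numbers shown in the Vendia UI; 333333333333 is an unrelated account.
EXPECTED = {"111111111111", "222222222222"}
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                          "arn:aws:iam::222222222222:root"]}}]}
BAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::VENDIA_ACCOUNT_ID1:root",
                          "arn:aws:iam::333333333333:root"]}}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, audit_trust_policy(doc, EXPECTED))
```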

Step 3: Configure IAM Permissions

Add an inline permissions policy to the role, choosing the permission set that matches your intended use case:

  1. Click the Permissions tab for the selected IAM role.

  2. Click Add permissions and then click Create inline policy.

  3. On the Specify permissions page, you can either select Visual or JSON in the policy editor.

    For most users, we recommend using the JSON editor for precise control and security. See below for JSON policy examples and instructions.

    If you prefer the visual editor, see Visual IAM Policy Editor Guide.

Choose one of the following policy approaches based on your needs:

Option A: Read-Only Access (Full Bucket)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]
    }
  ]
}

Option B: Read and Write Access (Full Bucket)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]
    }
  ]
}

Option C: Complete Access (Read, Write, and Delete - Full Bucket)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]
    }
  ]
}

Replace my-s3-bucket in the policies above, and my-s3-bucket, my-read-folder, my-write-folder, and my-temp-folder in the folder-scoped policy below, with your actual bucket and folder names.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::my-s3-bucket"
    },
    {
      "Sid": "AllowReadFromSpecificFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::my-s3-bucket/my-read-folder/*"
    },
    {
      "Sid": "AllowWriteToSpecificFolder",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::my-s3-bucket/my-write-folder/*"
    },
    {
      "Sid": "AllowDeleteInSpecificFolder",
      "Effect": "Allow",
      "Action": ["s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-s3-bucket/my-temp-folder/*"
    }
  ]
}

Copy-paste your chosen policy into the editor and click Next.

  1. On the Review and create step, enter the policy name (e.g., vendia-mcp-s3-policy) and review the permissions.

  2. Click Create policy to finish.
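To confirm what the folder-scoped policy above actually permits before attaching it, the following added example (not Vendia's or AWS's code) evaluates it against sample object keys. It models only plain Allow statements with no Deny or Condition, and the helper names and keys are assumptions. It also shows that the s3:ListBucket statement, which carries no s3:prefix condition, still lets the role list key names under every folder.

```python
import re

# The folder-scoped policy from this page, placeholder names unchanged
# (Sids omitted for brevity).
FOLDER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::my-s3-bucket"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::my-s3-bucket/my-read-folder/*"},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::my-s3-bucket/my-write-folder/*"},
    {"Effect": "Allow", "Action": ["s3:DeleteObject"],
     "Resource": "arn:aws:s3:::my-s3-bucket/my-temp-folder/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters (including '/'), '?' is one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.S) is not None

def allows(policy, action, resource):
    """True if an unconditional Allow statement covers action on resource."""
    for st in _as_list(policy["Statement"]):
        if set(st) - {"Sid", "Effect", "Action", "Resource"} or st["Effect"] != "Allow":
            raise ValueError("only plain Allow statements are modelled here")
        action_ok = any(_matches(a, action, re.I) for a in _as_list(st["Action"]))
        resource_ok = any(_matches(r, resource) for r in _as_list(st["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def can_list_every_key(policy, bucket):
    """s3:ListBucket is checked against the bucket ARN, not object ARNs, so an
    unconditional grant exposes key names under every prefix in the bucket."""
    return allows(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")

if __name__ == "__main__":
    base = "arn:aws:s3:::my-s3-bucket/"
    for action, key in [("s3:GetObject", "my-read-folder/report.csv"),   # constructed keys
                        ("s3:GetObject", "my-write-folder/report.csv"),
                        ("s3:DeleteObject", "my-read-folder/report.csv")]:
        print(action, key, allows(FOLDER_POLICY, action, base + key))
    print("lists all keys:", can_list_every_key(FOLDER_POLICY, "my-s3-bucket"))
```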

Visual Policy Editor Option

For step-by-step instructions using the AWS visual policy editor (for read and write access), see Visual IAM Policy Editor Guide.

Step 4: Complete Storage Connection Configuration in Vendia

Return to Storage Connections in the Vendia dashboard to complete the configuration:

  1. Provide the following information in the Storage Connection configuration dialog (from Step 1):

    • Name: A friendly name to identify this storage connection configuration

    • Role ARN: The ARN of the AWS role that Vendia will assume (configured in Step 2 and Step 3; you can copy-paste it from the role information page in the IAM dashboard)

    • S3 Bucket Name: The name of the S3 bucket you want to access

    • Bucket Region: The AWS region where your S3 bucket is located (create your bucket in a region that is supported by Vendia)

  2. Configure Access Policies:

    You’ll be asked: “Give AI agents full access to all files and folders in this S3 bucket?”

    • Select Yes to grant AI agents full access (FILE_ALL) to all files and folders in the bucket
    • Select “No, I’d like to decide exactly which files/folders are accessible after creating this Storage Connection” to configure specific access policies after creation. This lets you control exactly which files and folders AI agents can access and what operations they can perform
  3. Advanced Settings (Optional):

    Expand the “Advanced settings” section if you need to configure client-side encryption:

    • Encryption Key (Optional): The encryption master key if using client-side encryption
  4. Click Create Storage Connection to complete the setup:

    You will see your newly created Storage Connection in the list.

  5. If you selected No in step 2 above, configure access policies now:

    • Navigate to the Access Policy tab of your newly created Storage Connection
    • Click + Add Path to define which files and folders AI agents can access
    • See Access Policies for detailed instructions on how to specify which files and folders are accessible, set granular permissions, and manage AI agent access to your S3 bucket.

Using Your Storage Connection

After configuration, you can:

  • View S3 file metadata from within Vendia: Browse your connected S3 bucket and see file names, sizes, last modified timestamps, and file types directly in the Vendia interface

  • Enable AI Application Access: Allow MCP-compatible AI applications to access files in your connected S3 buckets

  • Manage access configurations: Modify or delete storage connection configurations as needed

Need Help?

If you encounter issues during setup or have questions about creating Storage Connections:

Free Tier Support

Enterprise Tier Support