Creating Storage Connections

Storage Connections enable AI applications to access your Amazon S3 buckets through Vendia MCP Server. This guide covers the complete setup process, including AWS IAM configuration and creating storage connections in the Vendia platform.

Prerequisites

Before creating Storage Connections, ensure you have:

1. AWS IAM Role: A role with appropriate permissions for the S3 buckets you want to access

2. S3 Bucket Access: Access to the S3 bucket(s) you want to use through AI applications. If you do not have an S3 bucket or AWS account, see How to Create an AWS S3 Bucket for step-by-step instructions.

3. Vendia Account Permissions: Permissions to configure Storage Connections in your Vendia account

Note

In the free tier, you have permissions to configure Storage Connections by default.

Step 1: Start Storage Connection Configuration in Vendia

Start the configuration process in Vendia to obtain the required AWS account numbers:

1. In your Vendia dashboard, click Go to my MCP Project.

   

2. Go to Storage Connections.

3. Click the + Connection button.

   

4. Note the Vendia AWS account numbers displayed in the UI — you will need these to configure the IAM trust relationship.

   

Step 2: Configure IAM Trust Relationship

Using the account numbers from Step 1, configure the AWS IAM role that Vendia will assume to access your S3 bucket(s).

Grant Vendia access to your S3 bucket by adding a trust relationship to your IAM role:

1. Go to the AWS IAM dashboard (click All Services > IAM).

2. In the left navigation, click Roles. On the Roles page, either select an existing role or create a new role, then follow these steps:

3. Click Create role.

   

4. Under Select trusted entity, select Custom trust policy.

   

5. Under Custom trust policy, add or merge the trust relationship by copy-pasting the policy shown below.

   

   Note

   Use the Vendia AWS account numbers displayed in the UI from Step 1 and replace them with VENDIA_ACCOUNT_ID1 and VENDIA_ACCOUNT_ID2 fields respectively in the policy below.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": [
             "arn:aws:iam::VENDIA_ACCOUNT_ID1:root",
             "arn:aws:iam::VENDIA_ACCOUNT_ID2:root"
           ]
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }

6. Click Next.

7. On the Add permissions step, click Next.

8. On the Name, review and create step, enter the role name (e.g., vendia-mcp-access) and add a description.

   

9. Review your trusted entities and click Create role.

   

Step 3: Configure IAM Permissions

Choose the appropriate permission set based on your intended use case:

Permission Options

You can configure permissions for read-only access, write access (which includes read), complete access (which includes read, write, and delete), or use a segregated approach for enhanced security.

1. Click the Permissions tab for the selected IAM role.

2. Click Add permissions and then click Create inline policy.

   

3. On the Specify permissions page, you can either select Visual or JSON in the policy editor.

   For most users, we recommend using the JSON editor for precise control and security. See below for JSON policy examples and instructions.

   If you prefer the visual editor, see Visual IAM Policy Editor Guide.

Choose one of the following policy approaches based on your needs:

Option A: Read-Only Access (Full Bucket)

Important

This policy grants read-only access to the entire bucket at the IAM level. However, you can use Vendia Access Policies to further restrict which specific files and folders are actually accessible to AI agents, providing fine-grained control without modifying your IAM configuration.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]
    }
  ]
}

Option B: Read and Write Access (Full Bucket)

Important

This policy grants both read and write access to the entire bucket at the IAM level. You can then use Vendia Access Policies to restrict AI agents to specific folders or file types — for example, allowing reads everywhere but limiting writes to designated output directories.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]
    }
  ]
}

Option C: Complete Access (Read, Write, and Delete - Full Bucket)

Important

This policy grants full access to the entire bucket at the IAM level, including the ability to delete files. While this provides maximum flexibility, you can use Vendia Access Policies to enforce strict controls — such as limiting deletes to temporary folders while allowing reads and writes elsewhere — without needing to modify your IAM role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]
    }
  ]
}

Option D: Segregated Directories (Recommended for Enhanced Security)

Security Best Practice

This approach provides defense-in-depth by segregating read, write, and delete operations at the IAM level. Alternatively, you can grant broader IAM permissions (like Options A-C) and achieve similar segregation using Vendia Access Policies — this gives you the flexibility to adjust which folders AI agents can access without modifying your IAM role each time.

Replace my-s3-bucket, my-read-folder, my-write-folder, and my-temp-folder with your actual bucket and folder names.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::my-s3-bucket"
    },
    {
      "Sid": "AllowReadFromSpecificFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::my-s3-bucket/my-read-folder/*"
    },
    {
      "Sid": "AllowWriteToSpecificFolder",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::my-s3-bucket/my-write-folder/*"
    },
    {
      "Sid": "AllowDeleteInSpecificFolder",
      "Effect": "Allow",
      "Action": ["s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-s3-bucket/my-temp-folder/*"
    }
  ]
}

Copy-paste your chosen policy into the editor and click Next.

1. On the Review and create step, enter the policy name (e.g., vendia-mcp-s3-policy) and review the permissions.

   

2. Click Create policy to finish.

Visual Policy Editor Option

For step-by-step instructions using the AWS visual policy editor (for read and write access), see Visual IAM Policy Editor Guide.

Step 4: Complete Storage Connection Configuration in Vendia

Return to Storage Connections in the Vendia dashboard to complete the configuration:

1. Provide the following information in the Storage Connection configuration dialog (from Step 1):

   • Name: A friendly name to identify this storage connection configuration

   • Role ARN: The ARN of the AWS role that Vendia will assume (configured in Step 2 and Step 3; you can copy-paste it from the role information page in the IAM dashboard)

     

   • S3 Bucket Name: The name of the S3 bucket you want to access

   • Bucket Region: The AWS region where your S3 bucket is located (create your bucket in a region that is supported by Vendia)

2. Configure Access Policies:

   You’ll be asked: “Give AI agents full access to all files and folders in this S3 bucket?”

   • Select Yes to grant AI agents full access (FILE_ALL) to all files and folders in the bucket
   • Select No, I’d like to decide exactly which files/folders are accessible after creating this Storage Connection to configure specific access policies after creation, allowing you to control exactly which files and folders AI agents can access and what operations they can perform

   Access Policy Recommendation

   For enhanced security, select No and configure specific access policies that limit AI agent access to only the necessary files and operations. See Access Policies for detailed configuration guidance.

3. Advanced Settings (Optional):

   Expand the “Advanced settings” section if you need to configure client-side encryption:

   • Encryption Key (Optional): The encryption master key if using client-side encryption

4. Click Create Storage Connection to complete the setup:

   You will see your newly created Storage Connection in the list:

5. If you selected No in step 2 above, configure access policies now:

   • Navigate to the Access Policy tab of your newly created Storage Connection
   • Click + Add Path to define which files and folders AI agents can access
   • See Access Policies for detailed instructions on how to specify which files and folders are accessible, set granular permissions, and manage AI agent access to your S3 bucket.

Using Your Storage Connection

After configuration, you can:

• View S3 file metadata from within Vendia: Browse your connected S3 bucket and see file names, sizes, last modified timestamps, and file types directly in the Vendia interface

• Enable AI Application Access: Allow MCP-compatible AI applications to access files in your connected S3 buckets

• Manage access configurations: Modify or delete storage connection configurations as needed

Need Help?

If you encounter issues during setup or have questions about creating Storage Connections:

Free Tier Support

• Review the MCP Free Tier FAQ for Free Tier-specific questions
• Submit questions via our contact form (online support only)

Enterprise Tier Support

• Review our MCP Server FAQ for common questions
• Contact Vendia Support for technical assistance