
# Amazon S3 Bucket

Configure an Amazon S3 bucket as the storage provider for your Maverics deployment. The Console publishes signed config bundles to S3, and Orchestrator instances poll the bucket for updates.

## Prerequisites

* **An active AWS account** -- with permissions to create and manage S3 buckets, IAM roles, and policies
* **A Maverics Console account** -- with access to create or edit deployments

## AWS Setup

<Steps>
  <Step title="Create an S3 Bucket">
    In the AWS Console, navigate to **S3** under the Services menu.

    Select the AWS region where you want the bucket.

    Click **Create bucket**.

    Enter a globally unique bucket name.

    Under **Object Ownership**, select **ACLs disabled (recommended)**.

    Under **Block Public Access settings**, keep **Block all public access** enabled.

    Click **Create bucket**.
  </Step>

  <Step title="Create IAM Policies">
    In the AWS Console, navigate to **IAM** and select **Policies**.

    Click **Create policy** and switch to the **JSON** editor.

    Create a **Console policy** with the following permissions (the Console needs read and write access to publish bundles):

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::YOUR-BUCKET-NAME",
            "arn:aws:s3:::YOUR-BUCKET-NAME/*"
          ]
        }
      ]
    }
    ```

    Name the policy (e.g., "MavericsConsoleBucketAccess") and click **Create policy**.

    Repeat to create an **Orchestrator policy** with read-only access (the Orchestrator only needs to read configuration):

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
        }
      ]
    }
    ```

    Replace `YOUR-BUCKET-NAME` with your actual bucket name in both policies.
  </Step>

  <Step title="Create a Cross-Account IAM Role">
    In the AWS Console, navigate to **IAM** and select **Roles**.

    Click **Create role**.

    Under **Trusted entity type**, select **AWS account**.

    Select **Another AWS account** and enter the Strata Account ID for your region:

    | Region | Strata AWS Account ID |
    | ------ | --------------------- |
    | USA    | `322849791940`        |
    | UK     | `339713018853`        |

    Check **Require external ID** and enter a unique identifier. You will use this value in the Console's **External ID** field.

    Click **Next** and attach the Console policy you created in the previous step.

    Name the role (e.g., "MavericsConsoleRole") and click **Create role**.

    Open the newly created role and copy the **Role ARN** -- you will enter this in the Console's **Role ARN** field.
  </Step>
</Steps>
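
To confirm the cross-account role ended up as the steps above describe, the following added example (not part of the Maverics product or the original page) audits a role trust policy document: it checks that only the Strata account IDs from the table can assume the role and that an `sts:ExternalId` condition is present. The function names, the sample policies, the `EXAMPLE-EXTERNAL-ID` value, and the placeholder account `111122223333` are constructed for illustration.

```python
import re

# Strata AWS account IDs from the table in the role-creation step above.
STRATA_ACCOUNTS = {"322849791940", "339713018853"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Return the 12-digit account ID of a bare ID or IAM ARN, else None."""
    m = re.fullmatch(r"(\d{12})|arn:aws:iam::(\d{12}):.+", principal)
    return (m.group(1) or m.group(2)) if m else None

def audit_trust_policy(policy, allowed_accounts=STRATA_ACCOUNTS):
    """Return findings for a role trust policy; an empty list means it matches the steps."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue  # only statements that let someone assume the role matter here
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else [
            p for value in principal.values() for p in _as_list(value)]
        for p in entries:
            if _account_of(p) not in allowed_accounts:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        # Condition key names are case-insensitive in IAM, so compare lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in equals.items()}.get("sts:externalid"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

# Constructed sample: the shape IAM stores for "Another AWS account" + "Require external ID".
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::322849791940:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
# Constructed sample: an extra (placeholder) account is trusted and no external ID is required.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::322849791940:root", "arn:aws:iam::111122223333:root"]},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_trust_policy(doc) or "ok")
```

Pass it the JSON shown on the role's **Trust relationships** tab, parsed into a dictionary.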

## Storage Configuration

Configure these fields in the Console when creating or editing a deployment with the **Amazon S3 Bucket** provider.

| Field                   | Required | Description                                                |
| ----------------------- | -------- | ---------------------------------------------------------- |
| Bucket Name             | Yes      | The bucket name in Amazon S3                               |
| Role ARN                | Yes      | The ARN of the role with access to your bucket             |
| External ID             | No       | A unique ID that ties the assume role request to your role |
| AWS Region              | Yes      | The AWS region where your bucket is located                |
| Configuration File Path | No       | The path to the configuration file within your S3 bucket   |

<Info>
  The Orchestrator uses the corresponding [config source](/reference/orchestrator/configuration/config-sources) type to retrieve bundles from the deployment provider. If the Console deploys to AWS S3, the Orchestrator uses the [S3 config source](/reference/orchestrator/configuration/config-sources/s3) to poll for updates.
</Info>

## Related Pages

<CardGroup cols={2}>
  <Card title="Publishing Deployment Configs Overview" icon="upload" href="/reference/console/config-publishing">
    Bundle format, signing, deployment lifecycle, and revision history
  </Card>

  <Card title="S3 Config Source" icon="aws" href="/reference/orchestrator/configuration/config-sources/s3">
    Orchestrator-side S3 configuration source reference
  </Card>

  <Card title="Deploy to Production" icon="rocket" href="/guides/operations/deploy">
    Production deployment guide for the Orchestrator
  </Card>
</CardGroup>
