Prerequisites

  1. Ensure your EC2 instance has an IAM role attached.
  2. Verify the instance profile is properly configured via AWS Console under EC2 › Instance Settings › Attach/Replace IAM role.

Updating the Existing IAM Role

Since your EC2 instance already has an IAM role attached, you need to update it with the necessary S3 permissions:
  1. In AWS Console, go to IAM › Roles and find your EC2 instance’s existing role.
  2. Click on the role and go to the Permissions tab.
  3. Click Add permissions › Attach policies.
  4. Search for and select AmazonS3ReadOnlyAccess policy.
  5. Click Attach policies to add S3 access permissions to your existing role.
Alternatively, for more granular control, you can create a custom inline policy:
  1. In the same role’s Permissions tab, click Add permissions › Create inline policy.
  2. Switch to JSON and add this policy (replace your-source-bucket-name): 
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-source-bucket-name",
        "arn:aws:s3:::your-source-bucket-name/*"
      ]
    }
  ]
}
  3. Name the policy (e.g., OnyxS3Access) and click Create policy.
The connector will automatically detect and use the EC2 instance’s IAM role for accessing your S3 buckets.

Credential Entry in Onyx

When configuring the S3 connector in Onyx, you’ll need to:
  1. Click on the Assume Role tab
  2. No credentials need to be entered - the connector automatically uses your EC2 instance’s attached role
Screenshot of Onyx S3 assume role configuration Once you have updated your EC2 instance’s role with S3 permissions, proceed to the indexing steps in the overview to configure your S3 connector.