# Amazon S3 Bucket Endpoint

An Amazon S3 Bucket Endpoint connects Finout to a specific S3 bucket in your AWS account. Once configured, the endpoint can be reused across multiple Finout features that read from or write to S3 — including telemetry imports, billing data, and Data Exporter.

Each endpoint is scoped to a single bucket and a single permission mode, which you choose at creation time.

### Choose Your Endpoint Mode

Before creating the endpoint, decide which permission mode fits your use case. The mode determines which IAM permissions Finout needs and which Finout features the endpoint can support.

| Mode               | What Finout can do                   | Use this for                                                                                                                                             |
| ------------------ | ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Read Only**      | Read objects from the bucket         | [Telemetry](https://docs.finout.io/telemetry-integrations/telemetry) imports, billing data ingestion, any feature that consumes data you've placed in S3 |
| **Read and Write** | Read and write objects in the bucket | [Data Exporter](https://docs.finout.io/user-guide/inform/data-exporter-beta) — Finout writes daily Parquet files to your bucket                          |

{% hint style="info" %}
A single endpoint cannot switch between modes after creation. If you need both modes against the same bucket, create two endpoints with different prefix paths.
{% endhint %}

### Prerequisites

Before creating an Amazon S3 Bucket Endpoint, make sure you have:

* An S3 bucket in your AWS account
* Permission to create an IAM role and attach an inline policy in that AWS account
* The AWS region of your bucket

### Step 1 — Obtain the External ID from Finout

The External ID is generated by Finout and is required when you create the IAM role in AWS. It ensures only Finout can assume the role on your behalf.

1. In Finout, navigate to **Settings → Endpoints**.
2. Click **Add Endpoint**, then select **Amazon S3**.
3. Under **Bucket Access**, choose the mode you decided on:
   * **Read Only** — for telemetry, billing, and other read-from-S3 use cases
   * **Read and Write** — for Data Exporter
4. Copy the **External ID**. You will paste it into the AWS console in the next step.

<figure><img src="/files/sftyFRi0pHBdLfs5RooY" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Keep this Finout window open. You will return to it in Step 3 to enter the Role ARN and bucket details.
{% endhint %}

### Step 2 — Create the IAM Role and Policy in AWS

The IAM role grants Finout scoped access to your bucket. The trust policy uses the External ID from Step 1, and the inline policy controls exactly what Finout can do.

#### **Create the role**

1. In the AWS console, [create a new cross-account role in IAM](https://console.aws.amazon.com/iam/home?region=us-east-1#/roles%24new?step=type\&roleType=crossAccount).
2. In the **Account ID** field, enter the AWS Account ID associated with the S3 bucket.
3. Select **Require external ID** and paste the External ID you copied from Finout.

<figure><img src="/files/fOrwvqBs2NA6dsoCljem" alt=""><figcaption></figcaption></figure>

4. Click **Next** until you reach the review screen.
5. Name the role and create it. You can use any name; just remember it for the next step.
6. Open the newly created role and copy the **Role ARN**. You will paste it into Finout in Step 3.

{% hint style="info" %}
Suggested role names — pick the one that matches your endpoint mode so it's clear what the role is for:

* Read Only: `Finout-S3-ReadOnly-Role`
* Read and Write: `Finout-DataExporter-Role`
{% endhint %}

#### **Attach the inline policy**

1. In the role page, click **Add permissions** and select **Create inline policy**.
2. Select the **JSON** tab.
3. Paste the policy that matches your endpoint mode:

{% tabs %}
{% tab title="Read Only" %}
Use this policy if your endpoint is for telemetry, billing data, or other read-from-S3 features.\
Replace `<BUCKET_NAME>` (including the angle brackets) with your bucket name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tag:GetTagKeys"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>"
    }
  ]
}
```

{% endtab %}

{% tab title="Read and Write" %}
Use this policy if your endpoint is for Data Exporter, which writes daily files to your bucket.

Replace `<BUCKET_NAME>` (including the angle brackets) with your bucket name:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListMultipartUploadParts",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET_NAME>/*",
        "arn:aws:s3:::<BUCKET_NAME>"
      ]
    }
  ]
}
```

{% endtab %}
{% endtabs %}

4. Click **Next** until you reach the review screen.
5. Name the policy (for example, `finout-s3-access-policy`) and click **Create policy**.
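
An offline check for the two documents created in Step 2, added here as an example (not Finout's or AWS's code): it confirms that the trust policy pins `sts:ExternalId` and that every S3 statement stays inside the intended bucket. The account ID, External ID, bucket name and function names are constructed placeholders.

```python
# Added example: lint the Step 2 role documents offline. All values are constructed.
S3_READ = ["s3:Get*", "s3:List*"]
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["tag:GetTagKeys"], "Resource": "*"},
    {"Effect": "Allow", "Action": S3_READ, "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": S3_READ, "Resource": "arn:aws:s3:::example-bucket"},
]}
# Trust policy of the shape the "Require external ID" wizard produces (placeholder IDs).
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
}]}

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit_trust(policy, external_id):
    """Flag AssumeRole statements with a wildcard principal or no pinned External ID."""
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if "*" in aws:
            findings.append(f"trust[{i}]: wildcard principal")
        # Condition keys are case-insensitive in IAM, so compare in lower case.
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if as_list(cond.get("sts:externalid", [])) != [external_id]:
            findings.append(f"trust[{i}]: sts:ExternalId missing or not the expected value")
    return findings

def audit_permissions(policy, bucket, read_only):
    """Flag S3 statements that reach outside the bucket, or write in Read Only mode."""
    base, findings = f"arn:aws:s3:::{bucket}", []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        s3_actions = [a for a in actions if a.startswith("s3:") or a == "*"]
        if st.get("Effect") != "Allow" or not s3_actions:
            continue  # skips the tag:GetTagKeys statement, which needs Resource "*"
        for r in as_list(st.get("Resource", [])):
            if r != base and not r.startswith(base + "/"):
                findings.append(f"policy[{i}]: S3 access outside bucket: {r}")
        if read_only and any(a.startswith(("s3:put", "s3:delete", "s3:*", "*")) for a in s3_actions):
            findings.append(f"policy[{i}]: write action in Read Only policy")
    return findings

if __name__ == "__main__":
    print(audit_trust(TRUST, "EXAMPLE-EXTERNAL-ID") + audit_permissions(READ_ONLY, "example-bucket", True))
```

An empty list means both documents match what Step 2 describes. To run it against the real role, export the trust and inline policies as JSON and load them in place of the constants.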

### Step 3 — Add the Endpoint in Finout

Return to the **Add Amazon S3 Bucket Endpoint** page in Finout and fill in the bucket details.

1. Fill in the following fields:

| Field                         | Value                                                             |
| ----------------------------- | ----------------------------------------------------------------- |
| **Endpoint Name**             | A descriptive name for this endpoint                              |
| **Description**               | An optional description                                           |
| **Bucket Access**             | The mode you chose in Step 1 (Read Only or Read and Write)        |
| **Role ARN**                  | The ARN of the IAM role you created in Step 2                     |
| **Bucket Name**               | The name of your S3 bucket                                        |
| **S3 Path Prefix** (optional) | A folder path inside the bucket where Finout should read or write |
| **Region**                    | The AWS region of your bucket                                     |

2. Click **Test Endpoint**. Finout verifies the connection by reading from the bucket — and, for Read and Write endpoints, by writing and deleting a test file.
3. Click **Add Endpoint**.

<figure><img src="/files/eAhqCYSuWYvGYvrts4sY" alt=""><figcaption></figcaption></figure>

The endpoint is now available for use across Finout features that support S3.

### Using the Endpoint

Once created, the endpoint can be selected from any Finout feature that reads from or writes to S3:

* [**Telemetry**](https://docs.finout.io/telemetry-integrations/telemetry) — for importing telemetry data from a Read Only endpoint
* [**Data Exporter**](https://docs.finout.io/billing-integrations/data-exporter) — for daily Parquet exports to a Read and Write endpoint

A single endpoint can be reused across multiple features, as long as they all use the same permission mode. To use the same bucket for both reading and writing, create two endpoints with different prefix paths — one in each mode.

#### FAQs

**Can I use the same S3 bucket for multiple endpoints?**

Yes. You can point multiple endpoints at the same bucket, as long as the prefix paths don't conflict. This is the recommended approach if you need both Read Only and Read and Write access to the same bucket.

**Why does the IAM role need an External ID?**

The External ID prevents the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) — it ensures only Finout, acting on your behalf, can assume the role. Each Finout account has a unique External ID.

**Can I edit an endpoint after creating it?**

Not at the moment. If you need a different configuration, create a new endpoint. Contact your customer success manager or <support@finout.io> if you need assistance.

**What happens if my IAM role's permissions change after the endpoint is created?**

Finout will fail to read from or write to the bucket on the next operation.


