# Connecting Shade with AWS S3

**Create the bucket**

1. Create a bucket. Keep note of the region and bucket name that you create.
   1. Just change the bucket name input. All other defaults can be left the same (general purpose, no ACL, block all public access, no bucket versioning, server-side encryption, no advanced settings).

**CORS configuration**

1. Click into the bucket and click the permissions tab. Scroll to the `Cross-origin resource sharing (CORS)` section.

<figure><img src="/files/yxWLa0PPTUX3nsHnuipq" alt=""><figcaption></figcaption></figure>

2. Click edit and then paste this JSON.

{% code fullWidth="false" %}

```
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [
            "ETag",
            "Content-Length",
            "Content-Disposition",
            "Content-Encoding",
            "x-amz-request-id",
            "x-amz-id-2",
            "x-amz-version-id",
            "x-amz-server-side-encryption"
        ],
        "MaxAgeSeconds": 3000
    }
]
```

{% endcode %}

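This JSON allows web browsers to access the bucket. It is secure because we provide redirects from our server and maintain the specific scope of CORS permissions there, so this configuration can be left generic. CORS only tells browsers which origins may read responses; it does not grant access to objects, which stay private under the `block all public access` default chosen when the bucket was created.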

**Create the scoped policy**

1. Under `IAM` click `Policies` then click `Create policy`

   1. Most mistakes that we see happen right here where the policies aren’t customized correctly

   <figure><img src="/files/gIlhC571w4oXKKh7PCab" alt=""><figcaption></figcaption></figure>
2. Customize the JSON below by changing the `Resource` entry from `the-bucket-name-you-provisioned-earlier` to the name of the bucket you created first. **This is in two spots: one under the `bucketname` resource and one under the `bucketname/*` resource.**

```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"s3:ListBucket",
				"s3:GetBucketLocation"
			],
			"Resource": "arn:aws:s3:::the-bucket-name-you-provisioned-earlier"
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:DeleteObject"
			],
			"Resource": "arn:aws:s3:::the-bucket-name-you-provisioned-earlier/*"
		}
	]
}
```

3. Use the JSON editor and paste this into the policy editor
4. Give the policy a name that reflects its access to the Shade bucket created earlier, and add a description. Create the policy.
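
Because the bucket name has to be changed in two spots, a quick offline check of the edited policy catches the half-customized case before it is pasted into IAM. The script below is an added example, not part of Shade's tooling; `lint_policy`, `as_list` and the bucket name `example-shade-bucket` are hypothetical names chosen for illustration, and the check assumes the two-statement layout shown above.

```python
import json

PLACEHOLDER = "the-bucket-name-you-provisioned-earlier"
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

# The guide's policy, compacted; the placeholder is exactly as the page gives it.
TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
     "Resource": "arn:aws:s3:::" + PLACEHOLDER},
    {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
     "Resource": "arn:aws:s3:::" + PLACEHOLDER + "/*"}]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_text, bucket):
    """Return a list of problems in the scoped policy for `bucket` (empty = OK)."""
    bucket_arn = "arn:aws:s3:::" + bucket
    object_arn = bucket_arn + "/*"
    problems, seen = [], set()
    for i, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        resources = as_list(stmt.get("Resource", []))
        seen |= actions
        for res in resources:
            if PLACEHOLDER in res:
                problems.append(f"statement {i}: placeholder not replaced in {res}")
        # Bucket-level actions only match the bare bucket ARN.
        if actions & BUCKET_ACTIONS and resources != [bucket_arn]:
            problems.append(f"statement {i}: bucket actions need Resource {bucket_arn}")
        # Object-level actions only match the bucket/* ARN.
        if actions & OBJECT_ACTIONS and resources != [object_arn]:
            problems.append(f"statement {i}: object actions need Resource {object_arn}")
        extra = actions - BUCKET_ACTIONS - OBJECT_ACTIONS
        if extra:
            problems.append(f"statement {i}: broader than the guide: {sorted(extra)}")
    missing = (BUCKET_ACTIONS | OBJECT_ACTIONS) - seen
    if missing:
        problems.append(f"missing actions: {sorted(missing)}")
    return problems

if __name__ == "__main__":
    bucket = "example-shade-bucket"  # constructed sample name
    half_done = TEMPLATE.replace(PLACEHOLDER, bucket, 1)  # only the first spot edited
    for label, text in [("half customized", half_done),
                        ("fully customized", TEMPLATE.replace(PLACEHOLDER, bucket))]:
        print(label, "->", lint_policy(text, bucket) or "OK")
```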

**Create the user**

1. Now under `Users` on the left sidebar of IAM click `Create user`
2. Give the user a name that's relevant to Shade. This is the user that Shade servers will use to access your bucket and sign URLs.
3. Choose `Attach policies directly` and find the policy that you created. Hit the checkbox to attach it and press next

<figure><img src="/files/yMixNGJgBmuv1hq8qj04" alt=""><figcaption></figcaption></figure>

4. Create the user
5. Now click into the user and hit `Create access key`

<figure><img src="/files/6vreTR27XWpC85l9WhNy" alt=""><figcaption></figcaption></figure>

6. Select `Application running outside AWS`

<figure><img src="/files/nu4ExnYujfBHlk8BKpwj" alt=""><figcaption></figcaption></figure>

7. Save the created Access and Secret key to your computer

**Create drives in Shade**

1. In the Shade app create a BYOS drive

<figure><img src="/files/8JV7zr2OesGbCINN1CY8" alt=""><figcaption></figcaption></figure>

2. Use the `Custom` configuration for creating your bucket
3. Fill the configuration with the proper values. Pay attention to the endpoint. Use the `s3.<region>.amazonaws.com` format prefixed with `https://`. Find these endpoints depending on the region you created your bucket in under `Amazon S3 endpoints` on this page: <https://docs.aws.amazon.com/general/latest/gr/s3.html>

<figure><img src="/files/V4yy4jujyt3tTJ2JFzqe" alt=""><figcaption></figcaption></figure>

4. Upload a file for testing. You should see objects appear in your S3 bucket, and the file should upload and get previews/proxies normally.


