Configure Amazon S3 for external content indexing

  • Release version: Yokohama
  • Updated November 14, 2025
  • 5 minutes to read

    • Create an Identity and Access Management (IAM) user in the Amazon Web Services (AWS) Management Console. Define an access key for your new user to allow the Amazon S3 external content connector to access your Amazon S3 source system.

    Before you begin

    You need AWS Management Console credentials for your AWS account. You must have sufficient privileges to create an IAM user, define policy permissions for that user, and create an access key for that user. To learn more about these tasks, see the Amazon Web Services IAM users, Define custom IAM permissions with customer managed policies, Permissions required to access IAM resources, Manage access keys for IAM users, and Secure access keys resources.

    Role required: none

    About this task

    The Amazon S3 external content connector retrieves content from buckets in your Amazon S3 source system using the Amazon Web Services (AWS) API. To access your Amazon S3 buckets, the connector uses an access key ID and secret access key that you define for a new Identity and Access Management (IAM) user. You specify bucket access permissions for this IAM user with an IAM policy.

    Your ServiceNow AI Platform needs this IAM user's access key ID and secret access key to configure the Amazon S3 external content connector for proper connection to your AWS account.
    Important:
    All content the connector retrieves from your Amazon S3 buckets is treated as public content, searchable by everyone who has access to your configured AI Search experience.

    Procedure

    1. Create a new IAM policy that defines permissions needed for the Amazon S3 external content connector user.
      1. Log in to the Identity and Access Management page of the AWS Management Console at https://console.aws.amazon.com/iam/.
      2. Navigate to Access management > Policies, then select Create policy.
        Policies page in AWS Management Console IAM web service.
      3. In the Policy editor, select JSON, then paste the following JSON-format policy description into the editor, replacing the default policy description: 
        {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "BucketCrawlPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket-1",
        "arn:aws:s3:::example-bucket-2"
      ]
    },
    {
      "Sid": "ObjectCrawlPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket-1/*",
        "arn:aws:s3:::example-bucket-2/*"
      ]
    }
  ]
}
        Specify permissions page for new policy in AWS Management Console IAM web service.
      4. In the Policy editor, update the Resource array for the BucketCrawlPermissions object to include Amazon Resource Names (ARNs) for all of the Amazon S3 buckets you want the external content connector to be able to crawl.
        This array should only contain ARNs for the Amazon S3 bucket resource type. For details on ARNs, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html. To learn more about resource types defined for Amazon S3, see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies. When granting access to your Amazon S3 buckets, remember that all content crawled by the connector is searchable by everyone who has access to your configured AI Search experience.
      5. In the Policy editor, update the Resource array for the ObjectCrawlPermissions object to include ARNs for all of the Amazon S3 resources you want the external content connector to be able to retrieve.
        This array should only contain ARNs for the Amazon S3 object resource type. You can use wildcards to grant access to all objects in a bucket, as shown in the example ARNs. For details on ARNs, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html. To learn more about resource types defined for Amazon S3, see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies. When granting access to your Amazon S3 bucket resources, remember that all content crawled by the connector is searchable by everyone who has access to your configured AI Search experience.Detail of JSON policy showing Resource arrays for policy objects in AWS Management Console IAM web service.
      6. Select Next.
      7. On the Review and create page, enter a Policy name and optionally a Description for your new policy, then select Create policy.
        As an example, you might enter Amazon-S3-external-content-connector as the policy name and IAM policy with permissions for the ServiceNow Amazon S3 external content connector user. as the definition.Review and create page for new policy in AWS Management Console IAM web service.
      A message confirms that your new IAM policy was created successfully, and the policy appears in the list of IAM policies.Policies list showing newly created policy in AWS Management Console IAM web service.
    2. Create a new IAM user in your AWS account:
      1. In the Identity and Access Management page of the AWS Management Console, navigate to Access management > Users, then select Create user.
        Users page in AWS Management Console IAM web service.
      2. On the Specify user details page, enter a name for your new IAM user, then select Next.
        As an example, you might enter Amazon-S3-external-content-connector-user.Specify user details page for new user in AWS Management Console IAM web service.
      3. On the Set permissions page, select Attach policies directly in the Permissions options section.
      4. In the Permissions policies list, select the option for the new IAM policy that you created in step 1, then select Next.
        Set permissions page for new user in AWS Management Console IAM web service.
      5. On the Review and create page, select Create user.
        Review and create page for new user in AWS Management Console IAM web service.
      A message confirms that your new IAM user was created successfully, and the user appears in the list of IAM users.Users list showing newly created user in AWS Management Console IAM web service.
    3. Create an access key for your new IAM user:
      1. Select View user in the message that appeared when you completed step 2.
        If the message and View user link are no longer visible, navigate to Access management > Users in the AWS Management Console, then select the user that you created in step 2.
      2. In the Security credentials tab, navigate to the Access keys section and select Create access key.
        User editor for new user with Security credentials tab shown in AWS Management Console IAM web service.
      3. On the Access key best practices & alternatives page, select the Application running outside AWS use-case, then select Next.
        Access key best practices & alternatives page for new access key in AWS Management Console IAM web service.
      4. Enter a description tag value for your new access key.
        As an example, you might enter Access key for the ServiceNow Amazon S3 external content connector user.
      5. Select Create access key.
        Set description tag page for new access key in AWS Management Console IAM web service.
        A message confirms that your new access key was created.
      6. On the Retrieve access keys page, copy the new key's Access key and Secret access key values and store them in a secure location.
        Retrieve access keys page for new access key in AWS Management Console IAM web service.
        Important:
        Your connector administrator needs this access key and secret access key when configuring the Amazon S3 external content connector.
      7. Select Done.

    What to do next

    Provide the IAM user access key and secret access key that you copied in step 3.f to your ServiceNow AI Platform admins. Your admin needs these items to configure an Amazon S3 external content connector to retrieve searchable content and security principals from your Amazon S3 buckets.

    For details on creating and configuring an Amazon S3 external content connector, see Create an Amazon S3 external content connector.