Use this flow when your customer data lives in Amazon S3. Dari assumes a customer-created IAM role in your AWS account and mounts one session prefix into /workspace/customer.

What you share with Dari

  • provider = s3
  • Bucket name
  • Base prefix, for example dari/acme-prod
  • Role ARN
  • Target environment: dev or prod
Example remote layout:
s3://customer-bucket/dari/acme-prod/sessions/sess_123/

1. Get the Dari AWS principal and external ID

Use the AWS principal and external ID provided by Dari for your target environment, for example:
Principal: arn:aws:iam::111122223333:role/dari-storage-prod
External ID: acme-prod-8f2b3d1f

2. Create a cross-account IAM role in your AWS account

Create a role with a trust policy that allows Dari to assume it. Example trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/dari-storage-prod"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "acme-prod-8f2b3d1f"
        }
      }
    }
  ]
}

3. Scope the role to your bucket and base prefix

Grant only the bucket and object permissions needed for your chosen base prefix. Example permissions policy for read and write session storage:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketMetadata",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "BASE_PREFIX",
            "BASE_PREFIX/*"
          ]
        }
      }
    },
    {
      "Sid": "ObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/BASE_PREFIX/*"
    }
  ]
}
If you want a read-only bucket-backed workspace, remove the write and delete actions. If the bucket uses SSE-KMS, also grant the role access to the relevant KMS key.
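A small checker for the two policies above, added here as an example and not part of Dari's own tooling: it flags a trust policy that lacks the external-ID condition or names a different principal, and a permissions policy whose resources or s3:prefix condition reach outside the base prefix. It assumes the principal and external ID shown on this page; the bucket name, base prefix and the two weak sample policies are constructed for the demonstration.

```python
# Values copied from the page's examples; the bucket and base prefix are passed in by the caller.
DARI_PRINCIPAL = "arn:aws:iam::111122223333:role/dari-storage-prod"
EXTERNAL_ID = "acme-prod-8f2b3d1f"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy, principal=DARI_PRINCIPAL, external_id=EXTERNAL_ID):
    """Findings for a trust policy that should let only `principal` assume the role, and only with `external_id`."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        who = _as_list(stmt.get("Principal", {}).get("AWS"))
        if who != [principal]:
            findings.append(f"trust: principal {who} is not exactly {principal}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != external_id:
            findings.append("trust: sts:ExternalId condition missing or wrong (confused-deputy risk)")
    return findings


def lint_permissions_policy(policy, bucket, base_prefix):
    """Findings for a permissions policy that should stay inside s3://bucket/base_prefix/."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for res in _as_list(stmt.get("Resource")):
            if res == bucket_arn:
                prefixes = _as_list(stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix"))
                if not prefixes or any(not p.startswith(base_prefix) for p in prefixes):
                    findings.append(f"{sid}: bucket-level actions are not limited to s3:prefix {base_prefix}")
            elif not res.startswith(f"{bucket_arn}/{base_prefix}/"):
                findings.append(f"{sid}: resource {res} is outside {bucket_arn}/{base_prefix}/")
    return findings


# Constructed samples: a trust policy without the external-ID condition, and object access on the whole bucket.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": DARI_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{"Sid": "ObjectAccess", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::customer-bucket/*"}]}

if __name__ == "__main__":
    for finding in lint_trust_policy(WEAK_TRUST) + lint_permissions_policy(WEAK_PERMS, "customer-bucket", "dari/acme-prod"):
        print(finding)
```

Run it against the JSON you actually attach to the role (load it with `json.load`) before registering the connection; an empty findings list from both functions means the policies match the shape documented in steps 2 and 3.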

4. Register the connection with Dari

Share:
  • provider = s3
  • Bucket name
  • Base prefix
  • Role ARN
  • Environment
Dari will assume that role, derive one session prefix under the base prefix, and mount it into /workspace/customer.

Notes

  • Keep dev and prod in separate prefixes.
  • Grant access only to the bucket and base prefix that Dari needs.
  • Do not use long-lived static AWS access keys as the default production path.
Read Storage Overview for the shared storage model and Connect Storage on GCP for the Google Cloud flow.