# Storages

## Customer Access to iMerit Owned Dedicated Bucket

By default, iMerit provides **Cross-account IAM roles** for programmatic access to upload customer data into a predesignated S3 bucket.

These steps are for a customer trying to upload data.

1. Create an IAM role or user in the customer AWS account (role\_1).
2. Give the role\_1 download permission (GetObject) and upload (PutObject) objects to and from the predefined S3 bucket.

```json
{ 
  "Version": "2012-10-17",
  "Statement": [
    {
     "Effect": "Allow",
     "Action": [
       "s3:GetObject",
       "s3:PutObject"
      ],
     "Resource": "arn:aws:s3:::<to be communicated by iMerit team>"
    }
  ]
}
```

## IAM Cross Account Access

The following steps apply when the customer prefers to retain the data within their own infrastructure.

1. Create four S3 buckets with default settings. The bucket names can be chosen as per your internal naming conventions.
   * {*CUSTOMERNAME*}-content.tasking.imerit-prod.io
   * {*CUSTOMERNAME*}-tasking-app-prod-delivery-bucket
   * {*CUSTOMERNAME*}-tasking-app-prod-import-bucket
   * {*CUSTOMERNAME*}-pct-content.tasking.imerit-prod.io
2. Apply the appropriate CORS (Cross-Origin Resource Sharing) configuration to each of the below mentioned buckets:
   * {*CUSTOMERNAME*}-content.tasking.imerit-prod.io and
   * {*CUSTOMERNAME*}-pct-content.tasking.imerit-prod.io

<details>

<summary>Bucket CORS Policy</summary>

{% code lineNumbers="true" %}

```json
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://tools.tasking.imerit-prod.io"
        ]
    }
]
```

{% endcode %}

</details>

3. Upload the [pre-processed data](/project-setup/pre-process-data.md) to\
   `s3://{CUSTOMERNAME}-tasking-app-prod-import-bucket/quickserve_uploads/`
4. Set up an IAM role with the necessary *assume role policy* and *permissions*, as outlined in the code snippet provided below.:

<details>

<summary>Assume Role Policy</summary>

{% code lineNumbers="true" %}

```json
{
    "Version": "2012-10-17",
        "Statement": [
            {

                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::797913408994:role/import-manager-prod",
                        "arn:aws:iam::797913408994:role/pointcloud-converter-prod",
                        "arn:aws:iam::797913408994:role/metafile-generator-prod",
                        "arn:aws:iam::797913408994:role/pointcloud-deliverables-prod",
                        "arn:aws:iam::797913408994:role/tv2-delivery-adapter-prod",
                        "arn:aws:iam::797913408994:role/template-output-generator-prod",
                        "arn:aws:iam::797913408994:role/delivery-manager-prod",
                        "arn:aws:iam::797913408994:role/delivery-manager-api-prod",
                        "arn:aws:iam::797913408994:role/tv2-delegator-api-prod",
                        "arn:aws:iam::797913408994:role/job-builder-prod",
                        "arn:aws:iam::797913408994:role/tv2-delegator-prod"
                    ]
                },
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "imerit-prod"
                    }
                }
            }]
}
```

{% endcode %}

</details>

<details>

<summary>Permissions</summary>

{% code lineNumbers="true" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomerBucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{CUSTOMERNAME}-content.tasking.imerit-prod.io",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-delivery-bucket",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-import-bucket",
                "arn:aws:s3:::{CUSTOMERNAME}-pct-content.tasking.imerit-prod.io",
                "arn:aws:s3:::{CUSTOMERNAME}-content.tasking.imerit-prod.io/*",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-delivery-bucket/*",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-import-bucket/*",
                "arn:aws:s3:::{CUSTOMERNAME}-pct-content.tasking.imerit-prod.io/*"
            ]
        }
    ]
}
```

{% endcode %}

</details>

5. After the above steps are completed and a role is generated, share the following information with iMerit:
   1. Role ARN
   2. CUSTOMERNAME
   3. Region the S3 bucket is set up in


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.imerit-prod.io/project-setup/storages.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.