

# Configuring an IAM role for S3 Batch Replication

Because Amazon S3 Batch Replication is a type of Batch Operations job, you must create an AWS Identity and Access Management (IAM) role that grants Batch Operations permission to perform actions on your behalf, and you must attach a Batch Replication IAM policy to that role. 

Use the following procedures to create a policy and an IAM role that give Batch Operations permission to initiate a Batch Replication job.

**To create a policy for Batch Replication**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access management**, choose **Policies**.

1. Choose **Create policy**.

1. On the **Specify permissions** page, choose **JSON**.

1. Insert one of the following policies, depending on whether Amazon S3 generates your manifest or you supply your own. For more information about manifests, see [Specifying a manifest for a Batch Replication job](s3-batch-replication-batch.md#batch-replication-manifest). 

   Before using these policies, replace the `user input placeholders` in the following policies with the names of your replication source bucket, manifest bucket, and completion report bucket. 
**Note**  
Your IAM role for Batch Replication needs different permissions, depending on whether you are generating a manifest or supplying one, so make sure that you choose the appropriate policy from the following examples.

**Policy if using and storing an Amazon S3 generated manifest**

------
#### [ JSON ]


   ```
   {
      "Version":"2012-10-17",
      "Statement": [
         {
            "Action": [
               "s3:InitiateReplication"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
            ]
         },
         {
            "Action": [
               "s3:GetReplicationConfiguration",
               "s3:PutInventoryConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-source-bucket"
            ]
         },
         {
            "Action": [
               "s3:GetObject",
               "s3:GetObjectVersion"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
            ]
         },
         {
            "Effect": "Allow",
            "Action": [
               "s3:PutObject"
            ],
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*",
               "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
            ]
         }
      ]
   }
   ```

------

**Policy if using a user-supplied manifest**

------
#### [ JSON ]


   ```
   {
      "Version":"2012-10-17",
      "Statement": [
         {
            "Action": [
               "s3:InitiateReplication"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
            ]
         },
         {
            "Action": [
               "s3:GetObject",
               "s3:GetObjectVersion"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
            ]
         },
         {
            "Effect": "Allow",
            "Action": [
               "s3:PutObject"
            ],
            "Resource": [
               "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
            ]
         }
      ]
   }
   ```

------

1. Choose **Next**.

1. Specify a name for the policy, and then choose **Create policy**.

**To create an IAM role for Batch Replication**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access management**, choose **Roles**.

1. Choose **Create role**.

1. Choose **AWS service** as the type of trusted entity. In the **Use case** section, choose **S3** as the service, and **S3 Batch Operations** as the use case.

1. Choose **Next**. The **Add permissions** page appears. In the search box, search for the policy that you created in the preceding procedure. Select the checkbox next to the policy name, then choose **Next**. 

1. On the **Name, review, and create** page, specify a name for your IAM role.

1. In the **Step 1: Trust identities** section, verify that your IAM role is using the following trust policy. The principal is the Batch Operations service; to keep a Batch Operations job in another account from assuming this role (the confused deputy problem), you can additionally add `aws:SourceAccount` and `aws:SourceArn` condition keys to this statement:

------
#### [ JSON ]


   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Effect":"Allow",
            "Principal":{
               "Service":"batchoperations.s3.amazonaws.com"
            },
            "Action":"sts:AssumeRole"
         }
      ]
   }
   ```

------

1. In the **Step 2: Add permissions** section, verify that your IAM role is using the policy that you created earlier. 

1. Choose **Create role**. 
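The two console procedures above can be reproduced as code, which is useful when the role is managed alongside the rest of your account configuration. The following script is an added example, not AWS's own code: it renders the permissions policy for either manifest mode with the same statements as the JSON above, renders the trust policy, runs a small least-privilege check over the result, and only calls IAM (via boto3) when invoked with `--apply`. The bucket names, the account ID `111122223333`, and the role and policy names are placeholders, and the `aws:SourceAccount` / `aws:SourceArn` conditions in the trust policy are a hardening added here rather than part of the page's trust policy.

```python
"""Render, lint and optionally deploy the IAM role for S3 Batch Replication.

Added example (not AWS's own code). Bucket names, the account ID and the
role/policy names are placeholders to replace before use.
"""
import json


def permissions_policy(source_bucket, manifest_bucket, report_bucket,
                       s3_generated_manifest):
    """Return the Batch Replication permissions policy as a dict.

    The extra statement and the extra PutObject target are only needed when
    Amazon S3 generates the manifest, matching the two policies above.
    """
    statements = [{
        "Effect": "Allow",
        "Action": ["s3:InitiateReplication"],
        "Resource": [f"arn:aws:s3:::{source_bucket}/*"],
    }]
    if s3_generated_manifest:
        # S3 reads the replication config and writes the generated manifest.
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:GetReplicationConfiguration",
                       "s3:PutInventoryConfiguration"],
            "Resource": [f"arn:aws:s3:::{source_bucket}"],
        })
    statements.append({
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": [f"arn:aws:s3:::{manifest_bucket}/*"],
    })
    put_targets = [f"arn:aws:s3:::{report_bucket}/*"]
    if s3_generated_manifest:
        put_targets.append(f"arn:aws:s3:::{manifest_bucket}/*")
    statements.append({
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": put_targets,
    })
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(account_id):
    """Trust policy from the procedure plus confused-deputy conditions (added
    here): only Batch Operations jobs created in account_id may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "batchoperations.s3.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:{account_id}:job/*"},
            },
        }],
    }


def lint_policy(policy):
    """Return least-privilege findings for Allow statements; [] means clean."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource")
    return findings


def deploy(iam, role_name, policy_name, perms, trust):
    """Create the policy and the role and attach them. `iam` is a boto3 IAM client."""
    policy_arn = iam.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(perms))["Policy"]["Arn"]
    role_arn = iam.create_role(
        RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust))["Role"]["Arn"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return role_arn


if __name__ == "__main__":
    import sys
    perms = permissions_policy("amzn-s3-demo-source-bucket",
                               "amzn-s3-demo-manifest-bucket",
                               "amzn-s3-demo-completion-report-bucket",
                               s3_generated_manifest=True)
    trust = trust_policy("111122223333")  # placeholder account ID
    print(json.dumps(perms, indent=2))
    print(json.dumps(trust, indent=2))
    problems = lint_policy(perms)
    if problems:
        sys.exit("refusing to deploy: " + "; ".join(problems))
    if "--apply" in sys.argv:
        import boto3  # only required for deployment
        print(deploy(boto3.client("iam"), "BatchReplicationRole",
                     "BatchReplicationPolicy", perms, trust))
```

Run it without arguments to review the rendered documents; pass `--apply` with credentials that can create IAM roles and policies to deploy them. The lint step is deliberately simple: it catches a `Resource: "*"` or `s3:*` that crept in during editing, which is the most common way these role policies end up broader than the job needs.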