

# Upload the firmware file to an Amazon S3 bucket and add an IAM role

**Note**  
You'll need to perform these steps only if you're using the AWS CLI to create a wireless gateway task definition and perform the update. If you're using the AWS Management Console, you can skip these steps and proceed to [Schedule and run gateway firmware update task](lorawan-schedule-firmware-update.md).

You can use Amazon S3 to create a *bucket*, which is a container that can store your firmware update file. You can upload your file to the S3 bucket and add an IAM role that allows the CUPS server to read your update file from the bucket. For more information about Amazon S3, see [Getting started with Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html).

The firmware update file that you want to upload depends on the gateway you're using. If you followed a procedure similar to the one described in [(Optional) Generate the firmware update file and signature](lorawan-script-fwupdate-sigkey.md), you'll upload the `fwstation` file generated by running the scripts.

**Topics**
+ [Create an Amazon S3 bucket and upload the update file](#lorawan-create-s3-bucket)
+ [Create an IAM role with permissions to read the S3 bucket](#lorawan-s3-iam-permissions)
+ [Review the next steps](#lorawan-s3iam-next-steps)

## Create an Amazon S3 bucket and upload the update file


You'll create an Amazon S3 bucket by using the AWS Management Console and then upload your firmware update file into the bucket.

**Create an S3 bucket**  
To create an S3 bucket, sign in to the [Amazon S3 console](https://console.aws.amazon.com/s3/home#) and choose **Create bucket**. Then perform the following steps:

**Note**  
Make sure you selected the same AWS Region as the one you used to create your LoRaWAN gateway and device.

1. Enter a unique and meaningful name for **Bucket name** (for example, `iotwirelessfwupdate`). For the recommended naming conventions for your bucket, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).

1. Verify the following settings for your Amazon S3 bucket, and then choose **Create bucket**.
   + Make sure that the **Block all public access** setting is selected so that your bucket uses the default permissions.
   + Choose **Enable** for **Bucket versioning**, which will help you keep multiple versions of the firmware update file in the same bucket.
   + Choose **Server-side encryption** and make sure that it is set to **Disable**.

**Upload your firmware update file**  
You can now see your bucket in the list of buckets displayed in the AWS Management Console. Choose your bucket, choose **Upload**, and then complete the following steps.

1. Choose **Add file** and then upload the firmware update file. If you followed the procedure described in [(Optional) Generate the firmware update file and signature](lorawan-script-fwupdate-sigkey.md), you'll upload the `fwstation` file; otherwise, upload the file provided by your gateway manufacturer.

1. Make sure all settings are set to their default. Make sure that **Predefined ACLs** is set to **private** and choose **Upload** to upload your file.

1. Copy the S3 URI of the file you uploaded. Choose your bucket and you'll see the file you uploaded displayed in the list of **Objects**. Choose your file and then choose **Copy S3 URI**. The URI will be something like `s3://iotwirelessfwupdate/fwstation` if you named your bucket similar to the example described previously (`iotwirelessfwupdate`). You'll use the S3 URI when creating the IAM role.

## Create an IAM role with permissions to read the S3 bucket


You'll now create an IAM role and policy that will give CUPS the permission to read your firmware update file from the S3 bucket.

**Create an IAM policy for your role**  
To create an IAM policy for your AWS IoT Core for LoRaWAN destination role, open the [Policies hub of the IAM console](https://console.aws.amazon.com/iam/home#/policies) and then complete the following steps:

1. Choose **Create policy**, and choose the **JSON** tab.

1. Delete any content from the editor and paste this policy document. The policy provides permissions to access the `iotwirelessfwupdate` bucket and the firmware update file, `fwstation`, stored as an object inside the bucket.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "s3:ListBucketVersions",
                   "s3:ListBucket",
                   "s3:GetObject"
               ],
               "Resource": [
                   "arn:aws:s3:::iotwirelessfwupdate/fwstation",
                   "arn:aws:s3:::iotwirelessfwupdate"
               ]
           }
       ]
   }
   ```

1. Choose **Review policy**, and in **Name**, enter a name for this policy (for example, `IoTWirelessFwUpdatePolicy`). You'll use this name in the next procedure.

1. Choose **Create policy**.

**Create an IAM role with the attached policy**  
You'll now create an IAM role and attach the policy created previously for accessing the S3 bucket. Open the [Roles hub of the IAM console](https://console.aws.amazon.com/iam/home#/roles) and choose **Create role**, and then complete the following steps:

1. In **Select type of trusted entity**, choose **Another AWS account**.

1. In **Account ID**, enter your AWS account ID, and then choose **Next: Permissions**.

1. In the search box, enter the name of the IAM policy that you created in the previous procedure. In the search results, select the IAM policy you created earlier (for example, `IoTWirelessFwUpdatePolicy`).

1. Choose **Next: Tags**, and then choose **Next: Review**.

1. In **Role name**, enter the name of this role (for example, `IoTWirelessFwUpdateRole`), and then choose **Create role**.

**Edit trust relationship of the IAM role**  
In the confirmation message displayed after you ran the previous step, choose the name of the role you created to edit it. You'll edit the role to add the following trust relationship.

1. In the **Summary** section of the role you created, choose the **Trust relationships** tab, and then choose **Edit trust relationship**.

1. In **Policy Document**, change the `Principal` property to look like this example.

   ```
   "Principal": { 
       "Service": "iotwireless.amazonaws.com" 
   },
   ```

   After you change the `Principal` property, the complete policy document should look like this example.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "iotwireless.amazonaws.com"
         },
         "Action": "sts:AssumeRole",
         "Condition": {}
       }
     ]
   }
   ```

1. To save your changes and exit, choose **Update Trust Policy**.

1. Obtain the ARN for your role. Choose your IAM role and in the Summary section, you'll see a **Role ARN**, such as `arn:aws:iam::123456789012:role/IoTWirelessFwUpdateRole`. Copy this **Role ARN**.
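Before you use the role, you can check offline that the two policy documents agree with the S3 URI you copied. The following Python sketch is an added example, not part of the AWS procedure or tooling: `check_fw_update_role` and its helpers are hypothetical names, the inputs are constructed from this page's example values, and wildcard matching is approximated with `fnmatch` rather than IAM's own evaluation logic.

```python
import json
from fnmatch import fnmatchcase
SERVICE = "iotwireless.amazonaws.com"  # service principal from the trust policy above

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy, action, arn):
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if (stmt.get("Effect") == "Allow"
                and any(fnmatchcase(action.lower(), a) for a in actions)
                and any(fnmatchcase(arn, r) for r in _as_list(stmt.get("Resource", [])))):
            return True
    return False

def check_fw_update_role(s3_uri, permissions_policy, trust_policy):
    """Return findings; an empty list means both documents match this page's setup."""
    bucket, _, key = s3_uri[len("s3://"):].partition("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{key}"
    findings = []
    if not _allows(permissions_policy, "s3:GetObject", object_arn):
        findings.append(f"s3:GetObject is not allowed on {object_arn}")
    if not _allows(permissions_policy, "s3:ListBucket", bucket_arn):
        findings.append(f"s3:ListBucket is not allowed on {bucket_arn}")
    # The role only has to read one object, so flag anything wider.
    if _allows(permissions_policy, "s3:GetObject", f"{bucket_arn}/constructed-other-key"):
        findings.append("s3:GetObject also covers other objects in the bucket")
    if _allows(permissions_policy, "s3:PutObject", object_arn):
        findings.append("role can overwrite the firmware update file")
    # Every Allow on sts:AssumeRole must name only the iotwireless service principal.
    principals = [s.get("Principal") for s in _as_list(trust_policy["Statement"])
                  if s.get("Effect") == "Allow"
                  and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if principals != [{"Service": SERVICE}]:
        findings.append(f"trust policy must allow sts:AssumeRole only to {SERVICE}")
    return findings

# Constructed inputs that mirror the example names used on this page.
PERMISSIONS = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:ListBucketVersions", "s3:ListBucket", "s3:GetObject"],
  "Resource": ["arn:aws:s3:::iotwirelessfwupdate/fwstation", "arn:aws:s3:::iotwirelessfwupdate"]}]}''')
TRUST = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "iotwireless.amazonaws.com"}, "Action": "sts:AssumeRole"}]}''')

if __name__ == "__main__":
    print(check_fw_update_role("s3://iotwirelessfwupdate/fwstation", PERMISSIONS, TRUST) or "OK")
```

A trust policy that still names an account principal instead of the service, or a permissions policy whose `Resource` no longer matches the copied S3 URI, shows up as a finding.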

## Review the next steps


Now that you have created the S3 bucket and an IAM role that allows the CUPS server to read the S3 bucket, go to the next topic to schedule and run the firmware update. Keep the **S3 URI** and **Role ARN** that you copied previously so that you can enter them to create a task definition that will be run to perform the firmware update.