Step 1: Create an IAM policy Step 2: Create an execution role Security best practices

Configure IAM permissions

Amazon Location Jobs requires an IAM execution role that grants the service permission to access your Amazon S3 buckets. When you run a job, Amazon Location assumes this role to read input files from your input bucket and write output results to your output bucket on your behalf. You provide these permissions by creating an IAM policy with the required Amazon S3 permissions and attaching it to an IAM role with a trust policy that allows the Amazon Location service to assume the role.

Note

The Amazon S3 input and output buckets you create must exist in the same AWS Region where you plan to run your jobs. The IAM resources you create must be created in the same account.

Step 1: Create an IAM policy

Create an IAM policy that grants the permissions required for Amazon Location jobs.

To create an IAM policy for Amazon Location jobs

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Policies.
Choose Create policy.

Choose the JSON tab and enter the following policy document, replacing INPUT_BUCKET_NAME and OUTPUT_BUCKET_NAME with your bucket names:


{
  "Version": "2012-10-17", 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetObjectVersion",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::INPUT_BUCKET_NAME",
        "arn:aws:s3:::INPUT_BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::OUTPUT_BUCKET_NAME/*"
      ]
    }
  ]
}

Choose Next.
For Policy name, enter a descriptive name such as LocationJobsS3AccessPolicy.
Choose Create policy.

The following table describes the permissions granted by this policy:

Permission	Description
`s3:GetObject`	Allows Amazon Location to read input files from your input bucket.
`s3:ListBucket`	Allows Amazon Location to list files in your input bucket to identify all input files for processing.
`s3:GetObjectVersion`	Allows Amazon Location to access specific versions of input files. Required because versioning must be enabled on your buckets.
`s3:GetBucketVersioning`	Allows Amazon Location to verify that versioning is enabled on your input bucket.
`s3:PutObject`	Allows Amazon Location to write output results to your output bucket.
`s3:AbortMultipartUpload`	Allows Amazon Location to clean up failed multipart uploads when writing large output files.

Note

This policy follows the principle of least privilege by granting only the permissions required for Amazon Location Jobs to function. The policy restricts read permissions to your input bucket and write permissions to your output bucket.

To create an IAM policy using the AWS CLI

Create a file named location-jobs-policy.json with the following content, replacing INPUT_BUCKET_NAME and OUTPUT_BUCKET_NAME with your bucket names:


{
  "Version": "2012-10-17", 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetObjectVersion",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::INPUT_BUCKET_NAME",
        "arn:aws:s3:::INPUT_BUCKET_NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::OUTPUT_BUCKET_NAME/*"
      ]
    }
  ]
}

Create the policy:


aws iam create-policy \
    --policy-name LocationJobsS3AccessPolicy \
    --policy-document file://location-jobs-policy.json

Note the policy ARN from the output. You need this ARN in the next step.

Step 2: Create an execution role

Create an IAM role that Amazon Location assumes to access your Amazon S3 buckets during job execution.

The trust policy allows the Amazon Location service (geo.amazonaws.com) to assume this role. This trust relationship is required for Amazon Location to access your Amazon S3 buckets during job execution.

To create an execution role for Amazon Location jobs

In the IAM console navigation pane, choose Roles.
Choose Create role.
For Trusted entity type, choose Custom trust policy.

Enter the following trust policy, replacing ACCOUNT_ID with your AWS account ID:


{
  "Version": "2012-10-17", 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "geo.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "ACCOUNT_ID"
        }
      }
    }
  ]
}

Choose Next.
Search for and select the policy you created in Step 1 (such as LocationJobsS3AccessPolicy).
Choose Next.
For Role name, enter a descriptive name such as LocationServiceJobExecutionRole.
Choose Create role.

To create an execution role using the AWS CLI

Create a file named trust-policy.json with the following content, replacing ACCOUNT_ID with your AWS account ID:


{
  "Version": "2012-10-17", 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "geo.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "ACCOUNT_ID"
        }
      }
    }
  ]
}

Create the role:


aws iam create-role \
    --role-name LocationServiceJobExecutionRole \
    --assume-role-policy-document file://trust-policy.json

Attach the policy you created in Step 1 (replace ACCOUNT_ID with your AWS account ID and LocationJobsS3AccessPolicy with your policy name if different):
```
aws iam attach-role-policy \
    --role-name LocationServiceJobExecutionRole \
    --policy-arn arn:aws:iam::ACCOUNT_ID:policy/LocationJobsS3AccessPolicy
```

Get the role ARN:


aws iam get-role \
    --role-name LocationServiceJobExecutionRole \
    --query 'Role.Arn' \
    --output text

Note the role ARN from the output. You need this ARN when starting jobs using the ExecutionRoleArn parameter.

After creating the role, note the role ARN. You need this ARN when starting jobs using the ExecutionRoleArn parameter. For more information, see Prepare input data.

Security best practices

Follow these security best practices when configuring IAM permissions for Amazon Location Jobs:

Use specific bucket ARNs: Replace the placeholder bucket names in the policy with your actual bucket names to restrict access to only the buckets you intend to use.
Separate input and output buckets: Use different buckets for input and output to maintain clear separation of read and write permissions.
Enable Amazon S3 bucket versioning: Versioning must be enabled on your buckets. This is required for Amazon Location Jobs to function properly.
Use Amazon S3 bucket policies: Add bucket policies to your Amazon S3 buckets for additional access control beyond IAM policies.
Monitor role usage: Use to monitor when and how the execution role is used by Amazon Location Jobs.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create Amazon S3 buckets

Prepare input data