Skip to main content
This guide covers the shared AWS setup for connecting 4MINDS to any AWS-based integration — Amazon S3, Amazon SageMaker, Amazon Bedrock, and AWS Lake Formation. The connection mechanics (IAM Role Federation or Amazon Cognito) are the same across all of them; only the IAM permissions policy changes per integration.

Choosing a Connection Method

4MINDS supports two connection methods for AWS:
Some integrations support additional methods (e.g., Bedrock supports API keys). Those are documented in the integration-specific guides.

AWS Setup (shared across all AWS integrations)

You only need to complete this setup once per AWS account, regardless of how many 4MINDS integrations (S3, SageMaker, Bedrock, Lake Formation) you plan to use. When adding a new integration later, you simply attach the appropriate permissions policy to the same IAM role or Cognito authenticated role.

Step 1: Note Your AWS Region

  1. Sign in to the AWS Management Console
  2. The active region appears in the top-right of the AWS console (e.g., us-east-1). You’ll need to enter this when connecting in 4MINDS
  3. Common regions include us-east-1, us-west-2, eu-west-1, eu-central-1

Step 2: Create the IAM Permissions Policy

The policy you attach depends on which 4MINDS integration you’re setting up. Skip to the relevant section: To create a policy:
  1. Go to AWS Console → IAM (search for “IAM” in the top search bar)
  2. Click Policies in the left sidebar
  3. Click Create policy
  4. Click the JSON tab (switch from the visual editor)
  5. Paste the policy JSON for your integration (see sections below)
  6. Click Next, name the policy (e.g., 4MINDS-S3-Access), and click Create policy
Keep the policy name handy — you’ll attach it in the connection method steps below. You can attach multiple 4MINDS policies to the same role if you’re connecting to more than one AWS integration.
No long-lived credentials are stored. 4MINDS uses OIDC federation to mint short-lived credentials through AWS STS for each request.

A. Register 4MINDS as an OIDC Identity Provider

  1. Go to AWS Console → IAM → Identity Providers (left sidebar)
  2. Click Add Provider
  3. Select OpenID Connect
  4. For Provider URL, enter: https://api.4minds.ai
  5. For Audience, enter: sts.amazonaws.com
  6. Click Add provider
You only need to do this once per AWS account.

B. Create the IAM Role

  1. Go to IAM → RolesCreate role
  2. Under Trusted entity type, select Web identity
  3. Under Identity provider, select api.4minds.ai
  4. Under Audience, select sts.amazonaws.com
  5. Click Next
  6. Attach the permissions policy (or policies) you created in Step 2
  7. Click Next, enter a Role name (e.g., 4MINDS-integration-role), and click Create role
  8. Copy the Role ARN from the role summary page — it looks like: arn:aws:iam::123456789012:role/4MINDS-integration-role

C. Verify the Trust Policy

  1. Open the role you just created
  2. Click the Trust relationships tab → Edit trust policy
  3. Confirm it matches this (with your 12-digit AWS account ID):
Note — External ID is not supported for IAM Role Federation. AWS STS AssumeRoleWithWebIdentity (the API this method uses) does not accept an External ID, so adding an sts:ExternalId condition to the trust policy will cause every connection to fail with AccessDenied. Leave the External ID field blank in 4MINDS for this method. For additional trust hardening, add a condition on a token claim instead. The JWT 4MINDS mints includes sub (e.g. 4minds:org:42:user:7) and, when applicable, org_id and tenant_id. For example:

D. Connect in 4MINDS

  1. In 4MINDS, open Integrations from the main navigation bar and select your integration (e.g., Amazon S3)
  2. Select the IAM Role tab
  3. Paste your IAM Role ARN (from step B.8)
  4. Leave the External ID field blank — it is not supported for IAM Role Federation (see the note in step C)
  5. Enter your AWS Region
  6. Fill in any integration-specific fields (see the Per-Integration Policies & Fields section)
  7. Click Test Connection, then Save Credentials

Connection Method 2: Amazon Cognito

Use this method if your organization manages AWS access through Amazon Cognito User Pools and Identity Pools.
Already have Cognito set up? Skip to Gather Your Cognito Details.

A. Create a Cognito User Pool

  1. Go to AWS Console → Amazon Cognito
  2. Click Create user pool
  3. Under Sign-in experience, check User name (and optionally Email)
  4. Under Security requirements, configure your password policy and MFA (select No MFA for the simplest setup)
  5. Under Sign-up experience, uncheck Enable self-registration
  6. Under Message delivery, select Send email with Cognito
  7. Under Integrate your app:
    • User pool name: 4MINDS-user-pool
    • App client name: 4MINDS-app-client
    • Client secret: optional — 4MINDS supports both
    • Under Authentication flows, ensure ALLOW_USER_PASSWORD_AUTH is checked (required)
  8. Click Create user pool
  9. Copy the User Pool ID — looks like us-east-1_aBcDeFgHi

B. Get the App Client Details

  1. In your new User Pool, go to App integration
  2. Scroll to App clients and analytics and open your app client
  3. Copy the Client ID — looks like 1abc2def3ghi4jkl5mno6pqr
  4. If you generated a client secret, click Show client secret and copy it

C. Create a User in the Pool

  1. In your User Pool, go to UsersCreate user
  2. Enter a User name (e.g., 4MINDS-service-user)
  3. Enter a Temporary password or set a permanent one
  4. Click Create user
If the user status shows FORCE_CHANGE_PASSWORD, complete the password change via AWS CLI before connecting in 4MINDS:

D. Create a Cognito Identity Pool

The Identity Pool maps authenticated Cognito users to an IAM role.
  1. Go to Amazon Cognito → Identity poolsCreate identity pool
  2. Under User access, select Authenticated access
  3. Under Authenticated identity sources, select Amazon Cognito user pool
  4. Under Configure permissions, select Create a new IAM role and name it (e.g., 4MINDS-cognito-auth-role)
  5. Under Connect identity providers, enter the User Pool ID and App Client ID from steps A and B
  6. Enter an Identity pool name (e.g., 4MINDS-identity-pool)
  7. Click Create identity pool
  8. Copy the Identity Pool ID — looks like us-east-1:12345678-abcd-1234-efgh-123456789012

E. Attach Permissions to the Cognito Authenticated Role

  1. Go to IAM → Roles and open the role created in step D.4
  2. Click Add permissions → Attach policies
  3. Attach the permissions policy (or policies) you created in Step 2

Gather Your Cognito Details

Connect in 4MINDS

  1. Open Integrations from the main navigation bar and select your integration
  2. Select the Cognito tab
  3. Fill in all fields from the table above
  4. If your app client has a secret, toggle on App Client Secret and enter it
  5. Enter your AWS Region (must match the region of your User Pool and Identity Pool)
  6. Fill in any integration-specific fields (see below)
  7. Click Test Connection, then Save Credentials

Per-Integration Policies & Fields

Paste the JSON below into the JSON tab when creating a policy in Step 2. You can attach multiple policies to the same IAM role or Cognito authenticated role.

Amazon S3

Connect to Amazon S3 to import datasets and files directly from your S3 buckets.

Policy — Broad Access (list all buckets in the account)

Policy — Least Privilege (restrict to specific buckets)

If you configure Allowed Buckets in 4MINDS, you can drop s3:ListAllMyBuckets entirely and scope access to just the buckets you expose:

Restricting Access with Allowed Buckets

By default, when 4MINDS opens the S3 browser it calls s3:ListAllMyBuckets and shows every bucket in your account. If you’d rather expose only a specific set of buckets — for compliance, tenancy isolation, or just to keep the picker tidy — use the Allowed Buckets field. How it works:
  • With Allowed Buckets empty, 4MINDS lists every bucket the role can see. The IAM policy needs s3:ListAllMyBuckets.
  • With Allowed Buckets populated, 4MINDS never calls ListAllMyBuckets — it only probes the buckets you named via s3:ListBucket. The IAM policy can drop ListAllMyBuckets entirely and scope s3:ListBucket/s3:GetObject to just those bucket ARNs (see Policy — Least Privilege above).
Adding buckets in 4MINDS:
  1. Open IntegrationsAmazon S3
  2. Scroll to the Allowed buckets (optional) section
  3. Click Add bucket — a new text input row appears
  4. Type the exact bucket name (e.g., prod-datasets), not the ARN and not a path
  5. Click Add bucket again to add another row; the button is disabled until the current row has a value
  6. To remove a bucket, click the trash icon next to its row
  7. Click Test Connection to verify the role can head_bucket on each name, then Save Credentials
Behavior during connection test:
  • Each allowed bucket is probed with HeadBucket. If any one fails, the error message names the specific bucket (e.g., “Access denied on bucket ‘prod-datasets’”) so you can fix a typo or missing grant without hunting.
  • Buckets in other regions are reachable but slower — S3 follows a redirect. For best performance, keep all allowed buckets in the region you specified.
When to use it:
  • Multi-tenant AWS accounts where only a subset of buckets contain data you want in 4MINDS
  • Least-privilege IAM setups where you want to drop s3:ListAllMyBuckets and scope Resource to specific ARNs
  • Cleaner UX when your account has hundreds of buckets and users only care about a handful
When to leave it empty:
  • You want 4MINDS to auto-discover new buckets as they’re created without updating the integration
  • You already restrict buckets via IAM — in that case, ListAllMyBuckets simply returns the subset the role can see

4MINDS Fields


Amazon SageMaker

Connect to Amazon SageMaker to create 4MINDS models backed by your deployed SageMaker endpoints.

Policy

Least privilege: Restrict sagemaker:InvokeEndpoint to specific endpoint ARNs if you only want 4MINDS to call certain endpoints. Replace the resource with e.g. arn:aws:sagemaker:us-east-1:123456789012:endpoint/my-endpoint.

4MINDS Fields


Amazon Bedrock

Connect to Amazon Bedrock to use foundation models as 4MINDS models.

Policy

Least privilege: Scope bedrock:InvokeModel to specific model ARNs. See the Bedrock guide for examples.
Alternative: API Key. Bedrock also supports authentication via an API key generated in the Bedrock console — no IAM setup needed. See the Bedrock guide for details.

4MINDS Fields


AWS Lake Formation

Connect to Lake Formation to query governed tables via AWS Glue and Athena.

Policy

Replace <your-athena-results-bucket> with the S3 bucket configured as the Athena query results location (Athena → Settings → Query result location).
Lake Formation grants: The IAM policy above allows the API calls. You must also grant the role SELECT access on the specific databases/tables in the Lake Formation → Data permissions console. Without Lake Formation grants, Athena queries will return no rows.

4MINDS Fields


Testing Your Connection

After saving credentials in 4MINDS:
  1. Click Test Connection — validates credentials and permissions
  2. Success messages vary by integration (e.g., “Found 12 bucket(s)” for S3, “Found 8 foundation model(s)” for Bedrock)
  3. Click Save Credentials to persist

Troubleshooting


Disconnecting

To remove a 4MINDS integration connection:
  1. Open Integrations, select the integration
  2. Click Disconnect
This removes stored credentials from 4MINDS. Your AWS resources (IAM roles, OIDC providers, Cognito pools, policies) are not affected — delete them in the AWS Console if no longer needed.