Choosing a Connection Method
4MINDS supports two connection methods for AWS:| Method | When to use | Security model |
|---|---|---|
| IAM Role Federation (recommended) | You want zero long-lived credentials stored in 4MINDS | Temporary credentials minted on-demand via OIDC + AWS STS (1 hour lifetime) |
| Amazon Cognito | Your organization already uses Cognito User Pools for identity | Authenticated Cognito identity assumes an IAM role with Bedrock/S3/etc. permissions |
Some integrations support additional methods (e.g., Bedrock supports API keys). Those are documented in the integration-specific guides.
AWS Setup (shared across all AWS integrations)
You only need to complete this setup once per AWS account, regardless of how many 4MINDS integrations (S3, SageMaker, Bedrock, Lake Formation) you plan to use. When adding a new integration later, you simply attach the appropriate permissions policy to the same IAM role or Cognito authenticated role.Step 1: Note Your AWS Region
- Sign in to the AWS Management Console
- The active region appears in the top-right of the AWS console (e.g.,
us-east-1). You’ll need to enter this when connecting in 4MINDS - Common regions include
us-east-1,us-west-2,eu-west-1,eu-central-1
Step 2: Create the IAM Permissions Policy
The policy you attach depends on which 4MINDS integration you’re setting up. Skip to the relevant section: To create a policy:- Go to AWS Console → IAM (search for “IAM” in the top search bar)
- Click Policies in the left sidebar
- Click Create policy
- Click the JSON tab (switch from the visual editor)
- Paste the policy JSON for your integration (see sections below)
- Click Next, name the policy (e.g.,
4MINDS-S3-Access), and click Create policy
Connection Method 1: IAM Role Federation (Recommended)
No long-lived credentials are stored. 4MINDS uses OIDC federation to mint short-lived credentials through AWS STS for each request.A. Register 4MINDS as an OIDC Identity Provider
- Go to AWS Console → IAM → Identity Providers (left sidebar)
- Click Add Provider
- Select OpenID Connect
- For Provider URL, enter:
https://api.4minds.ai - For Audience, enter:
sts.amazonaws.com - Click Add provider
B. Create the IAM Role
- Go to IAM → Roles → Create role
- Under Trusted entity type, select Web identity
- Under Identity provider, select
api.4minds.ai - Under Audience, select
sts.amazonaws.com - Click Next
- Attach the permissions policy (or policies) you created in Step 2
- Click Next, enter a Role name (e.g.,
4MINDS-integration-role), and click Create role - Copy the Role ARN from the role summary page — it looks like:
arn:aws:iam::123456789012:role/4MINDS-integration-role
C. Verify the Trust Policy
- Open the role you just created
- Click the Trust relationships tab → Edit trust policy
- Confirm it matches this (with your 12-digit AWS account ID):
Optional — External ID: For additional cross-account security, you can add an sts:ExternalId condition to the trust policy. If you do, enter the same External ID in 4MINDS when connecting.
D. Connect in 4MINDS
- In 4MINDS, open Integrations from the main navigation bar and select your integration (e.g., Amazon S3)
- Select the IAM Role tab
- Paste your IAM Role ARN (from step B.8)
- If you configured an External ID, enter it
- Enter your AWS Region
- Fill in any integration-specific fields (see the Per-Integration Policies & Fields section)
- Click Test Connection, then Save Credentials
Connection Method 2: Amazon Cognito
Use this method if your organization manages AWS access through Amazon Cognito User Pools and Identity Pools.Already have Cognito set up? Skip to Gather Your Cognito Details.
A. Create a Cognito User Pool
- Go to AWS Console → Amazon Cognito
- Click Create user pool
- Under Sign-in experience, check User name (and optionally Email)
- Under Security requirements, configure your password policy and MFA (select No MFA for the simplest setup)
- Under Sign-up experience, uncheck Enable self-registration
- Under Message delivery, select Send email with Cognito
- Under Integrate your app:
- User pool name:
4MINDS-user-pool - App client name:
4MINDS-app-client - Client secret: optional — 4MINDS supports both
- Under Authentication flows, ensure ALLOW_USER_PASSWORD_AUTH is checked (required)
- User pool name:
- Click Create user pool
- Copy the User Pool ID — looks like
us-east-1_aBcDeFgHi
B. Get the App Client Details
- In your new User Pool, go to App integration
- Scroll to App clients and analytics and open your app client
- Copy the Client ID — looks like
1abc2def3ghi4jkl5mno6pqr - If you generated a client secret, click Show client secret and copy it
C. Create a User in the Pool
- In your User Pool, go to Users → Create user
- Enter a User name (e.g.,
4MINDS-service-user) - Enter a Temporary password or set a permanent one
- Click Create user
FORCE_CHANGE_PASSWORD, complete the password change via AWS CLI before connecting in 4MINDS:
D. Create a Cognito Identity Pool
The Identity Pool maps authenticated Cognito users to an IAM role.- Go to Amazon Cognito → Identity pools → Create identity pool
- Under User access, select Authenticated access
- Under Authenticated identity sources, select Amazon Cognito user pool
- Under Configure permissions, select Create a new IAM role and name it (e.g.,
4MINDS-cognito-auth-role) - Under Connect identity providers, enter the User Pool ID and App Client ID from steps A and B
- Enter an Identity pool name (e.g.,
4MINDS-identity-pool) - Click Create identity pool
- Copy the Identity Pool ID — looks like
us-east-1:12345678-abcd-1234-efgh-123456789012
E. Attach Permissions to the Cognito Authenticated Role
- Go to IAM → Roles and open the role created in step D.4
- Click Add permissions → Attach policies
- Attach the permissions policy (or policies) you created in Step 2
Gather Your Cognito Details
| Field | Where to find it | Example |
|---|---|---|
| User Pool ID | Cognito → User Pools → Overview | us-east-1_aBcDeFgHi |
| App Client ID | Cognito → User Pools → App integration | 1abc2def3ghi4jkl5mno6pqr |
| App Client Secret | Same as above (only if generated) | abcdef123456... |
| Identity Pool ID | Cognito → Identity Pools | us-east-1:12345678-abcd-1234-efgh-123456789012 |
| Username | Cognito user created in step C | 4MINDS-service-user |
| Password | Permanent password for that user | — |
Connect in 4MINDS
- Open Integrations from the main navigation bar and select your integration
- Select the Cognito tab
- Fill in all fields from the table above
- If your app client has a secret, toggle on App Client Secret and enter it
- Enter your AWS Region (must match the region of your User Pool and Identity Pool)
- Fill in any integration-specific fields (see below)
- Click Test Connection, then Save Credentials
Per-Integration Policies & Fields
Paste the JSON below into the JSON tab when creating a policy in Step 2. You can attach multiple policies to the same IAM role or Cognito authenticated role.Amazon S3
Connect to Amazon S3 to import datasets and files directly from your S3 buckets.Policy — Broad Access (list all buckets in the account)
Policy — Least Privilege (restrict to specific buckets)
If you configure Allowed Buckets in 4MINDS, you can drops3:ListAllMyBuckets entirely and scope access to just the buckets you expose:
| Permission | Purpose |
|---|---|
s3:ListAllMyBuckets | Enumerates all buckets in the account (skip if using Allowed Buckets) |
s3:ListBucket | Lists objects within a bucket |
s3:GetObject | Downloads file contents during import |
Restricting Access with Allowed Buckets
By default, when 4MINDS opens the S3 browser it callss3:ListAllMyBuckets and shows every bucket in your account. If you’d rather expose only a specific set of buckets — for compliance, tenancy isolation, or just to keep the picker tidy — use the Allowed Buckets field.
How it works:
- With Allowed Buckets empty, 4MINDS lists every bucket the role can see. The IAM policy needs
s3:ListAllMyBuckets. - With Allowed Buckets populated, 4MINDS never calls
ListAllMyBuckets— it only probes the buckets you named vias3:ListBucket. The IAM policy can dropListAllMyBucketsentirely and scopes3:ListBucket/s3:GetObjectto just those bucket ARNs (see Policy — Least Privilege above).
- Open Integrations → Amazon S3
- Scroll to the Allowed buckets (optional) section
- Click Add bucket — a new text input row appears
- Type the exact bucket name (e.g.,
prod-datasets), not the ARN and not a path - Click Add bucket again to add another row; the button is disabled until the current row has a value
- To remove a bucket, click the trash icon next to its row
- Click Test Connection to verify the role can
head_bucketon each name, then Save Credentials
- Each allowed bucket is probed with
HeadBucket. If any one fails, the error message names the specific bucket (e.g., “Access denied on bucket ‘prod-datasets’”) so you can fix a typo or missing grant without hunting. - Buckets in other regions are reachable but slower — S3 follows a redirect. For best performance, keep all allowed buckets in the region you specified.
- Multi-tenant AWS accounts where only a subset of buckets contain data you want in 4MINDS
- Least-privilege IAM setups where you want to drop
s3:ListAllMyBucketsand scopeResourceto specific ARNs - Cleaner UX when your account has hundreds of buckets and users only care about a handful
- You want 4MINDS to auto-discover new buckets as they’re created without updating the integration
- You already restrict buckets via IAM — in that case,
ListAllMyBucketssimply returns the subset the role can see
4MINDS Fields
| Field | Required | Notes |
|---|---|---|
| AWS Region | Yes | Region where your buckets live |
| Default Bucket | No | Pre-selected bucket in the browser UI |
| Allowed Buckets | No | Restrict which buckets 4MINDS can see. Leave empty to list all |
Amazon SageMaker
Connect to Amazon SageMaker to create 4MINDS models backed by your deployed SageMaker endpoints.Policy
| Permission | Purpose |
|---|---|
sagemaker:ListEndpoints | Discovers deployed inference endpoints |
sagemaker:ListModels | Lists registered SageMaker models |
sagemaker:ListTrainingJobs | Lists training jobs (used for model lineage) |
sagemaker:DescribeEndpoint / DescribeEndpointConfig / DescribeModel | Retrieves endpoint and model metadata |
sagemaker:InvokeEndpoint | Sends prompts to a SageMaker endpoint at inference time |
sts:GetCallerIdentity | Verifies the connection |
Least privilege: Restrictsagemaker:InvokeEndpointto specific endpoint ARNs if you only want 4MINDS to call certain endpoints. Replace the resource with e.g.arn:aws:sagemaker:us-east-1:123456789012:endpoint/my-endpoint.
4MINDS Fields
| Field | Required | Notes |
|---|---|---|
| AWS Region | Yes | Region where your endpoints are deployed |
Amazon Bedrock
Connect to Amazon Bedrock to use foundation models as 4MINDS models.Policy
| Permission | Purpose |
|---|---|
bedrock:ListFoundationModels / GetFoundationModel | Discovers available foundation models |
bedrock:ListCustomModels / GetCustomModel | Discovers fine-tuned custom models (optional) |
bedrock:InvokeModel / InvokeModelWithResponseStream | Runs inference at request time |
sts:GetCallerIdentity | Verifies the connection |
Least privilege: Scope bedrock:InvokeModel to specific model ARNs. See the Bedrock guide for examples.
Alternative: API Key. Bedrock also supports authentication via an API key generated in the Bedrock console — no IAM setup needed. See the Bedrock guide for details.
4MINDS Fields
| Field | Required | Notes |
|---|---|---|
| AWS Region | Yes | Region where Bedrock is enabled |
AWS Lake Formation
Connect to Lake Formation to query governed tables via AWS Glue and Athena.Policy
<your-athena-results-bucket> with the S3 bucket configured as the Athena query results location (Athena → Settings → Query result location).
| Permission | Purpose |
|---|---|
glue:GetDatabase / GetDatabases / GetTable / GetTables | Browses the Glue Data Catalog that backs Lake Formation |
athena:StartQueryExecution / GetQueryExecution / GetQueryResults | Runs SELECT queries against governed tables |
s3:GetObject / PutObject / ListBucket on the results bucket | Reads Athena query results written to S3 |
sts:GetCallerIdentity | Verifies the connection |
Lake Formation grants: The IAM policy above allows the API calls. You must also grant the role SELECT access on the specific databases/tables in the Lake Formation → Data permissions console. Without Lake Formation grants, Athena queries will return no rows.
4MINDS Fields
| Field | Required | Notes |
|---|---|---|
| AWS Region | Yes | Region of the Glue Catalog / Lake Formation |
| Athena Workgroup | No | Workgroup used for queries (defaults to primary) |
| Athena Results Location | Yes | s3://your-athena-results-bucket/path/ — must match the bucket in the policy above |
Testing Your Connection
After saving credentials in 4MINDS:- Click Test Connection — validates credentials and permissions
- Success messages vary by integration (e.g., “Found 12 bucket(s)” for S3, “Found 8 foundation model(s)” for Bedrock)
- Click Save Credentials to persist
Troubleshooting
| Issue | Solution |
|---|---|
AccessDenied on connection test | The IAM policy isn’t attached to the role, or the policy is missing a required action |
AccessDenied on a specific bucket (S3) | The bucket is in Allowed Buckets but the policy doesn’t include it in its Resource — add the bucket ARN or remove it from Allowed Buckets |
NoSuchBucket | The bucket name in Allowed Buckets is a typo or lives in a different region |
Unrecognized client | Wrong AWS region, or the service isn’t enabled in that region |
| Role federation fails | Verify the OIDC provider URL is exactly https://api.4minds.ai with audience sts.amazonaws.com |
Cognito: FORCE_CHANGE_PASSWORD | Complete the password change via AWS CLI (see step C) |
Cognito: NotAuthorizedException | Username or password is wrong, or the app client doesn’t have ALLOW_USER_PASSWORD_AUTH enabled |
| Lake Formation: queries return no rows | Grant the role SELECT in Lake Formation → Data permissions on the target databases/tables |
Disconnecting
To remove a 4MINDS integration connection:- Open Integrations, select the integration
- Click Disconnect