Skip to main content
Enterprise Connect is available for dedicated instance customers only. Contact your Unstructured account team or Unstructured Support to have it enabled on your instance.
Enterprise Connect is a cross-account AWS authentication method. It lets Unstructured access your AWS resources using only the permissions you define. Those permissions cover reading and writing data through connectors and invoking Amazon Bedrock models on your behalf. You configure the AWS side once, then use it with connectors, AI providers, or both.

Setup requirements

Enterprise Connect requires the following:
  • A dedicated instance provisioned for your Unstructured account, with Enterprise Connect enabled. Contact your Unstructured account team or Unstructured Support to request access and have it enabled.
  • An AWS account where you can create and manage IAM roles.

How Enterprise Connect works

Enterprise Connect uses AWS Security Token Service (STS), a service that grants temporary, limited-privilege credentials to access AWS resources. When a workflow runs, Unstructured calls AWS STS to request temporary credentials for your AWS account. AWS STS validates the request against a trust policy attached to an IAM role you’ve configured. If the validation passes, Unstructured receives temporary credentials scoped to the permissions for the AWS resources you defined in the IAM role. Credentials are never stored and expire automatically.

IAM role and trust policy

Enterprise Connect requires an IAM role with a trust policy. The trust policy permits Unstructured to assume the role and receive the permissions needed to access your AWS resources. The trust policy must include two identifiers that together prevent unauthorized role assumption:
  • External ID — a unique value you generate and provide. Because this value is shared only between you and Unstructured, no third party can use the Unstructured ARN to assume your role, preventing the confused deputy problem. The same value goes in this trust policy and in the Unstructured configuration you set up later.
  • Unstructured dedicated instance role ARN — each dedicated instance has a stable IAM role ARN (Amazon Resource Name). Your trust policy must name this ARN as the trusted principal. Your Unstructured account team provides this ARN. Treat it as the only Unstructured identity allowed to assume this role.
The following trust policy template shows how these identifiers appear in the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<unstructured-dedicated-instance-role-arn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<your-external-id>"
        }
      }
    }
  ]
}

Configure connectors and AI providers

Follow the configuration instructions for the AWS resources Unstructured needs to access: