From 4a04173aabddfd153e71a057882ab06833d52bfb Mon Sep 17 00:00:00 2001 From: Kathryn May Date: Fri, 19 Dec 2025 10:19:47 -0500 Subject: [PATCH] Add policy and clarify permissions required for bulk export --- src/langsmith/data-export.mdx | 67 ++++++++++++++++++++++++++++++++--- 1 file changed, 62 insertions(+), 5 deletions(-) diff --git a/src/langsmith/data-export.mdx b/src/langsmith/data-export.mdx index b3395d7af4..41adef638e 100644 --- a/src/langsmith/data-export.mdx +++ b/src/langsmith/data-export.mdx 
@@ -49,15 +49,72 @@ Update the LangSmith URL appropriately for self-hosted installations or organiza For the EU region, use `eu.api.smith.langchain.com`. - -**Permissions required** +#### Permissions required Both the `backend` and `queue` services require write access to the destination bucket: -- The `backend` service attempts to write a test file to the destination bucket when the export destination is created. -It will delete the test file if it has permission to do so (delete access is optional). +- The `backend` service attempts to write a test file to the destination bucket when the export destination is created. It will delete the test file if it has permission to do so (delete access is optional). - The `queue` service is responsible for bulk export execution and uploading the files to the bucket. - + +**AWS S3 permissions** + +The minimal AWS S3 permission policy requires the following permissions: + +- `s3:PutObject` (required): Allows writing Parquet files to the bucket. +- `s3:DeleteObject` (optional): Used for cleanup of test files during destination creation. +- `s3:GetObject` (optional but recommended): Used to verify file size after writing. + +Minimal IAM policy example: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject" + ], + "Resource": [ + "arn:aws:s3:::YOUR_BUCKET_NAME/*" + ] + } + ] +} +``` + +Recommended IAM policy example with additional permissions: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:DeleteObject", + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::YOUR_BUCKET_NAME/*" + ] + } + ] +} +``` + +**Google Cloud Storage (GCS) permissions** + +When using GCS with the S3-compatible XML API, the following IAM permissions are required: + +- `storage.objects.create` (required): Allows writing files to the bucket. 
+- `storage.objects.delete` (optional): Used for test file cleanup during destination creation. +- `storage.objects.get` (optional but recommended): Used for file size verification after writing. + +These permissions can be granted through the "Storage Object Admin" predefined role or a custom role. + +#### Create a destination The following example demonstrates how to create a destination using cURL. Replace the placeholder values with your actual configuration details. Note that credentials will be stored securely in an encrypted form in our system.
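Review bot: In the GCS paragraph at the end of this hunk, recommending the "Storage Object Admin" predefined role grants far more than the three permissions listed directly above it (`storage.objects.create`, `storage.objects.delete`, `storage.objects.get`), which is at odds with the least-privilege framing used for the S3 policies. Suggest making a custom role with exactly those three permissions the primary recommendation, pointing to the "Storage Object Creator" predefined role for the required-only case, and describing "Storage Object Admin" only as a broader convenience option. It would also help to state, as the S3 section does with its minimal and recommended examples, which of the listed permissions each GCS option covers, and to note that adding `s3:GetObject` or `storage.objects.get` gives the export credentials read access to everything they have written under `YOUR_BUCKET_NAME/*`.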