Signed URLs

As an alternative to IAM delegated access, you can use signed URLs (also known as presigned URLs or shared access signatures) to add datasets to Labelbox.

Signed URLs

Signed URLs permit access to resources without requiring updates to policies or other configuration settings.

A signed URL include a hash value that authenticates access requests. In general, signed URLs are valid for limited periods of time. Access to the resource is denied without the hash value; acces is also denied once the hash value expires.

Some cloud providers let you limit signed URLs to specific IP addresses or address blocks.

The hash value is generated by server hosting the file. Each provider provide multiple ways to generate signed URLs.

Here's an example of a signed URL:

http://example.com/filename?hash=DMF1ucDxtqgxwYQ==

Here, the value of the hash parameter is a access token originally generated by the server hosting the file.

Generate signed URLs

The steps for generating signed hashes vary by the cloud provider. To learn more, see one of the following:

• Amazon Web Services (AWS) Simple Storage Service (S3):
  • Working with presigned URLs (AWS docs)
  • Sharing objects with presigned URLs (AWS docs)
• Google Cloud Storage:
  • Signed URLs (Google Cloud docs)
• Microsoft Azure Storage:
  • Grant limited access to Azure Storage resources using shared access signatures (Microsoft docs)

If you're using a different cloud provider or storage service, consult the relevant docs for help generating signed URLs.

Related info

• To learn more about IAM delegated access, see Cloud storage integrations.
• To allow Labelbox to access your data rows, add the server addresses to your allow list.
• For help setting up cross origin resource sharing (CORS), see Configure CORS.
• See Webhooks to learn how to set up and manage an endpoint for Labelbox.