
# Connect AWS S3 to Labelbox via IAM Delegated Access

> Step-by-step guide for importing your S3 bucket data to Labelbox via IAM delegated access.

This guide provides a complete set of step-by-step instructions for securely connecting your Amazon S3 bucket data to Labelbox using IAM delegated access.

## Prerequisites

Before you begin, ensure you have the following:

* You have permissions to create IAM roles and policies in your AWS account.
* You know the name of the S3 bucket you want to connect.
* You have configured [Cross-Origin Resource Sharing (CORS)](/docs/create-cors-headers) on your S3 bucket to allow Labelbox to request resources from your cloud storage.

## Step 1: Begin integration in Labelbox

First, you'll start the integration process in the Labelbox UI to obtain the necessary credentials.

1. In Labelbox, navigate to **Settings** > **Integrations**.
2. Under **Add integrations**, select **Sync from a source**.
3. Select **AWS** as your source.
4. From the **Create AWS integration** page, copy the Labelbox AWS account ID and the External ID.
5. Leave this page open in your browser: you will return to it in a later step.

## Step 2: Create a role for Labelbox in AWS

Next, you will create a role in your AWS account that Labelbox can assume to access your S3 bucket.

### Part A: Create a permission policy

1. In your AWS account, navigate to the **IAM Management Console > Policies** page.
2. Click **Create policy** and select the **JSON** policy editor.
3. Paste the following JSON policy, which grants read-only access to a specific S3 bucket.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::CustomerBucketARN/*",
                "arn:aws:s3:::CustomerBucketARN"
            ]
        }
    ]
}
```

<Note>
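  Remember to replace `CustomerBucketARN` with the actual ARN of your S3 bucket, so that the two `Resource` entries take the form `arn:aws:s3:::<bucket-name>/*` and `arn:aws:s3:::<bucket-name>`.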
</Note>

4. Add a name for the policy (for example, `LabelboxReadAccess`) and click **Create policy**.

### Part B: Create a role

1. From the **Roles** page in the IAM Management Console, click **Create role**.
2. Select **Custom trust policy** and paste the following policy. Be sure to enter the **External ID** you obtained from Labelbox in Step 1.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::340636424752:role/lb-aws-delegated-access-role"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": ""
                }
            }
        }
    ]
}
```

3. In the **Add Permissions** step, attach the permission policy you created in Part A (e.g., `LabelboxReadAccess`).
4. Add a name for the role (e.g., `LabelboxS3Access`) and click **Create role**.
5. Click on the role you just created and copy the **Role ARN** from the **Summary** tab.
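Before saving the role, both policies can be checked offline for the two mistakes that matter most here: an empty or missing `sts:ExternalId`, and permissions wider than read-only access to one bucket. The following is an added example, not Labelbox's own validation logic; the helper names are hypothetical, and it only inspects `Allow` statements in the shapes used in this guide.

```python
# Principal ARN and S3 actions are the ones shown in this guide's policies.
LABELBOX_PRINCIPAL = "arn:aws:iam::340636424752:role/lb-aws-delegated-access-role"
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"}

def as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy):
    """Findings for the role trust policy from Part B (hypothetical helper)."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if arns != [LABELBOX_PRINCIPAL]:
            findings.append("principal is not limited to the Labelbox role")
        # Without a non-empty ExternalId the role has no confused-deputy protection.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in cond.items()}.get("sts:externalid")
        values = [] if ext is None else as_list(ext)
        if not values or any(not str(v).strip() for v in values):
            findings.append("sts:ExternalId is missing or empty")
    return findings

def check_permission_policy(policy, bucket):
    """Findings for the permission policy from Part A (hypothetical helper)."""
    findings = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(as_list(stmt.get("Action", []))) - READ_ONLY_ACTIONS
        if extra:
            findings.append(f"actions beyond read-only: {sorted(extra)}")
        stray = set(as_list(stmt.get("Resource", []))) - allowed
        if stray:
            findings.append(f"resources outside the bucket: {sorted(stray)}")
    return findings

# The trust policy exactly as printed in Part B, External ID still blank.
TRUST_TEMPLATE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": LABELBOX_PRINCIPAL},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": ""}}}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST_TEMPLATE))
```

Pasting the trust policy from Part B without filling in the External ID produces the `sts:ExternalId is missing or empty` finding.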

## Step 3: Complete the integration setup in Labelbox

Now, you will add the Role ARN to the new integration you added in Labelbox in Step 1.

1. Go back to the **Create AWS integration** page in Labelbox.
2. In the **Provider ARN and name** section:
   * Set the **integration name**.
   * Enter the **AWS bucket name**.
   * Paste the **AWS Role ARN**.
3. Click **Save integration**.

## Step 4: Validate the integration

After you complete the setup in Labelbox, the system will automatically run a validation check on the integration. You can check the status on the **Integrations > Manage integrations** page. If the integration fails, you can click the refresh icon to view error messages and troubleshoot your setup.

Here are possible error messages and our suggestions for troubleshooting your integration setup.

| Error                               | Troubleshooting                                                                                                                                                                                                                                                                                                                    |
| :---------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Role cannot be assumed*            | Ensure that the integration’s role ARN is correct and that the Labelbox External ID is properly configured in your AWS account. Additionally, your AWS account admin must [activate STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the `us-east-2` region using the IAM console. |
| *External ID configured insecurely* | Ensure that the Labelbox External ID is properly configured in your AWS account.                                                                                                                                                                                                                                                   |

## Step 5: Create, upload, and validate the dataset

Finally, you need to create and validate your dataset.

1. When creating your import file, use virtual-hosted-style URLs that follow this format: `https://<bucket-name>.s3.<region>.amazonaws.com/<key>`. To learn how to format your import file, visit these guides:

<Columns cols={2}>
  <Column>
    <Card title="Import image data" icon="plus" horizontal href="/reference/import-image-data" />

    <Card title="Import text data" icon="plus" horizontal href="/reference/import-text-data" />

    <Card title="Import document data" icon="plus" horizontal href="/reference/import-document-data" />

    <Card title="Import HTML data" icon="plus" horizontal href="/reference/import-html-data" />
  </Column>

  <Column>
    <Card title="Import video data" icon="plus" horizontal href="/reference/import-video-data" />

    <Card title="Import geospatial data" icon="plus" horizontal href="/reference/import-geospatial-data" />

    <Card title="Import audio data" icon="plus" horizontal href="/reference/import-audio-data" />
  </Column>
</Columns>

2. If you created your integration and imported your dataset using the Labelbox UI, Labelbox automatically runs validation checks to determine whether the CORS setup was configured properly. It also checks if Labelbox can successfully fetch data from your S3 bucket and properly sign the URLs.

Your dataset should now be set up with IAM delegated access. Labelbox will use the AWS role you created to generate temporary signed URLs every time it accesses data in your S3 bucket.
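The URL format required in Step 5 can be checked before upload. The following is an added example, not part of Labelbox's tooling: it classifies each URL against the virtual-hosted-style format and the bucket named in the integration. The function names, the bucket `example-bucket` and the sample keys are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Host part of the format in Step 5: <bucket-name>.s3.<region>.amazonaws.com
VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
PATH_STYLE = re.compile(r"^s3(\.[a-z0-9-]+)?\.amazonaws\.com$")

def classify(url, bucket):
    """Return (status, detail) for one import-file URL (hypothetical helper)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "s3":
        return "rewrite", "s3:// URI, not an HTTPS URL"
    if parts.scheme != "https":
        return "reject", "scheme must be https"
    match = VHOST.match(host)
    if match:
        if match["bucket"] != bucket:
            return "reject", "bucket differs from the integration's bucket"
        if not parts.path.lstrip("/"):
            return "reject", "missing object key"
        return "ok", match["region"]
    if PATH_STYLE.match(host):
        return "rewrite", "path-style URL"
    if host.endswith(".s3.amazonaws.com"):
        return "rewrite", "no region in host"
    return "reject", "not an S3 endpoint"

def audit(urls, bucket):
    """Group URLs by status so rows that are not "ok" can be fixed before upload."""
    report = {"ok": [], "rewrite": [], "reject": []}
    for url in urls:
        status, detail = classify(url, bucket)
        report[status].append((url, detail))
    return report

# Constructed sample URLs; bucket name and keys are placeholders.
SAMPLE = [
    "https://example-bucket.s3.us-east-2.amazonaws.com/images/cat.jpg",
    "https://s3.us-east-2.amazonaws.com/example-bucket/images/cat.jpg",
    "s3://example-bucket/images/cat.jpg",
    "https://other-bucket.s3.us-east-2.amazonaws.com/images/cat.jpg",
]

if __name__ == "__main__":
    for status, rows in audit(SAMPLE, "example-bucket").items():
        print(status, rows)
```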
