# Connect Google Cloud Storage to Labelbox via IAM Delegated Access

> Learn how to import your GCS bucket data to Labelbox via IAM delegated access.

This guide provides a complete set of step-by-step instructions for securely connecting your Google Cloud Storage (GCS) bucket to Labelbox. The process uses a dedicated service account to grant Labelbox delegated access to your data.

## Prerequisites

Before you begin, please ensure you have the following:

* Permissions to create service accounts and assign IAM roles in your Google Cloud Platform (GCP) project.
* The name of the GCS bucket you want to connect.
* [Cross-Origin Resource Sharing (CORS)](/docs/create-cors-headers) configured on your GCS account.

## Step 1: Create a custom service account in GCP

First, you will create a new service account in your GCP project that Labelbox will use to access your data.

1. In the Google Cloud Console, navigate to **IAM & Admin > Service Accounts**.
2. Click **Create Service Account**.
3. Enter a **Service account name** (e.g., `labelbox-integration-svc`) and a brief description.
4. Click **Create and Continue**. You do not need to grant this service account access to the project or grant users access to this service account in this step.
5. Click **Done**.
6. From the list of service accounts, copy the **email address** of the service account you just created. You will need it in the next steps.

## Step 2: Assign IAM roles to the service account

Next, you need to grant the new service account the necessary permissions to read data from your GCS bucket and to create security tokens.

### Part A: Grant access to the GCS bucket

1. Navigate to your GCS bucket by going to **Cloud Storage > Buckets**.
2. Select the bucket you want to connect and go to the **Permissions** tab.
3. Click **Grant Access**.
4. In the **New principals** field, paste the email address of the service account you created in Step 1.
5. In the **Assign roles** dropdown, select the **Storage Object Viewer** role.
6. Click **Save**.

### Part B: Grant service account token creator role

1. Navigate back to **IAM & Admin > Service Accounts** and select the service account you created.
2. Go to the **Permissions** tab for that service account.
3. Click **Grant Access**.
4. In the **New principals** field, paste the same service account email address.
5. In the **Assign roles** dropdown, select the **Service Account Token Creator** role.
6. Click **Save**.

## Step 3: Grant Labelbox access to your service account

Now, you will authorize the official Labelbox service account to act on behalf of the service account you created.

1. Navigate back to **IAM & Admin > Service Accounts** and select the service account you created.
2. Go to the **Permissions** tab for that service account.
3. Click **Grant Access**.
4. In the **New principals** field, paste the official Labelbox service account email: `client-gcp-production@labelbox-prod.iam.gserviceaccount.com`.
5. In the **Assign roles** dropdown, select the **Service Account Token Creator** role.
6. Click **Save**.
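
To confirm that Steps 2 and 3 produced only the intended grants, you can audit the two IAM policies offline. The following is an added example, not Labelbox code: it assumes you exported the policies as JSON (for instance with `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`), and the project name, user, and sample policies in it are constructed.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"  # Service Account Token Creator
OBJECT_VIEWER = "roles/storage.objectViewer"            # Storage Object Viewer
LABELBOX_SA = "serviceAccount:client-gcp-production@labelbox-prod.iam.gserviceaccount.com"

def members_for(policy, role):
    """Collect every member bound to `role` across all bindings of a policy."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found

def audit(custom_sa_email, bucket_policy, sa_policy):
    """Return findings; an empty list means the policies match Steps 2 and 3."""
    me = f"serviceAccount:{custom_sa_email}"
    findings = []
    if me not in members_for(bucket_policy, OBJECT_VIEWER):
        findings.append("MISSING bucket: custom SA lacks " + OBJECT_VIEWER)
    creators = members_for(sa_policy, TOKEN_CREATOR)
    for expected in (me, LABELBOX_SA):
        if expected not in creators:
            findings.append(f"MISSING sa: {expected} lacks {TOKEN_CREATOR}")
    # Anyone else holding Token Creator can mint tokens as the custom SA.
    for extra in sorted(creators - {me, LABELBOX_SA}):
        findings.append(f"UNEXPECTED sa: {extra} has {TOKEN_CREATOR}")
    # The guide grants read-only object access; flag any other bucket role.
    for binding in bucket_policy.get("bindings", []):
        if me in binding.get("members", []) and binding.get("role") != OBJECT_VIEWER:
            findings.append(f"EXCESS bucket: custom SA has {binding.get('role')}")
    return findings

# Constructed sample data (not real policies): hypothetical project and user.
SAMPLE_SA = "labelbox-integration-svc@example-project.iam.gserviceaccount.com"
SAMPLE_BUCKET_POLICY = json.loads("""{"bindings": [
  {"role": "roles/storage.objectViewer", "members": ["serviceAccount:labelbox-integration-svc@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectAdmin", "members": ["serviceAccount:labelbox-integration-svc@example-project.iam.gserviceaccount.com"]}]}""")
SAMPLE_SA_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator", "members": [
    "serviceAccount:labelbox-integration-svc@example-project.iam.gserviceaccount.com",
    "user:alice@example.com"]}]}""")

if __name__ == "__main__":
    for line in audit(SAMPLE_SA, SAMPLE_BUCKET_POLICY, SAMPLE_SA_POLICY):
        print(line)
```

On the constructed sample this reports the missing Labelbox grant, the extra user holding Token Creator, and the write-capable bucket role.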

## Step 4: Complete the integration in Labelbox

Finally, return to Labelbox to complete the integration setup.

1. In Labelbox, navigate to **Settings > Integrations** and click **New integration**.
2. Select **Google Cloud Platform**.
3. On the integration page, provide the following details:
   * **Integration Name:** A descriptive name for your integration.
   * **GCS Bucket Name:** The name of your GCS bucket (e.g., `my-bucket`).
   * **Service Account Email:** The email address of the custom service account you created in Step 1.
4. Click **Save integration**.

Labelbox will automatically validate the connection. Once validated, your integration is complete and you can begin creating datasets with your GCS data.

## Step 5: Upload your data

Once the connection is successfully established, you can begin uploading your data to Labelbox.

<Columns cols={2}>
  <Column>
    <Card title="Import image data" icon="plus" horizontal href="/reference/import-image-data" />

    <Card title="Import text data" icon="plus" horizontal href="/reference/import-text-data" />

    <Card title="Import document data" icon="plus" horizontal href="/reference/import-document-data" />

    <Card title="Import HTML data" icon="plus" horizontal href="/reference/import-html-data" />
  </Column>

  <Column>
    <Card title="Import video data" icon="plus" horizontal href="/reference/import-video-data" />

    <Card title="Import geospatial data" icon="plus" horizontal href="/reference/import-geospatial-data" />

    <Card title="Import audio data" icon="plus" horizontal href="/reference/import-audio-data" />
  </Column>
</Columns>

If a dataset is signed by a GCP IAM integration, Labelbox will attempt to sign all data rows with this integration.

The value of `rowData` for each Data Row will be updated as follows (the `queryParams` contain signing information):

`https://storage.googleapis.com/${bucket}/${key}?{queryParams}`

<Info>
  Please ensure that you are using `gsutil` URIs during data import (JSON file or Python SDK).

  Example: `gs://gcs-lb-demo-bucket/test.png`
</Info>

You should now be set up with IAM delegated access. Labelbox will use the roles you assigned to securely access data from your GCS bucket.
