Connect data via IAM Delegated Access

When you use IAM delegated access to add your unlabeled data to Labelbox, you can keep your assets in AWS and configure Identity and Access Management (IAM) roles and policies to grant Labelbox read-only access to your S3 buckets.

Configure integration in AWS

Follow these steps to set up the IAM delegated access integration in your AWS account and create an integration in Labelbox.

In Labelbox, go to Account > Integrations, and click New Integration. Copy the Labelbox account ID and external ID.
Set up the CORS configuration for your bucket.
If you need to create a permission policy in AWS, we recommend doing so before you create a role for Labelbox. If you already have a permission policy you plan to use, proceed to step 4.
1. In your IAM Management Console, go to the Policies section, click Create policy, and enter your policy in the JSON tab. This sample policy restricts access to a specific S3 bucket.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::CustomerBucketARN/*"
        }
    ]
}
```
  The s3:GetObject action gives Labelbox read-only access to the bucket you specify. The value for Resource is your Bucket ARN. To find your Bucket ARN, go to your s3 console, select the bucket from the list, go to the Properties tab, and copy the Amazon Resource Name (ARN). The * at the end of the example ARN above is a wildcard character.
  When you are done creating your policy, click Next: Tags.
2. Click Next: Review to bypass the optional Add tags step. Tags are not required to set up this integration.
3. In the Review policy step, name the policy you just created. We recommend naming it something like LabelboxReadAccess.
4. To approve, click Create policy.
From the Roles page, follow these steps:
1. Click Create role.
2. Select Another AWS account.
3. Paste the Labelbox Account ID from step 1.
4. Check the box for Require external ID.
5. Paste the Labelbox External ID from step 1.
6. Do not check the box for Require MFA.
7. Click Next: Permissions.
8. In the Attach permissions policies section, check the box next to the permission policy you created in step 3 to attach it to your role. Or you can select a policy in the list provided (e.g., AmazonS3ReadOnlyAccess).
9. Click Next: Tags.
10. Click Next: Review to bypass the optional Add tags step. Tags are not required to set up this integration.
11. Name the role you created for Labelbox. We recommend naming it something like LabelboxS3Access.
12. When you are done reviewing, click Create role.
Click on the role you just created and copy the Role ARN at the top of the Summary tab. Then, in Labelbox, paste the AWS Role ARN in the provided field and name the integration.
Make sure the integration is set up properly. See our Validate integration docs to learn how to do this.

Note

To learn how to set up your integration programmatically, see our GraphQL docs.

Validate integration

In the Integration tab, the Last checked column indicates whether the integration was successful. If the integration failed, click on the refresh icon to view the error messages.

Here are the possible error messages and our suggestions for troubleshooting your integration setup.

Error	Troubleshooting
"Role cannot be assumed"	Ensure that the integration’s role ARN is correct and that the Labelbox External ID is properly configured in your AWS account.
"External ID configured insecurely"	Ensure that the Labelbox External ID is properly configured in your AWS account.

To learn how to validate the integration programmatically, see our GraphQL docs.

Create the import file

Create your JSON file and make sure it follows the proper format:

Validate dataset

When you upload your dataset into the Labelbox app, Labelbox automatically runs validation checks to determine whether the CORS setup was configured properly, whether Labelbox can successfully fetch data from your S3 bucket, and if Labelbox can properly sign the URLs.

To check the integration status for your dataset, select your project, go to Settings > Datasets, and click on the dataset. From there you can click the refresh icon to view the error messages.

Error message	Troubleshooting
"Incorrect CORS header..."	Ensure your S3 bucket is configured to serve appropriate CORS headers (`https://app.labelbox.com` and `https://editor.labelbox.com`). See our docs for setting up CORS headers.
"Cannot access data row..."	Make sure the IAM integration for the dataset is valid and that the S3 URLs are correct. Make sure the role you created for Labelbox in your AWS account has `GetObject` access to your S3 bucket. Click on the dataset's name to navigate to the dataset details page. Click on a link on one of the data rows and use the response from the server to understand why the request is failing.

Error message

Troubleshooting

"Incorrect CORS header..."

Ensure your S3 bucket is configured to serve appropriate CORS headers (https://app.labelbox.com and https://editor.labelbox.com). See our docs for setting up CORS headers.

"Cannot access data row..."

Make sure the IAM integration for the dataset is valid and that the S3 URLs are correct.

Make sure the role you created for Labelbox in your AWS account has GetObject access to your S3 bucket.

Click on the dataset's name to navigate to the dataset details page. Click on a link on one of the data rows and use the response from the server to understand why the request is failing.

To learn how to validate your dataset programmatically, see our GraphQL docs.

In this section:

Labelbox documentation