Labelbox documentation

IAM delegated access


When you use IAM delegated access to add your unlabeled data to Labelbox, you can keep your assets in AWS and configure Identity and Access Management (IAM) roles and policies to grant Labelbox read-only access to your S3 buckets.

IAM delegated access presents the following advantages:

  • More secure and robust than IP whitelisting alone.

  • Pre-processing allows for faster loading of large images and videos in the labeling interface.

  • Ability to limit labelers from viewing assets when they are logged out of Labelbox.

  • You no longer need to set up your own proxy servers.

  • You always have the option to revoke access.

  • File-specific access is possible if access to the entire bucket is not required.

Setup guide

IAM Delegated Access is designed to be highly flexible so you can grant Labelbox access to all of your S3 buckets, a single bucket, or even a path within a bucket. You also have the ability to set up different integrations for each dataset or project, if needed.

After you create a role for Labelbox in your AWS account, Labelbox assumes that role in your account to generate a temporary signed URL (current expiry is 15 minutes), uses that URL to access the asset directly from your S3 storage, extracts metadata from the asset, and then loads it into the Editor. Currently, all data processing is performed in US-based data centers.

Follow these steps to set up IAM Delegated Access for your project.

  1. Start the integration in Labelbox.

  2. Set up CORS headers for your S3 bucket.

  3. Create a role and permission policy for Labelbox in your AWS account.

  4. Validate the integration.

  5. Create your import file and import your data.

  6. Validate your dataset.

To learn how Labelbox accesses and stores your data when you import via IAM Delegated Access, see Access & Storage.

To see a sample script for setting this up, see our IAM Delegated Access colab notebook.