Labelbox documentation

Configure integration in AWS

Follow these steps to set up the IAM delegated access integration in your AWS account and create an integration in Labelbox.

  1. In Labelbox, go to Account > Integrations, and click New Integration. Copy the Labelbox account ID and external ID.

  2. Set up the CORS configuration for your bucket.

  3. If you need to create a permission policy in AWS, we recommend doing so before you create a role for Labelbox. If you already have a permission policy you plan to use, proceed to step 4.

    1. In your IAM Management Console, go to the Policies section, click Create policy, and enter your policy in the JSON tab. This sample policy restricts access to a specific S3 bucket.

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": "arn:aws:s3:::CustomerBucketARN/*"
              }
            ]
          }

      The s3:GetObject action gives Labelbox read-only access to the bucket you specify. The value for Resource is your Bucket ARN. To find your Bucket ARN, go to your S3 console, select the bucket from the list, go to the Properties tab, and copy the Amazon Resource Name (ARN). The * at the end of the example ARN above is a wildcard character that matches every object in the bucket.

      When you are done creating your policy, click Next: Tags.

    2. Click Next: Review to bypass the optional Add tags step. Tags are not required to set up this integration.

    3. In the Review policy step, name the policy you just created. We recommend naming it something like LabelboxReadAccess.

    4. To approve, click Create policy.

  4. From the Roles page, follow these steps:

    1. Click Create role.

    2. Select Another AWS account.

    3. Paste the Labelbox Account ID from step 1.

    4. Check the box for Require external ID.

    5. Paste the Labelbox External ID from step 1.

    6. Do not check the box for Require MFA.

    7. Click Next: Permissions.

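    8. In the Attach permissions policies section, check the box next to the permission policy you created in step 3 to attach it to your role. Alternatively, select a policy in the list provided (e.g., AmazonS3ReadOnlyAccess). Note that AmazonS3ReadOnlyAccess grants read access to every bucket in the account, so the bucket-specific policy from step 3 is the narrower choice.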

    9. Click Next: Tags.

    10. Click Next: Review to bypass the optional Add tags step. Tags are not required to set up this integration.

    11. Name the role you created for Labelbox. We recommend naming it something like LabelboxS3Access.

    12. When you are done reviewing, click Create role.

  5. Click on the role you just created and copy the Role ARN at the top of the Summary tab. Then, in Labelbox, paste the AWS Role ARN in the provided field and name the integration.

  6. Make sure the integration is set up properly. See our Validate integration docs to learn how to do this.
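
To check the result of steps 3 and 4 outside the console, the following added example (not Labelbox's code) audits the role's trust policy and permission policy as exported JSON, flagging a missing external ID condition, an unexpected principal, or access wider than s3:GetObject on one bucket. The account ID, external ID, bucket name and sample policies are constructed placeholders.

```python
# Added example: account ID, external ID and bucket name are constructed placeholders.
ACCOUNT_ID, EXTERNAL_ID, BUCKET = "111122223333", "EXAMPLE-EXTERNAL-ID", "example-bucket"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allowing(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_trust_policy(policy, account_id, external_id):
    """Findings for the role's trust policy; an empty list means it matches step 4."""
    findings = []
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    for st in _allowing(policy):
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", "<none>")) if isinstance(principal, dict) else [principal]
        findings += [f"unexpected principal: {p}" for p in aws if p not in allowed]
        # IAM condition keys are case-insensitive, so normalise before the lookup.
        equals = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if _as_list(equals.get("sts:externalid", [])) != [external_id]:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings

def audit_permission_policy(policy, bucket):
    """Findings for the permission policy; empty means read-only on this bucket's objects."""
    findings = []
    for st in _allowing(policy):
        if "NotAction" in st or "NotResource" in st:
            findings.append("NotAction/NotResource grants everything not listed")
        findings += [f"action beyond s3:GetObject: {a}" for a in _as_list(st.get("Action", []))
                     if a.lower() != "s3:getobject"]  # IAM action names are case-insensitive
        findings += [f"resource outside bucket objects: {r}" for r in _as_list(st.get("Resource", []))
                     if not r.startswith(f"arn:aws:s3:::{bucket}/")]
    return findings

# Constructed sample documents, shaped like policies exported from IAM.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{  # no external ID condition
    "Effect": "Allow", "Principal": {"AWS": ACCOUNT_ID}, "Action": "sts:AssumeRole"}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
BROAD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_trust_policy(WEAK_TRUST, ACCOUNT_ID, EXTERNAL_ID))
    print(audit_permission_policy(BROAD_PERMS, BUCKET))
```
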


To learn how to set up your integration programmatically, see our GraphQL docs.