Use these GraphQL operations to configure IAM Delegated Access programmatically.

To learn how to set up IAM Delegated Access for your cloud storage solution, see our IAM Delegated Access docs.

Get integration ID

Use this query to get a list of all IAM integrations.

query GetIntegrations {
  iamIntegrations {
    id
    name
  }
}

Create integration

Use the createAwsIamIntegration mutation to create a Delegated Access integration between your S3 bucket and Labelbox.

Specifying the roleArn when you are creating the integration is optional.

The id returned from this createAwsIntegration mutation is the Labelbox External ID. The Labelbox AWS account ID is 340636424752.

Field

Type

Description

name

String

The name of the new IAM integration.

roleArn

String

The ARN (Amazon Resource Name) for the role created for Labelbox in your AWS account. If you do not have a role yet, you can leave out roleArn.

mutation CreateIntegration {
    createAwsIamIntegration (data: { 
      name: "AWS IAM Integration" 
      roleArn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
    }) {
    id
    }
}

Validate integration

Use the validateIamIntegration mutation to ensure that the integration you set up via IAM was configured properly.

Field

Type

Description

valid

Boolean

Indicates whether the IAM integration is valid.

name

IamIntegrationValidationCheckName

Values are AWSAssumeRole and AWSExternalID. See Troubleshooting for more information.

success

Boolean

Indicates whether the check was successful.

mutation CheckIntegration {
  validateIamIntegration (where: {id: "<INTEGRATION_ID>"}) {
    valid
    checks { 
      name
      success
    }
  }
}

Update integration

Use the updateAwsIamIntegration mutation to update the role ARN associated with the integration. Use the where argument to specify which integration you want to update and the data argument to specify what you want to update (i.e., roleArn or name).

Field

Type

Description

name

String

Name of the IAM integration you want to update.

roleArn

String

ARN of the IAM integration you want to update.

id

ID

ID for the integration you created via the createAwsIamIntegration mutation.

mutation UpdateIntegration {
    updateAwsIamIntegration (
        data: { 
            roleArn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
            name: "<NEW_INTEGRATION_NAME>"
        },
    where: { 
            id: "<INTEGRATION_ID>" 
        }) {
            id
        }
}

Attach integration to a dataset

Use the setSignerForDataset mutation to attach an IAM integration to your dataset. Use the where argument to specify the dataset and the data argument to specify what to change.

Field

Type

Description

signerId

ID

The ID of an IAM integration to use as a signer for the dataset.

id

ID

Dataset ID.

mutation SetSignerForDataset {
    setSignerForDataset (
    data: { signerId: "<INTEGRATION_ID>" },
    where: { id: "<DATASET_ID>" }) {
        id
        signer {
        id
    }
    }
}

Validate dataset

When you create your dataset via the GraphQL API, you'll need to run a dataset validation yourself. Use the validateDataset mutation to do this.

This returns a payload with the status of the various checks that you can use for troubleshooting.

Field

Type

Description

valid

Boolean

Indicates whether the dataset was connected to the IAM integration successfully.

name

DatasetValidationCheckName

Values are CORSPreflight and FetchAsset. For more information, see the Troubleshooting section.

success

Boolean

Indicates whether the dataset validation check was successful.

mutation ValidateDataset {
  validateDataset (where: {id: "<DATASET_ID>"}){
    valid
    checks {
      name
      success
    }
  }
}