Use these GraphQL operations to configure IAM Delegated Access programmatically.
To learn how to set up IAM Delegated Access for your cloud storage solution, see our IAM Delegated Access docs.
Get integration ID
Use this query to get a list of all IAM integrations.
query GetIntegrations {
iamIntegrations {
id
name
}
}
Create integration
Use the createAwsIamIntegration mutation to create a Delegated Access integration between your S3 bucket and Labelbox.
Specifying the roleArn when you are creating the integration is optional.
The id returned from this createAwsIntegration mutation is the Labelbox External ID. The Labelbox AWS account ID is 340636424752.
| Field | Type | Description |
|---|---|---|
name | String | The name of the new IAM integration. |
roleArn | String | The ARN (Amazon Resource Name) for the role created for Labelbox in your AWS account. If you do not have a role yet, you can leave out roleArn. |
mutation CreateIntegration {
createAwsIamIntegration (data: {
name: "AWS IAM Integration"
roleArn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
}) {
id
}
}
Validate integration
Use the validateIamIntegration mutation to ensure that the integration you set up via IAM was configured properly.
| Field | Type | Description |
|---|---|---|
valid | Boolean | Indicates whether the IAM integration is valid. |
name | IamIntegrationValidationCheckName | Values are AWSAssumeRole and AWSExternalID. See Troubleshooting for more information. |
success | Boolean | Indicates whether the check was successful. |
mutation CheckIntegration {
validateIamIntegration (where: {id: "<INTEGRATION_ID>"}) {
valid
checks {
name
success
}
}
}
Update integration
Use the updateAwsIamIntegration mutation to update the role ARN associated with the integration. Use the where argument to specify which integration you want to update and the data argument to specify what you want to update (i.e., roleArn or name).
| Field | Type | Description |
|---|---|---|
name | String | Name of the IAM integration you want to update. |
roleArn | String | ARN of the IAM integration you want to update. |
id | ID | ID for the integration you created via the createAwsIamIntegration mutation. |
mutation UpdateIntegration {
updateAwsIamIntegration (
data: {
roleArn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
name: "<NEW_INTEGRATION_NAME>"
},
where: {
id: "<INTEGRATION_ID>"
}) {
id
}
}
Attach integration to a dataset
Use the setSignerForDataset mutation to attach an IAM integration to your dataset. Use the where argument to specify the dataset and the data argument to specify what to change.
| Field | Type | Description |
|---|---|---|
signerId | ID | The ID of an IAM integration to use as a signer for the dataset. |
id | ID | Dataset ID. |
mutation SetSignerForDataset {
setSignerForDataset (
data: { signerId: "<INTEGRATION_ID>" },
where: { id: "<DATASET_ID>" }) {
id
signer {
id
}
}
}
Validate dataset
When you create your dataset via the GraphQL API, you'll need to run a dataset validation yourself. Use the validateDataset mutation to do this.
This returns a payload with the status of the various checks that you can use for troubleshooting.
| Field | Type | Description |
|---|---|---|
valid | Boolean | Indicates whether the dataset was connected to the IAM integration successfully. |
name | DatasetValidationCheckName | Values are CORSPreflight and FetchAsset. For more information, see the Troubleshooting section. |
success | Boolean | Indicates whether the dataset validation check was successful. |
mutation ValidateDataset {
validateDataset (where: {id: "<DATASET_ID>"}){
valid
checks {
name
success
}
}
}