This guide provides a complete set of step-by-step instructions for securely connecting your Amazon S3 bucket data to Labelbox using IAM delegated access.

Prerequisites

Before you begin, ensure you have the following:
  • You have permissions to create IAM roles and policies in your AWS account.
  • You know the name of the S3 bucket you want to connect.
  • You have configured Cross-Origin Resource Sharing (CORS) on your S3 bucket to allow Labelbox to request resources from your cloud storage.

Step 1: Begin integration in Labelbox

First, you’ll start the integration process in the Labelbox UI to obtain the necessary credentials.
  1. In Labelbox, navigate to Settings > Integrations.
  2. Under Add integrations, select Sync from a source.
  3. Select AWS as your source.
  4. From the Create AWS integration page, copy the Labelbox AWS account ID and the External ID.
  5. Leave this page open in your browser: you will return to it in a later step.

Step 2: Create a role for Labelbox in AWS

Next, you will create a role in your AWS account that Labelbox can assume to access your S3 bucket.

Part A: Create a permission policy

  1. In your AWS account, navigate to the IAM Management Console > Policies page.
  2. Click Create policy and select the JSON policy editor.
  3. Paste the following JSON policy, which grants read-only access to a specific S3 bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::CustomerBucketARN/*",
                "arn:aws:s3:::CustomerBucketARN"
            ]
        }
    ]
}
Remember to replace CustomerBucketARN with the actual ARN of your S3 bucket.
  4. Add a name for the policy (for example, LabelboxReadAccess) and click Create policy.

Part B: Create a role

  1. From the Roles page in the IAM Management Console, click Create role.
  2. Select Custom trust policy and paste the following policy. Be sure to enter the External ID you obtained from Labelbox in Step 1.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::340636424752:role/lb-aws-delegated-access-role"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": ""
                }
            }
        }
    ]
}
  3. In the Add Permissions step, attach the permission policy you created in Part A (e.g., LabelboxReadAccess).
  4. Add a name for the role (e.g., LabelboxS3Access) and click Create role.
  5. Click on the role you just created and copy the Role ARN from the Summary tab.
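
An added example (not part of the Labelbox guide or of Labelbox's tooling): a small offline linter for the two policy documents above, to run before pasting the Role ARN in Step 3. It flags the CustomerBucketARN placeholder left in place (or replaced so that the arn:aws:s3::: prefix ends up doubled), actions outside the three read-only ones, a wildcard principal, and an empty sts:ExternalId. The function names and the sample document are constructed for illustration.

```python
import re

# Current bucket naming rules: 3-63 chars of lowercase letters, digits, dots, hyphens.
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")
READ_ONLY = {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"}  # Part A actions


def _listify(value):
    """IAM accepts a bare string or object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def lint_permission_policy(doc):
    """Findings for the Part A policy; an empty list means nothing was flagged."""
    findings = []
    for stmt in _listify(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _listify(stmt.get("Action", [])):
            if action not in READ_ONLY:
                findings.append(f"action outside the guide's read-only set: {action}")
        for resource in _listify(stmt.get("Resource", [])):
            if not S3_ARN.match(resource):
                findings.append(f"not a valid S3 ARN: {resource}")
    return findings


def lint_trust_policy(doc):
    """Findings for the Part B trust policy; an empty list means nothing was flagged."""
    findings = []
    for stmt in _listify(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if any(p == "*" for p in _listify(aws)):
            findings.append("wildcard principal: role is not restricted to Labelbox")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            findings.append("sts:ExternalId missing or empty")
    return findings


# Constructed sample: the Part B trust policy as printed above, External ID not filled in.
TRUST_AS_PRINTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::340636424752:role/lb-aws-delegated-access-role"},
    "Condition": {"StringEquals": {"sts:ExternalId": ""}}}]}
print(lint_trust_policy(TRUST_AS_PRINTED))
```

Load your own documents with json.load and pass them to the two functions; an empty list from both means none of these checks fired.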

Step 3: Complete the integration setup in Labelbox

Now, you will add the Role ARN to the new integration you added in Labelbox in Step 1.
  1. Go back to the Create AWS integration page in Labelbox.
  2. In the Provider ARN and name section:
    • Set the integration name.
    • Enter the AWS bucket name.
    • Paste the AWS Role ARN.
  3. Click Save integration.

Step 4: Validate the integration

After you complete the setup in Labelbox, the system will automatically run a validation check on the integration. You can check the status on the Integrations > Manage integrations page. If the integration fails, you can click the refresh icon to view error messages and troubleshoot your setup. Here are possible error messages and our suggestions for troubleshooting your integration setup.
| Error | Troubleshooting |
| --- | --- |
| Role cannot be assumed | Ensure that the integration’s role ARN is correct and that the Labelbox External ID is properly configured in your AWS account. Additionally, your AWS account admin must activate STS in the us-east-2 region using the IAM console. |
| External ID configured insecurely | Ensure that the Labelbox External ID is properly configured in your AWS account. |

Step 5: Create, upload, and validate the dataset

Finally, you need to create and validate your dataset.
  1. When creating your import file, use virtual-hosted-style URLs that follow this format: https://<bucket-name>.s3.<region>.amazonaws.com/<key>. To learn how to format your import file, visit these guides:
    • Import image data
    • Import text data
    • Import document data
    • Import HTML data
    • Import video data
    • Import geospatial data
    • Import audio data
  2. If you created your integration and imported your dataset using the Labelbox UI, Labelbox automatically runs validation checks to determine whether the CORS setup was configured properly. It also checks if Labelbox can successfully fetch data from your S3 bucket and properly sign the URLs.
Your dataset should now be set up with IAM delegated access. Labelbox will use the AWS role you created to generate temporary signed URLs every time it accesses data in your S3 bucket.