From 4ce024b415a2cac007fce5bd3fcadebae46d68a7 Mon Sep 17 00:00:00 2001 From: caitlinwheeless Date: Fri, 7 Mar 2025 14:28:28 -0600 Subject: [PATCH 1/2] docs: DIA-1977: Updated policy for IAM roles --- docs/source/guide/storage.md | 62 ++++++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 2 deletions(-) diff --git a/docs/source/guide/storage.md b/docs/source/guide/storage.md index 82847f698eaa..c4480f8ace4f 100644 --- a/docs/source/guide/storage.md +++ b/docs/source/guide/storage.md @@ -298,11 +298,66 @@ In Label Studio Enterprise, you can use an IAM role configured with an external If you want to use a revocable method to grant Label Studio access to your Amazon S3 bucket, use an IAM role and its temporary security credentials instead of an access key ID and secret. This added layer of security is only available in Label Studio Enterprise. For more details about security in Label Studio and Label Studio Enterprise, see [Secure Label Studio](security.html). #### Set up an IAM role in Amazon AWS + +!!! note "Notice for Label Studio Cloud users" + + Set up an IAM role in Amazon AWS to use with Label Studio. -1. In the Label Studio UI, open the **Organization** page to get an `External ID` to use for the IAM role creation in Amazon AWS. You must be an administrator to view the Organization page. -2. Follow the [Amazon AWS documentation to create an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in your AWS account.
Make sure to require an external ID and do not require multi-factor authentication when you set up the role. Select an existing permissions policy, or create one that allows programmatic access to the bucket. +1. From Label Studio, go to **Organization** page to retrieve your organization's `External ID`. You must be an Owner or Admin to view the Organization page. +2. Follow the [Amazon AWS documentation to create an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in your AWS account. + + Make sure to require an external ID and do not require multi-factor authentication when you set up the role. Select an existing permissions policy, or create one that allows programmatic access to the bucket. 3. Create a trust policy using the external ID. Use the following example: + +{% details Label Studio Enterprise Cloud %} + + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::490065312183:role/label-studio-app-production" + ] + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": [ + "" + ] + } + } + } + ] +} +``` + +!!! attention + If your bucket is already connected to a Label Studio project, and that connection was created before April 7, 2025, your principal will be listed as `"arn:aws:iam::490065312183:user/rw_bucket"`. + + You will need to modify it to also include `"arn:aws:iam::490065312183:role/label-studio-app-production"` before you can create any new storage connections. + + +{% enddetails %} + +{% details Label Studio Enterprise On-Prem %} + + ```json { "Version": "2012-10-17", 
@@ -326,6 +381,9 @@ Set up an IAM role in Amazon AWS to use with Label Studio. ] } ``` + +{% enddetails %} + 4. After you create the IAM role, note the Amazon Resource Name (ARN) of the role. You need it to set up the S3 source storage in Label Studio. 5. Assign role policies to the role to allow it to access your S3 bucket. Replace `` with your S3 bucket name. Use the following role policy for S3 source storage: ```json From 21d7d7834debba67fa5c318ff7698db05c1e9238 Mon Sep 17 00:00:00 2001 From: caitlinwheeless Date: Fri, 7 Mar 2025 14:49:28 -0600 Subject: [PATCH 2/2] Updates per discussion with Hakan --- docs/source/guide/storage.md | 39 +----------------------------------- 1 file changed, 1 insertion(+), 38 deletions(-) diff --git a/docs/source/guide/storage.md b/docs/source/guide/storage.md index c4480f8ace4f..3f220f72e887 100644 --- a/docs/source/guide/storage.md +++ b/docs/source/guide/storage.md @@ -320,9 +320,6 @@ Set up an IAM role in Amazon AWS to use with Label Studio. Make sure to require an external ID and do not require multi-factor authentication when you set up the role. Select an existing permissions policy, or create one that allows programmatic access to the bucket. 3. Create a trust policy using the external ID. Use the following example: -{% details Label Studio Enterprise Cloud %} - - ```json { "Version": "2012-10-17", 
@@ -348,41 +345,7 @@ Set up an IAM role in Amazon AWS to use with Label Studio. ``` !!! attention - If your bucket is already connected to a Label Studio project, and that connection was created before April 7, 2025, your principal will be listed as `"arn:aws:iam::490065312183:user/rw_bucket"`. - - You will need to modify it to also include `"arn:aws:iam::490065312183:role/label-studio-app-production"` before you can create any new storage connections. - - -{% enddetails %} - -{% details Label Studio Enterprise On-Prem %} - - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "arn:aws:iam::490065312183:user/rw_bucket" - ] - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": [ - "" - ] - } - } - } - ] -} -``` - -{% enddetails %} + If your bucket is already connected to a Label Studio project, and that connection was created before April 7, 2025, you will need to add the new role (listed above) along with your old user to continue using your existing project. 4. After you create the IAM role, note the Amazon Resource Name (ARN) of the role. You need it to set up the S3 source storage in Label Studio. 5. Assign role policies to the role to allow it to access your S3 bucket. Replace `` with your S3 bucket name. Use the following role policy for S3 source storage:
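Review bot: the `!!! note "Notice for Label Studio Cloud users"` admonition added at the top of the `@@ -298,11 +298,66 @@` hunk in PATCH 1/2 has no indented body; the line after it, `Set up an IAM role in Amazon AWS to use with Label Studio.`, is unchanged context at column zero, so the notice renders empty and that sentence renders outside it. Either indent the text that belongs in the notice (presumably that Cloud users must trust `arn:aws:iam::490065312183:role/label-studio-app-production` rather than the older principal) or drop the admonition. In the same hunk the new trust policy shows the external ID condition as `"sts:ExternalId": [ "" ]`; if the placeholder is written with angle brackets, check that it survives rendering, because a reader who pastes the example verbatim gets a role that cannot be assumed with the external ID Label Studio presents, and the blank gives no hint that a value from the Organization page belongs there.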
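Review bot: the `@@ -320,9 +320,6 @@` hunk in PATCH 2/2 removes the `{% details Label Studio Enterprise Cloud %}` opener, but the `!!! note "Notice for Label Studio Cloud users"` admonition that PATCH 1/2 introduced a few lines earlier sits outside both hunks of this commit and survives, even though the Cloud/On-Prem split it was announcing is gone. Widen the hunk to delete that admonition as well, or give it a body that states the one policy now applies to both deployment types; as committed, the page carries an empty notice addressed to a distinction it no longer makes.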
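Review bot: the rewritten `!!! attention` text in the `@@ -348,41 +345,7 @@` hunk of PATCH 2/2 tells readers with pre-April 7, 2025 connections to "add the new role (listed above) along with your old user", but the only place the old principal `arn:aws:iam::490065312183:user/rw_bucket` was spelled out is the text this same hunk deletes, so a reader of the resulting page cannot tell which user ARN to keep. Quote it in the note, for example `"AWS": ["arn:aws:iam::490065312183:user/rw_bucket", "arn:aws:iam::490065312183:role/label-studio-app-production"]`. The note should also say whether the user principal can be dropped from `Principal.AWS` once the existing connections have been re-created against the role, or must stay; left as written, it invites keeping two principals trusted indefinitely when new connections need only the role, and the `sts:ExternalId` condition is the only thing limiting either of them. Finally, since this hunk removes the On-Prem variant without replacement, confirm that On-Prem deployments also assume through `role/label-studio-app-production`; if they still present `user/rw_bucket`, the single remaining example will not work for them.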