AWS S3

S3 IAM Access

If you use AWS S3 to store data, if you submit tasks with attachments as s3: protocol URIs, rather than http: or https:, we will use the S3 API to fetch your data. For example, instead of sending https://s3-us-west-2.amazonaws.com/bucket/key, you would send s3://bucket/key.

We can either fetch your data using IAM Delegated Access (preferred, more secure) or Cross-account Access.

IAM Delegated Access

To access S3 data in your AWS account, Scale can assume a role in your account, which has permission to access data in your S3 buckets. This role must be named ScaleAI-Integration.

To set up IAM Delegated Access:

1. As a team admin or manager, go to dashboard.scale.com/settings/integrations.

2. In another window, create a new role in the AWS IAM Console

• Select Another AWS account for the Role Type.

• Enter 307185671274 (Scale's Account ID) as the Account ID.

• Check Require external ID, and enter the external ID displayed in the AWS section of the Integrations Settings page.

• Do not check Require MFA.

1. For permissions, either attach a policy that grants appropriate access, or create a policy. A sample role policy is shown below.

2. Name the role ScaleAI-Integration.

3. Return to the Scale Dashboard and enter your AWS account ID.

Sample Role Policy for IAM Delegated Access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "scales3access",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
              "arn:aws:s3:::YOUR_BUCKET_NAME/*",
              "arn:aws:s3:::YOUR_BUCKET_NAME"
            ],
        }
    ]
}

Note that if you enable the AWS integration for your account, we will not attempt to fetch attachments from our account (307185671274) directly; the policies described in Cross-account Access will not work.

Cross-account Access

If IAM delegated access is not configured, we will directly fetch attachments from your S3 bucket, using AWS account ID 307185671274 (canonical ID ae2259599e139df6cedb60b6300bcafa1c652aff129aa3d887477b6d4abf2e47), which you can grant access to on a per-object basis using ACLs or using bucket policies.

For most customers, we recommend setting a Bucket Policy that shares the bucket's contents with Scale's account.

A sample Bucket Policy below - please be sure to replace YOUR_BUCKET_NAME with the name of your bucket, leaving the /* as shown or replacing it with a more specific bucket path to further restrict access.

Please note that if using Access Control Lists (ACLs), each object must have its ACL individually updated to grant read access to our account, as Bucket ACLs cannot grant read permissions to the objects inside.

Sample Bucket Policy for Cross-account Access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "scale-s3-access",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::307185671274:root"
                ]
            },
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}

Please note that this authentication mechanism suffers from the confused deputy problem — a third party that can guess your S3 URLs will be able to submit tasks with your data.