Secure Attachment Access

Last updated 4 years ago

We expect attachments/files sent while creating a job to be one of the following:

  • Publicly accessible links, or

  • Private URLs, when the object is hosted on AWS S3, or

  • Private URLs or gs protocol URIs (gs://), when the object is hosted on GCP

S3 IAM Access

If you use AWS S3 to store data and create jobs with attachments as http: or https: URLs, we will fetch your data using Cross-account Access.

Cross-account Access

We will directly fetch attachments from your S3 bucket, using AWS account ID 475757276268 (canonical ID d4b5723a54db6f9da8a68f4c24233880793bf1d68dd11e7e2b4989bd2c71c59a), which you can grant access to on a per-object basis using ACLs or using bucket policies.

For most customers, we recommend setting a Bucket Policy that shares the bucket's contents with Playment's account.

A sample Bucket Policy is shown below. Be sure to replace YOUR_BUCKET_NAME with the name of your bucket, leaving the /* as shown or replacing it with a more specific bucket path to further restrict access.

Please note that if using Access Control Lists (ACLs), each object must have its ACL individually updated to grant read access to our account, as Bucket ACLs cannot grant read permissions to the objects inside.

Sample Bucket Policy for Cross-account Access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "playment-s3-access",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}
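
As an added example (not Playment's own code), the following Python script audits a bucket policy before it is applied: it checks that the statement naming account 475757276268 allows only s3:GetObject and reports when the whole bucket, rather than a more specific path, is shared. The function names, the bucket name example-bucket and the prefix playment-jobs/ are assumptions, and Condition blocks are not evaluated.

```python
import json

VENDOR_ACCOUNT = "475757276268"  # Playment's AWS account ID as given on this page


def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def audit_vendor_grant(policy, bucket, account=VENDOR_ACCOUNT):
    """Return findings about Allow statements that grant access to `account`."""
    findings, granted = [], False
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in arns:
            findings.append(f"{sid}: wildcard principal, not limited to the vendor account")
            continue
        if not any(a == account or f"::{account}:" in a for a in arns):
            continue  # statement is about some other principal
        granted = True
        # IAM action names are case-insensitive, so compare in lower case.
        extra = [a for a in as_list(stmt.get("Action", [])) if a.lower() != "s3:getobject"]
        if extra:
            findings.append(f"{sid}: grants more than s3:GetObject: {extra}")
        for res in as_list(stmt.get("Resource", [])):
            if res in (f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}", "arn:aws:s3:::*", "*"):
                findings.append(f"{sid}: {res} shares the whole bucket, consider a prefix")
    if not granted:
        findings.append(f"no Allow statement names account {account}")
    return findings


# Constructed sample policies; the bucket name and prefix are placeholders.
BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "playment-s3-access", "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Principal": {"AWS": ["arn:aws:iam::475757276268:root"]},
  "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "playment-s3-access", "Effect": "Allow", "Action": "s3:GetObject",
  "Principal": {"AWS": "arn:aws:iam::475757276268:root"},
  "Resource": "arn:aws:s3:::example-bucket/playment-jobs/*"}]}""")

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit_vendor_grant(pol, "example-bucket") or "ok")
```

An empty findings list means the grant is read-only and limited to a path inside the bucket.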

Google Cloud Storage Access

If you use Google Cloud Storage to store data and submit tasks with attachments as gs: protocol URIs, rather than http: or https:, we will use the Google Cloud Storage API to fetch your data. For example, instead of sending https://storage.googleapis.com/bucket/key, you would send gs://bucket/key.

We will fetch attachments from your GCS bucket, using our GCP service account bucket-acess-5fa53438-d897@playment-1266.iam.gserviceaccount.com. You can grant access to this service account on a per-object basis with ACLs, or on a per-bucket basis with Cloud IAM Permissions.

IP Whitelisting

Playment uses a consistent set of IP addresses to fetch data and send callbacks, allowing for IP whitelisting of attachments sent to us, as well as for callback endpoints, to increase data security.

If you enable IP whitelisting, we request that you whitelist access to your data for the IP addresses listed below; we will only fetch the content using these IP addresses. In this way, you can secure your content from the public while still allowing Playment to access it.

Playment's static IP addresses

52.66.129.133

Please note that this authentication mechanism suffers from the confused deputy problem — a third party that can guess your S3 URLs will be able to submit tasks with your data.