AWS S3

Last updated 12 months ago

If you use AWS S3 to store data, you can send attachments as https: or http: URLs. You can also send attachments as s3: protocol URIs, which look like s3://bucket/key.

To access private S3 objects, we use cross-account access.

Cross-account Access

We will fetch attachments from your S3 bucket using AWS account ID 475757276268 (canonical ID d4b5723a54db6f9da8a68f4c24233880793bf1d68dd11e7e2b4989bd2c71c59a). You will need to grant access to TELUS International using bucket policies, or using ACLs to set permissions on objects.

We suggest setting a Bucket Policy that shares the bucket's contents with the account of TELUS International.

Here's a sample bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}

Replace YOUR_BUCKET_NAME with the name of your bucket, leaving the /* as shown or replacing it with a more specific bucket path to further restrict access.
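An added example, not part of the original documentation: a Python check to run on a bucket policy before applying it, confirming that every grant goes to account 475757276268 and that object permissions cover only the path you intend to share. The function names, the bucket name example-attachments and the attachments/ prefix are assumptions made for illustration.

```python
import json

VENDOR_ACCOUNT = "475757276268"  # account ID given on this page
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_text, bucket, prefix=""):
    """Return findings for a policy meant to share `bucket` (optionally only `prefix`)."""
    policy = json.loads(policy_text)  # ValueError on malformed JSON such as a trailing comma
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}*"
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            parts = arn.split(":")
            account = parts[4] if len(parts) > 4 else arn  # bare account IDs are allowed
            if account != VENDOR_ACCOUNT:
                findings.append(f"{sid}: principal {arn} is not account {VENDOR_ACCOUNT}")
        actions = set(_as_list(stmt.get("Action", [])))
        object_actions = actions & OBJECT_ACTIONS
        for res in _as_list(stmt.get("Resource", [])):
            if object_actions and res == bucket_arn:
                findings.append(f"{sid}: object actions do not apply to bucket ARN {res}")
            elif object_actions and res != object_arn:
                findings.append(f"{sid}: {res} does not match expected scope {object_arn}")
        if "s3:ListBucket" in actions and prefix and "Condition" not in stmt:
            findings.append(f"{sid}: s3:ListBucket is not limited to prefix {prefix}")
    return findings

def page_sample_policy(bucket):
    """The page's sample policy, rebuilt for a constructed bucket name."""
    principal = {"AWS": [f"arn:aws:iam::{VENDOR_ACCOUNT}:root"]}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Principal": principal,
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Principal": principal,
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]})

if __name__ == "__main__":
    sample = page_sample_policy("example-attachments")
    print("\n".join(audit_bucket_policy(sample, "example-attachments", "attachments/")))
```

Run against the sample policy with a prefix, it reports that listing is not limited to that prefix and that the object statement still covers the whole bucket.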

If you are using ACLs (Access Control Lists), you need to update the ACL individually for each object to grant read access to our account, as Bucket ACLs can't grant read permissions to nested objects.

Granting access to an S3 bucket encrypted with KMS Key

If your S3 bucket uses customer managed KMS keys for encryption (SSE-KMS), there's an additional step to grant TELUS International the necessary permissions:

  1. IAM Policy on KMS Key: In addition to the bucket policy or ACLs, you need to modify the policy attached to the customer managed KMS key used for encryption. This policy needs to allow the IAM user of TELUS International to perform the following actions:

    1. kms:GenerateDataKey: This grants TELUS International permission to generate data keys for encrypting/decrypting objects within your bucket.

    2. kms:Decrypt: This allows TELUS International to decrypt objects retrieved from your S3 bucket.

Steps to update the KMS key policy:

  1. Navigate to the AWS KMS console and select the KMS key used for your S3 bucket encryption.

  2. Go to the "Key policy" section.

  3. Edit the existing policy or create a new one.

  4. Add the following statement:

{
    "Version": "2012-10-17",
    "Id": "kms-policy",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
