Figure Eight Secure Data Access

When using Figure Eight’s Secure Data Access, your team maintains ownership and governance over all source data. The data that your team supplies never leaves your servers. For added security, private buckets can be used while processing training data in the Figure Eight platform.

Your team serves the source data via secure URLs hosted in private buckets inside your cloud storage. The only data that is passed to Figure Eight are the URLs for your private bucket, which will be assigned a unit ID. Corresponding annotations for the data can be downloaded from the Figure Eight platform and can subsequently be associated with source data via the unit ID.

  • Secure content is rendered through signed URLs
  • Signed URLs expire immediately after the content is rendered
  • Your content is never stored or saved within the Figure Eight platform
  • Content is rendered only to authenticated contributors and requestors with access to specific Figure Eight tasks. 


Note: For access to this feature, please contact your Customer Success Manager or Account Executive. The feature is supported for the following use cases:

  1. Data categorization, validation and transcription of text, image, audio and video files
    • Filenames should not contain spaces
  2. Image Annotation Tool

Guide to Setting Up Secure Data Access with AWS

A Team or Organization Admin must complete the following tasks:

1. Create an AWS role

a. Reach out to your DevOps team to create an AWS role. The role will be used in later steps to grant Figure Eight access to your private S3 bucket.

b. Have your DevOps team provide the following information about the new AWS role:

i. Role unique identifier, also known as ARN or AWS Role resource name, which has the following format:

arn:aws:iam::<customer_aws_account_number>:role/<role name>

ii. Role region: the AWS region where the role resides (e.g. us-east-1)

2. Create a Storage Integration from the Data & Security tab

a. Go to Account -> Data & Security 


Fig. 1: Data & Security Page

b. Click on "Create New Secure Storage" 

c. You will be prompted to provide the following information to create a new secure storage integration:

i. Storage CML name: Select a unique name for your storage provider integration. You will use this name within the CML of a job to indicate which data columns reference private bucket URLs. Each Storage Provider requires a unique Storage CML name. Please share the Storage CML name with your team to be used during job design.

ii. Storage Provider: Select the storage provider setup. For an AWS integration, select the "AWS Role ARN" option.

iii. AWS Resource Name: Provide the AWS Resource Name (ARN) obtained in step 1.b.i above. This is the unique identifier for a role within AWS. The role must have a policy that grants GetObject on the bucket and a trust policy that trusts the Figure Eight account. Each Storage Provider integration requires a unique AWS Resource Name.

iv. AWS Region Name: Enter the AWS region (obtained from step 1.b.ii above) where the AWS Resource Name role resides. 


Fig. 2: Adding Secure Storage

d. Once the above steps have been completed, the new Storage Provider integration should be listed as "Pending". Additionally, the “External ID” and “Figure Eight Account ID” values will be displayed in the Secure Storage view. Please copy the two values for your DevOps team.


Fig. 3: Setup Secure Data Access and Connect Private Buckets

3. Grant Figure Eight access to your private S3 bucket

a. Share the “Figure Eight Account ID” and “External ID” associated with the Storage Provider integration with your DevOps team. They will need to grant Figure Eight access to the private S3 bucket. This involves the following high-level steps:

i. Modify the AWS role created in Step 1.b.i so that it trusts Figure Eight's Account ID and only applies to the Storage Provider's External ID. Below is an example of how the trust relationship in the IAM role needs to be edited.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Figure Eight Account ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External ID>"
        }
      }
    }
  ]
}


ii. Grant the role access to your private S3 bucket

4. Notify Figure Eight Customer Success Manager about completion of Step 3

a. Once all the Storage Provider setup steps above have been completed, notify your Customer Success Manager.

b. The Integration Status will move to an "Active" state once the configuration has been completed and the AWS setup is done.


Fig. 4: Ensuring Secure Storage is Active

5. Verify access to your private content 

a. Set up a job that uses secure content and modify the CML tag as described below.

b. In the job, secure data columns should be marked with a CML liquid tag in the job design. The CML liquid tag is the "Storage CML Name" that was configured during storage integration. For example, if a Storage Provider was created with a "Storage CML name" of "secure_s3", then the job CML will have the following tag:
<img src="{{image_url|secure:'secure_s3'}}">


Fig. 5: Setting Up Secure Data Access in CML

c. Confirm that the secure content is visible when previewing the job

Note: URLs for secure content should follow this format:

d. Share the "Storage CML Name" with your team so they can start using private buckets for Figure Eight jobs.
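A check your DevOps team can run on the role from step 3 before notifying Figure Eight, as an added example (not Figure Eight's code): it flags a trust policy that is not limited to one account and one External ID, and a permissions policy that grants more than GetObject on the bucket, which is the requirement stated in step 2.c.iii. The account ID, External ID and bucket name in the sample documents are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed samples: account ID, External ID and bucket name are placeholders.
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")
ACCESS = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-private-bucket/*"}]}""")


def as_list(value):
    """IAM fields may hold one item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def audit_trust_policy(policy, account_id, external_id):
    """Findings for a trust policy meant to admit one account with one External ID."""
    findings = []
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    for n, stmt in enumerate(allow_statements(policy)):
        principal = stmt.get("Principal")
        # Anything other than an {"AWS": ...} principal is treated as a wildcard.
        only_aws = isinstance(principal, dict) and set(principal) == {"AWS"}
        arns = as_list(principal["AWS"]) if only_aws else ["*"]
        if any(a not in allowed for a in arns):
            findings.append(f"statement {n}: principal not limited to account {account_id}")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {n}: action is not exactly sts:AssumeRole")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(cond.get("sts:ExternalId", [])) != [external_id]:
            findings.append(f"statement {n}: sts:ExternalId condition missing or wrong")
    return findings


def audit_access_policy(policy, bucket):
    """Findings for a permissions policy meant to grant only GetObject on one bucket."""
    findings = []
    prefix = f"arn:aws:s3:::{bucket}/"
    for n, stmt in enumerate(allow_statements(policy)):
        if set(as_list(stmt.get("Action", []))) != {"s3:GetObject"}:
            findings.append(f"statement {n}: actions are not exactly s3:GetObject")
        if any(not r.startswith(prefix) for r in as_list(stmt.get("Resource", []))):
            findings.append(f"statement {n}: resource outside bucket {bucket}")
    return findings
```

An empty list from both functions means the role matches what the guide asks for; each finding names the statement to correct.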


Additional Instructions: 

  1. You can update or delete an existing storage integration
    • Please note that changing the "Storage CML name" for a storage provider will prevent any existing jobs that use that name in the CML from accessing private S3 content. If the value of "Storage CML Name" is modified, the new value should be updated in the jobs accessing private data.
    • Modifying AWS Resource Name or AWS Region Name will break the existing integration. 
  2. The team can set up multiple storage provider integrations
  3. Team admins can add storage provider integration for their teams
  4. Org admins can add storage provider integration for all the teams within the Org



