GCS with Workload Identity Federation
Label Studio Enterprise integrates with Google Cloud Storage (GCS) using Workload Identity Federation (WIF) so you can connect storage without managing long-lived service account JSON keys. Label Studio exchanges its AWS identity for short-lived GCP tokens, then uses a GCP service account to read and write objects in your buckets.
With this connection, you can:
- Import data from GCS into Label Studio for annotation
- Export annotations back to GCS buckets and prefixes
- Use keyless, short-lived credentials managed through Workload Identity Federation
- Optionally generate signed URLs so browsers read objects directly from GCS
This GCS with WIF integration is available in Label Studio Enterprise (on-prem). It appears in the open source UI but is disabled.
How Label Studio Connects with Google Cloud Storage (WIF)
Label Studio Enterprise runs in AWS and connects to GCS through your GCP Workload Identity Federation setup:
- Label Studio signs an AWS STS GetCallerIdentity request
- Google Security Token Service (STS) exchanges that identity for a federated access token tied to your WIF pool and provider
- Label Studio impersonates a target GCP service account to get an access token
- Using that service account, Label Studio:
  - Reads objects for imports
  - Writes annotation exports
  - Uses IAM Credentials signBlob to generate signed URLs when presigning is enabled
This flow keeps all long-lived secrets in AWS and GCP, while Label Studio uses only short-lived tokens.
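The first two steps of that flow, shown concretely as an added example (this is not Label Studio's code). It SigV4-signs the AWS STS GetCallerIdentity request that serves as the subject token and builds the Google STS exchange body; the pool, provider, region and AWS credential values are constructed placeholders, and nothing is sent over the network.

```python
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed identifiers for illustration only (not Label Studio's real values).
AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
            "workloadIdentityPools/labelstudio-pool/providers/aws-provider")
SCOPE = "https://www.googleapis.com/auth/cloud-platform"
QUERY = "Action=GetCallerIdentity&Version=2011-06-15"


def sign_get_caller_identity(access_key, secret_key, session_token, region, audience, amz_date):
    """Step 1: SigV4-sign a POST to AWS STS GetCallerIdentity (nothing is sent).
    The signature covers x-goog-cloud-target-resource, so this proof of AWS
    identity is bound to one WIF provider and cannot be replayed elsewhere."""
    host = f"sts.{region}.amazonaws.com"
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-security-token": session_token,
               "x-goog-cloud-target-resource": audience}
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", QUERY,
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(b"").hexdigest()])
    cred_scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, cred_scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = b"AWS4" + secret_key.encode()
    for part in (amz_date[:8], region, "sts", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{cred_scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return {"url": f"https://{host}?{QUERY}", "method": "POST",
            "headers": [{"key": k, "value": v} for k, v in headers.items()]}


def sts_exchange_body(audience, signed_request):
    """Step 2: JSON body for POST https://sts.googleapis.com/v1/token. Google STS
    replays the signed request against AWS to verify the caller and returns a
    federated access token, which step 3 trades for a service-account token at
    iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SA:generateAccessToken."""
    return {"audience": audience,
            "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
            "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
            "scope": SCOPE,
            "subjectTokenType": "urn:ietf:params:aws:token-type:aws4_request",
            "subjectToken": quote(json.dumps(signed_request), safe="")}
```

Because the audience is inside the signed headers, a token minted for one pool and provider fails verification if presented to another, which is the property that keeps the AWS-side credentials out of Label Studio entirely.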