Skip to main content
Avala supports bring-your-own-storage so your data never has to leave your infrastructure. Connect an Amazon S3 or Google Cloud Storage bucket, and Avala will read assets directly from it — no copies, no transfers. You control access, retention, and encryption while Avala handles the annotation layer on top.

Amazon S3

Bucket Policy

Create an IAM policy that grants Avala read access to your bucket. If you also want Avala to write exports back to the bucket, include the s3:PutObject permission. 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AVALA_ACCOUNT_ID:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
Replace AVALA_ACCOUNT_ID with the account ID provided in Mission Control during setup, and your-bucket-name with your actual bucket name.

CORS Configuration

If you are loading images or video directly in the browser-based annotation editor, add a CORS rule to your bucket: 
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "HEAD"],
    "AllowedOrigins": ["https://avala.ai"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3600
  }
]

Connect in Mission Control

  1. Go to Mission Control > Settings > Storage.
  2. Click Add Storage and select Amazon S3.
  3. Enter your Bucket Name and Region.
  4. Choose an authentication method:
    • Cross-account IAM role (recommended) — Avala assumes a role in your account.
    • Access key — Provide an AWS access key ID and secret.
  5. Click Test Connection to verify access.
  6. Save the configuration.

Google Cloud Storage

Service Account

Create a service account that Avala can use to access your bucket:
  1. In the Google Cloud Console, navigate to IAM & Admin > Service Accounts.
  2. Create a new service account (e.g., avala-storage-reader).
  3. Grant the following roles on the bucket:
    • roles/storage.objectViewer — read access to objects
    • roles/storage.legacyBucketReader — list objects in the bucket
  4. If Avala should write exports to the bucket, also grant roles/storage.objectCreator.
  5. Download the JSON key file for the service account.

CORS Configuration

If you are loading images or video directly in the browser-based annotation editor, add a CORS configuration to your GCS bucket. Save the following as cors.json: 
[
  {
    "origin": ["https://avala.ai"],
    "method": ["GET", "HEAD"],
    "responseHeader": ["Content-Type", "ETag"],
    "maxAgeSeconds": 3600
  }
]
Apply the CORS configuration using gsutil: 
gsutil cors set cors.json gs://your-bucket-name
Replace your-bucket-name with your actual bucket name.

Connect in Mission Control

  1. Go to Mission Control > Settings > Storage.
  2. Click Add Storage and select Google Cloud Storage.
  3. Enter your Bucket Name.
  4. Upload the Service Account JSON key file.
  5. Click Test Connection to verify access.
  6. Save the configuration.

Storage Configuration Options

Once a bucket is connected, you can configure it in Mission Control:
OptionDescription
Default storageSet the bucket as the default destination for new datasets.
Prefix filterLimit Avala’s access to a specific path prefix within the bucket (e.g., datasets/production/).
Export destinationEnable writing completed exports back to this bucket.
Signed URL expiryControl how long signed URLs remain valid when serving assets to annotators (default: 1 hour).

Uploading Data from Connected Buckets

After connecting a bucket, you can create datasets from its contents:
  1. Create a new dataset in Mission Control.
  2. Select Import from Cloud Storage as the data source.
  3. Browse or search the connected bucket for the files or folder you want.
  4. Select the assets and confirm the import.
Avala will register the assets by reference — it reads them from your bucket on demand rather than copying them.
Your data stays in your bucket at all times. Avala generates short-lived signed URLs to serve assets to the annotation editor and never persists copies of your files.