AI HubAdministrationManaging data connections

Connecting drives

Connect your own external drives to AI Hub as a source for uploading input files or as a destination for saving processed output files. AI Hub supports connecting the following types of external storage:

  • Google Drive

  • Commercial & Enterprise Amazon S3

  • Commercial & Enterprise Azure Blob Storage

  • Commercial & Enterprise Google Cloud Storage

When connecting external storage, the connection isn’t validated. If you encounter an error when attempting to perform file operations on the drive, ensure all configuration details are correct.

Connecting Google Drive

You can connect a Google Drive and upload files from your own and shared drives on the parent drive. In addition to standard file types, AI Hub supports uploading Google Docs (.gdoc), Google Sheets (.gsheet), and Google Slides (.gslides). These native Google file types are displayed in the file explorer but the files are converted to PDF when imported.

Review the following limitations of using Google Drive as a connected drive:

  • Google Drive isn’t supported as a default drive.

  • Google Drive can be connected as a workspace drive only. Google Drive isn’t supported for use as an organization drive.

  • Google Drive isn’t supported for upstream or downstream integrations in app deployments.

  • Automation app run results can be exported only to the My Drive on the connected Google Drive, not to any shared drives.

  • Files and folders with a / in the name don’t appear in the AI Hub file explorer and might result in an error if uploaded by API.

  • Files or folders with the same name don’t appear in the file explorer and might result in an error if uploaded by API. This constraint applies in the following scenarios:

    • Two or more files with the same name and same parent folder.

    • Two or more folders with the same name and same parent folder.

    • A file and folder, or several files and folders, with the same name and same parent folder.

  1. In Workspaces, select the workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Google Drive.

  3. Select Workspace members as the audience.

  4. Enter a display name for the drive. This name can’t be changed later.

  5. Click Connect to Google Drive.

  6. Select and sign in to the Google account with the Google Drive you want to connect.

  7. Click Allow to grant AI Hub the necessary permissions.

  8. Click Done

Connecting Amazon S3

Commercial & Enterprise

You can connect your Amazon S3 bucket using an AWS IAM access key for authentication or using an AWS IAM role.

Authenticating with AWS IAM access key

When connecting Amazon S3 as a drive using AWS Identity and Access Management (IAM) access key authentication, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

SettingRequiredDescription
Access key IDRequiredYour AWS IAM access key ID.
Secret access keyRequiredYour AWS IAM secret access key. Review the permissions requirements.
Bucket nameRequiredThe name of the S3 bucket to use for file storage. Provide the name, not the Amazon Resource Name (ARN).
RegionRequiredThe region code for your AWS account, such as us-east-1.

For a full list of region codes, see the AWS Regions and zones documentation.
Path to driveOptionalA file path to a folder in the S3 bucket where the desired input files are found. Leave empty to accept default (root).
Server-side encryption typeOptionalSelect the server-side encryption (SSE) type.

None — (Default) No server-side encryption.

SSE-S3 — Use Amazon-managed server-side encryption of files.

SSE-KMS — Use Amazon Key Management Service (KMS) for server-side encryption of files.
Server-side encryption KMS key IDVisible and required if Server-side encryption type is set to SSE-KMS.The Amazon resource name (ARN) for the KMS key. See the AWS Finding the key ID and key ARN documentation for more information.

Connecting to your Amazon S3 bucket requires an AWS IAM access key with the following permissions:

$s3:DeleteObject
>s3:DeleteObjectVersion
>s3:GetObject
>s3:GetObjectAcl
>s3:GetObjectVersion
>s3:PutObject
>s3:PutObjectAcl
>s3:PutObjectVersion
>s3:ListBucket
>s3:ListBucketMultipartUploads
>s3:ListMultipartUploadParts
>s3:AbortMultipartUpload

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Amazon S3.

  3. Select an audience.

    • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

    • Organization members — Connect the drive at the organization level, making it available to all workspaces.

  4. Enter a display name for the drive. This name can’t be changed later.

  5. Select Access key as your authentication method.

  6. On the configuration screen, fill in your authentication and bucket details, using the configuration settings description table for guidance. Click Next.

  7. Select whether to set the drive as a default drive. Not usually recommended, see Managing default drives for details.

  8. Click Done

Authenticating with AWS IAM role

When connecting Amazon S3 as a drive using AWS Identity and Access Management (IAM) role authentication, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

SettingRequiredDescription
IAM role ARNRequiredThe Amazon Resource Name (ARN) for the IAM role being used for authentication. See the AWS IAM identifiers and Find Amazon Resource Names (ARNs) in AMS documentation for details.
Bucket nameRequiredThe name of the S3 bucket to use for file storage. Provide the name, not the ARN.
AWS regionRequiredThe region code for your AWS account, such as us-east-1.

For a full list of region codes, see the AWS Regions and zones documentation.
Path to driveOptionalA file path to a folder in the S3 bucket where the desired input files are found. Leave empty to accept default (root).
Server-side encryption typeOptionalSelect the server-side encryption type.

None — (Default) No server-side encryption.

SSE-S3 — Use Amazon-managed server-side encryption of files.

SSE-KMS — Use Amazon Key Management Service (KMS) for server-side encryption of files.
Server-side encryption KMS key IDVisible and required if Server-side encryption type is set to SSE-KMS.The Amazon resource name (ARN) for the KMS key. See the AWS Finding the key ID and key ARN documentation for more information.

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Amazon S3.

  3. Select an audience.

    • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

    • Organization members — Connect the drive at the organization level, making it available to all workspaces.

  4. Enter a display name for the drive. This name can’t be changed later.

  5. Select IAM role as your authentication method, then click Next.

  6. Connect a new role or select a previously connected role, then click Next.

    1. If previously added IAM roles are shown, click the + icon next to the role selection dropdown. Otherwise, you’re brought to the Add custom trust policy screen.

    2. Copy the custom trust policy provided. Using the IAM console in the AWS Management Console, configure an IAM role using the custom trust policy. You don’t need to set a permissions boundary.

      See the following AWS documentation for guidance:

    3. Confirm the custom trust policy is added, then click Next.

  7. On the configuration screen, fill in your authentication and bucket details, using the configuration settings description table for guidance. Click Next.

  8. Copy the IAM role policy provided. Using the IAM console in the AWS Management Console, embed the policy as an inline policy for the IAM role used for authentication.

    See the AWS Adding and removing IAM identity permissions documentation for guidance. Follow the instructions for embedding an inline policy for a user or role in the IAM console.

  9. Copy the bucket policy provided. Using the Amazon S3 console in the AWS Management Console, add the bucket policy to the S3 bucket being used for storage.

    See the AWS Adding a bucket policy by using the Amazon S3 console for guidance on editing bucket policies.

  10. Confirm the IAM role policy is embedded and the bucket policy is added, then click Next.

  11. Select whether to set the drive as a default drive. Not usually recommended, see Managing default drives for details.

  12. Click Done

Managing IAM roles

After adding an IAM role, it can be reused when adding other S3 buckets. Roles added when connecting a workspace drive are reusable within the same workspace only. Roles added when connecting an organization drive are reusable across all workspaces. While other organization or workspace members can select a listed IAM role, they must have access to your AWS Management Console to complete all steps in the connection process.

Reusing roles

Previously connected IAM roles display in a role selection dropdown when connecting S3 buckets. When reusing a role, you don’t need to add a new custom trust policy as the trust relationship is already established.

Changing roles

AI Hub doesn’t support changing the IAM role used for authentication. You can remove the drive then reconnect it with a new role. Be aware of the impacts of removing drives.

Deleting roles

When you delete a role, it can no longer be used for authentication. You can’t delete an IAM role that’s in use with a connected drive. If you want to continue using the drive with a different role, remove the drive then reconnect it with a new role. Be aware of the impacts of removing drives.

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Amazon S3.

  3. Select an audience.

  4. Enter a display name for the drive.

  5. Select IAM role as your authentication method, then click Next.

  6. Select the role to delete, then click the delete icon Icon of a trash can..

  7. Click Delete to confirm.

Connecting Azure Blob Storage

Commercial & Enterprise

When connecting Azure Blob Storage as a drive, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

SettingRequiredDescription
Name your driveRequiredA display name for the connected drive. This name can’t be changed later.
Container nameRequiredThe name of your Azure Blob Storage container.
Auth methodRequiredThe authentication method to use when connecting to your storage. Available options are connection string and service principal.
Connection stringVisible and required if Auth method is set to Connection string.The connection string for your Azure storage account.
Service URLVisible and required if Auth method is set to Service principal.The endpoint for the Blob Service registered to the container’s storage account, such as https://<storage account>.blob.core.windows.net/
Tenant IDVisible and required if Auth method is set to Service principal.The tenant ID for the service principal.
Client IDVisible and required if Auth method is set to Service principal.The client ID for the service principal.
Client secretVisible and required if Auth method is set to Service principal.The client secret for the service principal.

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Azure Blob Storage.

  3. Select an audience.

    • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

    • Organization members — Connect the drive at the organization level, making it available to all workspaces.

  4. On the configuration screen, fill in your authentication and container details, using the configuration settings description table for guidance. Click Next.

  5. Select whether to set the drive as a default drive. Not usually recommended, see Managing default drives for details.

  6. Click Done

Connecting Google Cloud Storage

Commercial & Enterprise

When connecting Google Cloud Storage as a drive, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

SettingRequiredDescription
Name your driveRequiredA display name for the connected drive. This name can’t be changed later.
Bucket nameRequiredThe name of your Google Cloud Storage bucket.
Path to mountOptionalA prefix to mount all files in the Google Cloud Storage bucket. Leave empty to accept default (mounting to root).
Server-side encryption typeRequiredThe following server-side encryption types are supported:

GCS AES-256 — Uses Google-managed server-side encryption of files.

GCS KMS — Uses Google Cloud Key Management Service (KMS) for server-side encryption of files. When selected, a valid server-side encryption KMS key ID is required.
Server-side encryption KMS key IDVisible and required if Server-side encryption type is set to GCS KMS.The Cloud KMS Resource ID.
See the Google Cloud Getting a Cloud KMS Resource ID documentation for additional information.
Upload the private key file for your Google Cloud Storage service accountRequiredThe credentials for your Google Cloud Storage service account. Upload the credentials as a .json file. See Configuring a Google Cloud Storage account for details.

Connecting Google Cloud Storage as a drive requires a Google Cloud Storage service account. The Google Cloud Storage documentation is the most up-to-date reference, but the general process is described here.

  1. From the Google Cloud console, create a Google Cloud Storage bucket with uniform access control. For improved security, create it as a private bucket.

  2. Create a service account in Google Cloud’s Identity and Access Management (IAM) system.

  3. In the Google Cloud console, create a key pair for the service account, selecting JSON as the key type.

  4. Download the JSON credentials file for the service account.

  5. Assign the service account the Storage Admin and Storage Object Admin roles for bucket access.

    For more details, see the Google IAM permission documentation.

  6. Find the Client ID for the service account (available on the Service accounts page).

  7. Using a Google Workplace administrator account, search for the service account’s client ID, and grant the service account access to the Google Cloud Platform OAuth scope www.googleapis.com/auth/cloud-platform.

    For more details, see the Google service account documentation.

  1. In Workspaces, select a workspace to connect the drive to, then select the Data tab.

  2. Click Add data source, then select Google Cloud Storage.

  3. Select an audience.

    • Workspace members (Recommended) — Connect the drive to the selected workspace. Only members of the selected workspace have access.

    • Organization members — Connect the drive at the organization level, making it available to all workspaces.

  4. On the configuration screen, fill in your authentication and bucket details, using the configuration settings description table for guidance. Click Next.

  5. Click Add.

Updating drives

After connecting a drive, select configuration changes are supported.

  • Amazon S3, authenticated with AWS IAM access key — You can update the drive’s security credentials. You must remove and reconnect the drive to change the authentication method. Be aware of the impacts of removing drives.

  • Amazon S3, authenticated with AWS IAM role — No changes supported. You must remove and reconnect the drive to change the authentication method or change the IAM role. Be aware of the impacts of removing drives.

  • Azure Blob Storage — You can update the drive’s security credentials, though you must remove and reconnect the drive to change the authentication method. Be aware of the impacts of removing drives.

  • Google Cloud Storage — You can update the private key file for your Google Cloud Storage service account.

  • Google Drive — No changes supported. You must remove and reconnect the drive to make any configuration changes.

  1. In Workspaces, select All workspaces, then select the Data tab.

  2. In the organization drives section, click the overflow icon Icon with three stacked vertical dots. of the drive to update.

  3. Select Modify configuration.

  4. Make any changes then click Update to confirm.

Managing default drives

Commercial & Enterprise

A default drive is the default storage location for all AI Hub resources, including automation project files, conversation files, temporary processing files, and configuration files. The default drive is also used as the default location for all output when no other destination is specified.

By default, the Instabase Drive (1 TB of included storage) serves as the default drive. However, organizations can use a connected Amazon S3 bucket or Azure Blob Storage container as the default drive to ensure all content remains within their own storage system. When you change the organization’s default drive, it becomes the default drive for all workspaces.

You can optionally assign workspace-specific default drives. When you assign a workspace its own default drive, it becomes the default drive for only that workspace. Any future changes to the organization’s default drive don’t override workspace-specific default drives. To simplify data management, using a single, organization-wide default drive is the preferred approach.

You can identify default drives from the All workspaces Data tab. Under the Default column, ORG indicates the organization default drive and WORKSPACE indicates a workspace default drive.
Before changing the organization or workspace default drive, review the following information.

Default drives are used for storing the files underlying projects and conversations. When you change the default drive, files stored on the previous default drive aren’t migrated to the new default drive. When the default drive changes:

  • Automation projects must be deleted or migrated to the new default drive. When members open an affected automation project, they see a migration dialog that can’t be dismissed. To continue working with the project, it must be migrated.

  • Existing conversations become limited to previously uploaded files. Members can continue to view their conversation history and interact with files already added to the conversation, but can’t add new files.

Changing the organization default drive

Before you begin

You must have connected a supported drive at the organization level (audience set to Organization members).

  1. In Workspaces, select All workspaces, then select the Data tab.

  2. In the organization drives section, click the overflow icon Icon with three stacked vertical dots. of the drive, then select Make org default drive.

  3. Click Set as default drive to confirm.

Changing workspace default drives

Before you begin

You must have connected a supported drive in the workspace. Organization-level drives can’t be set as a workspace default drive.

  1. In Workspaces, select the workspace to assign a new default drive to, then select the Data tab.

  2. Click the overflow icon Icon with three stacked vertical dots. of the drive, then select Set as default drive.

  3. Click Set as default drive to confirm.

To revert a workspace to using the organization’s default drive, select Unset as default drive in the overflow menu of the workspace default drive.

Removing drives

You can remove a connected drive to disconnect it and revoke AI Hub’s access to its contents. You can disable Instabase Drive, the default storage included with your account, to hide it. Review the following limitations and consequences before removing or disabling drives:

  • Removing a drive completely disconnects the drive from AI Hub. Any processed AI Hub files stored on the drive aren’t deleted, but AI Hub loses the ability to reference those files in the future. Processed AI Hub files include automation project files, conversation files, and automation app run results.

  • While you can later add a previously removed drive, doing so doesn’t restore the ability to reference any AI Hub files previously saved to the drive. If you want to reference AI Hub files previously saved to the drive, you must re-upload them.

  • Default drives can’t be removed. To remove a default drive you must first assign another drive as the default.

  • The Instabase Drive can’t be removed. After connecting another drive for use as the default drive, you can disable the Instabase Drive to hide it.

  1. In Workspaces, select All workspaces, then select the Data tab.

  2. Click the overflow icon Icon with three stacked vertical dots. of the drive to disable or remove.

  3. Select Disable or Remove.

  4. To confirm, click Disable or type the confirmation text and click Remove.