Connecting drives — Instabase Documentation

Connect external drives to AI Hub to expand your available storage space for AI Hub projects and conveniently maintain and upload files from your own storage. Organizations can additionally use connected drives as a location to save processed AI Hub files.

About drives

All AI Hub accounts include up to one terabyte of storage on Instabase Drive for AI Hub projects and documents. In addition to the Instabase Drive, AI Hub supports connecting the following types of external storage:

Google Drive
Commercial & Enterprise Amazon S3
Commercial & Enterprise Azure Blob Storage
Commercial & Enterprise Google Cloud Storage

Not all drives support the same AI Hub functionality. See the following table for a summary:

Drive type	Workspace drive	Organization drive	Default drive
Instabase Drive		Default	✓
Google Drive	✓
Amazon S3	✓	✓	✓
Azure Blob Storage	✓	✓	✓
Google Cloud Storage	✓	✓

Workspace and organization drives

External drives can be connected at the workspace or organization level. Drives connected at the workspace level are available only within that workspace and all members of the workspace can access files on the drive. Drives connected at the organization level are available to all workspaces in the organization and all members of the organization can access files on the drive. In organizations, admins and workspace members can connect workspace drives. Only admins can connect organization drives.

For organization members, the contents of any external drive connected to your personal workspace are available only to you.

Any drive that’s accessible in the workspace can be used as a source of input files. Processed output files are saved to the workspace default drive, unless otherwise specified.

To make a drive available in only certain workspaces, you can connect the drive as a workspace drive in multiple workspaces. In this case, processed files are saved to workspace-specific folders in the drive. Those folders and their contents are visible in all workspaces the drive is connected to.

Default drives

A default drive is the drive where all processed AI Hub files in a workspace are stored by default. Processed AI Hub files include Build project files, Converse conversation files, and run results. Default drives can be assigned at the organization level or the workspace level. The organization-level default drive applies to all workspaces in the organization, unless the workspace has a previously assigned workspace-level default drive. If a workspace has a default drive assigned at the workspace level, this overrides any changes to the organization-level default drive.

All workspaces and organizations, by default, have Instabase Drive as the default drive. The Instabase Drive can’t be removed, but you can change the default drive to another connected drive.

You can use the data sources dashboard to see which drives are default drives. In the Workspaces All workspaces view, select the Data tab to see a list of all drives available to the organization. The organization-level default drive is marked with ORG under the Default column. Any drive that’s a workspace-level default drive is marked with WORKSPACE under the Default column—use the Workspace column to identify which workspace.

Connecting Google Drive

You can connect a Google Drive and upload files from your own and shared drives on the parent drive. In addition to standard file types, AI Hub supports uploading Google Docs (.gdoc), Google Sheets (.gsheet), and Google Slides (.gslides).

Review the following limitations of using Google Drive as a connected drive:

Google Drive isn’t supported as a default drive.
Google Drive can be connected as a workspace drive only. Google Drive isn’t supported for use as an organization drive.
App run results can be exported only to the My Drive on the connected Google Drive, not to any shared drives on the Google Drive.
Files and folders with a / in the name don’t appear in the file picker and might result in an error if uploaded by API.
Files or folders with the same name don’t appear in the file picker and might result in an error if uploaded by API. This constraint applies in the following scenarios:
- Two or more files with the same name and same parent folder.
- Two or more folders with the same name and same parent folder.
- A file and folder, or several files and folders, with the same name and same parent folder.

In Workspaces, select the workspace to connect the drive to, then select the Data tab.
Click Add data source, then select Google Drive.
Select Workspace members as the audience.
Enter a display name for the drive.
Click Connect to Google Drive.
Select and sign in to the Google account with the Google Drive you want to connect.
Click Allow to grant AI Hub the necessary permissions.
Click Done

Connecting Amazon S3

You can connect your Amazon S3 bucket using an AWS IAM access key for authentication or using an AWS IAM role.

Authenticating with AWS IAM access key

When connecting Amazon S3 as a drive using AWS Identity and Access Management (IAM) access key authentication, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

Setting	Required	Description
Access key ID	Required	Your AWS IAM access key ID.
Secret access key	Required	Your AWS IAM secret access key. Review the permissions requirements.
Bucket name	Required	The name of the S3 bucket to use for file storage. Provide the name, not the Amazon Resource Name (ARN).
Region	Required	The region code for your AWS account, such as `us-east-1`. For a full list of region codes, see the AWS Regions and zones documentation.
Path to drive	Optional	A file path to a folder in the S3 bucket where the desired input files are found. Leave empty to accept default (root).
Server-side encryption type	Optional	Select the server-side encryption (SSE) type. - None: (Default) No server-side encryption. - SSE-S3: Use Amazon-managed server-side encryption of files. - SSE-KMS: Use Amazon Key Management Service (KMS) for server-side encryption of files.
Server-side encryption KMS key ID	Visible and required if Server-side encryption type is set to SSE-KMS.	The Amazon resource name (ARN) for the KMS key. See the AWS Finding the key ID and key ARN documentation for more information.

Access key permissions requirements

In Workspaces, select a workspace to connect the drive to, then select the Data tab.
Click Add data source, then select Amazon S3.
Select who can access the drive contents:
- Organization members: Connect the drive as an organization drive available to all workspaces. All members of all workspaces have access.
- Workspace members: Connect the drive as a workspace drive. Only members of the selected workspace have access.
Enter a display name for the drive.
Select Access key as your authentication method.
On the configuration screen, fill in your authentication and bucket details, using the configuration settings description table for guidance. Click Next.
Select whether to set the drive as a default drive. Be aware of how changing the default drive affects assets.

If connecting the drive as an organization drive, this step sets the organization-level default drive. If connecting the drive as a workspace drive, this step sets the workspace-level default drive.
Click Done

Authenticating with AWS IAM role

When connecting Amazon S3 as a drive using AWS Identity and Access Management (IAM) role authentication, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

Setting	Required	Description
IAM role ARN	Required	The Amazon Resource Name (ARN) for the IAM role being used for authentication. See the AWS IAM identifiers and Find Amazon Resource Names (ARNs) in AMS documentation for details.
Bucket name	Required	The name of the S3 bucket to use for file storage. Provide the name, not the ARN.
AWS region	Required	The region code for your AWS account, such as `us-east-1`. For a full list of region codes, see the AWS Regions and zones documentation.
Path to drive	Optional	A file path to a folder in the S3 bucket where the desired input files are found. Leave empty to accept default (root).
Server-side encryption type	Optional	Select the server-side encryption type. - None: (Default) No server-side encryption. - SSE-S3: Use Amazon-managed server-side encryption of files. - SSE-KMS: Use Amazon Key Management Service (KMS) for server-side encryption of files.
Server-side encryption KMS key ID	Visible and required if Server-side encryption type is set to SSE-KMS.	The Amazon resource name (ARN) for the KMS key. See the AWS Finding the key ID and key ARN documentation for more information.

In Workspaces, select a workspace to connect the drive to, then select the Data tab.
Click Add data source, then select Amazon S3.
Select who can access the drive contents:
- Organization members: Connect the drive as an organization drive available to all workspaces. All members of all workspaces have access.
- Workspace members: Connect the drive as a workspace drive. Only members of the selected workspace have access.
Enter a display name for the drive.
Select IAM role as your authentication method, then click Next.
Connect a new role or select a previously connected role, then click Next.
On the configuration screen, fill in your authentication and bucket details, using the configuration settings description table for guidance. Click Next.
Copy the IAM role policy provided. Using the IAM console in the AWS Management Console, embed the policy as an inline policy for the IAM role used for authentication.

See the AWS Adding and removing IAM identity permissions documentation for guidance. Follow the instructions for embedding an inline policy for a user or role in the IAM console.
Copy the bucket policy provided. Using the Amazon S3 console in the AWS Management Console, add the bucket policy to the S3 bucket being used for storage.

See the AWS Adding a bucket policy by using the Amazon S3 console for guidance on editing bucket policies.
Confirm the IAM role policy is embedded and the bucket policy is added, then click Next.
Select whether to set the drive as a default drive. Be aware of how changing the default drive affects assets.

If connecting the drive as an organization drive, this step sets the organization-level default drive. If connecting the drive as a workspace drive, this step sets the workspace-level default drive.
Click Done

Managing IAM roles

After adding an IAM role, it can be reused when adding other S3 buckets. Previously connected roles are visible and usable in all workspaces, regardless of whether the initial connection was for an organization-level or workspace-level drive. Any organization member can select the IAM role, though they must have access to your AWS Management Console to complete all steps in the connection process.

Reusing roles

Previously connected IAM roles display in a role selection dropdown when connecting S3 buckets. When reusing a role, you don’t need to add a new custom trust policy as the trust relationship is already established.

Changing roles

AI Hub doesn’t support changing the IAM role used for authentication. You can remove the drive then reconnect it with a new role. Be aware of the impacts of removing drives.

Deleting roles

When you delete a role, it can no longer be used for authentication. You can’t delete an IAM role that’s in use with a connected drive. If you want to continue using the drive with a different role, remove the drive then reconnect it with a new role. Be aware of the impacts of removing drives.

In Workspaces, select a workspace to connect the drive to, then select the Data tab.
Click Add data source, then select Amazon S3.
Select an audience.
Enter a display name for the drive.
Select IAM role as your authentication method, then click Next.
Select the role to delete, then click the delete icon
.
Click Delete to confirm.

Connecting Azure Blob Storage

When connecting Azure Blob Storage as a drive, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

Setting	Required	Description
Name your drive	Required	A display name for the connected drive.
Container name	Required	The name of your Azure Blob Storage container.
Auth method	Required	The authentication method to use when connecting to your storage. Available options are connection string and service principal.
Connection string	Visible and required if Auth method is set to Connection string.	The connection string for your Azure storage account.
Service URL	Visible and required if Auth method is set to Service principal.	The endpoint for the Blob Service registered to the container’s storage account, such as `https://<storage account>.blob.core.windows.net/`
Tenant ID	Visible and required if Auth method is set to Service principal.	The tenant ID for the service principal.
Client ID	Visible and required if Auth method is set to Service principal.	The client ID for the service principal.
Client secret	Visible and required if Auth method is set to Service principal.	The client secret for the service principal.

In Workspaces, select a workspace to connect the drive to, then select the Data tab.
Click Add data source, then select Azure Blob Storage.
Select who can access the drive contents:
- Organization members: Connect the drive as an organization drive available to all workspaces. All members of all workspaces have access.
- Workspace members: Connect the drive as a workspace drive. Only members of the selected workspace have access.
On the configuration screen, fill in your authentication and container details, using the configuration settings description table for guidance. Click Next.
Select whether to set the drive as a default drive. Be aware of how changing the default drive affects assets.

If connecting the drive as an organization drive, this step sets the organization-level default drive. If connecting the drive as a workspace drive, this step sets the workspace-level default drive.
Click Done

Connecting Google Cloud Storage

When connecting Google Cloud Storage as a drive, the following configuration settings are available. Review these settings to ensure you have the required configuration information.

Setting	Required	Description
Name your drive	Required	A display name for the connected drive.
Bucket name	Required	The name of your Google Cloud Storage bucket.
Path to mount	Optional	A prefix to mount all files in the Google Cloud Storage bucket. Leave empty to accept default (mounting to root).
Server-side encryption type	Required	The following server-side encryption types are supported: - GCS AES-256: Uses Google-managed server-side encryption of files. - GCS KMS: Uses Google Cloud Key Management Service (KMS) for server-side encryption of files. When selected, a valid server-side encryption KMS key ID is required.
Server-side encryption KMS key ID	Visible and required if Server-side encryption type is set to GCS KMS.	The Cloud KMS Resource ID. See the Google Cloud Getting a Cloud KMS Resource ID documentation for additional information.
Upload the private key file for your Google Cloud Storage service account	Required	The credentials for your Google Cloud Storage service account. Upload the credentials as a `.json` file. See Configuring a Google Cloud Storage account for details.

Configuring a Google Cloud Storage service account

In Workspaces, select a workspace to connect the drive to, then select the Data tab.
Click Add data source, then select Google Cloud Storage.
Select who can access the drive contents:
- Organization members: Connect the drive as an organization drive available to all workspaces. All members of all workspaces have access.
- Workspace members: Connect the drive as a workspace drive. Only members of the selected workspace have access.
On the configuration screen, fill in your authentication and bucket details, using the configuration settings description table for guidance. Click Next.
Click Add.

Updating drives

After connecting a drive, you can make select configuration changes.

Amazon S3, authenticated with AWS IAM access key: You can update the drive’s security credentials. You must remove and reconnect the drive to change the authentication method. Be aware of the impacts of removing drives.
Amazon S3, authenticated with AWS IAM role: No changes supported. You must remove and reconnect the drive to change the authentication method or change the IAM role. Be aware of the impacts of removing drives.
Azure Blob Storage: You can update the drive’s security credentials, though you must remove and reconnect the drive to change the authentication method. Be aware of the impacts of removing drives.
Google Cloud Storage: You can update the private key file for your Google Cloud Storage service account.
Google Drive: You can update the display name.

In Workspaces, select All workspaces, then select the Data tab.
In the organization drives section, click the overflow icon
of the drive to update.
Select Modify configuration.
Make any changes then click Update to confirm.

Assigning default drives

Organization admins can assign workspace and organization default drives. By default, Instabase Drive is the default drive for all organizations and workspaces.

Changing the default drive impacts projects and conversations

When you change the default drive, files stored on the previous default drive aren’t automatically migrated to the new default drive. In practice, this means that when the default drive changes for a workspace:

Any Build projects in the workspace must be deleted or migrated to the new default drive. When members open an affected Build project, they see a dialog that can’t be dismissed. To continue working with the project, members must migrate the project.
Any existing conversations in the workspace become limited to previously uploaded files. Members can continue to view their conversation history and converse with any files already added to the conversation. To upload new files, members must create a new conversation.

Assigning the organization default drive

Drives connected at the organization level can be set as the organization default drive.

In Workspaces, select All workspaces, then select the Data tab.
In the organization drives section, click the overflow icon
of the drive, then select Make org default drive.
Click Set as default drive to confirm.

Assigning a workspace default drive

The workspace default drive overrides the organization default drive.

In Workspaces, select the workspace to assign a new default drive to, then select the Data tab.
Click the overflow icon
of the drive, then select Set as default drive.
Click Set as default drive to confirm.

To revert to using the organization default drive, select Unset as default drive in the overflow menu for the workspace default drive.

Removing drives

You can remove a connected drive to disconnect it and revoke AI Hub’s access to its contents. You can disable Instabase Drive, the default storage included with your account, to hide it. Review the following limitations and consequences before removing or disabling drives:

Removing a drive completely disconnects the drive from AI Hub. Any processed AI Hub files stored on the drive aren’t deleted, but AI Hub loses the ability to reference those files in the future. Processed AI Hub files include Build project files, Converse conversation files, and app run results.
While you can later add a previously removed drive, doing so doesn’t restore the ability to reference any AI Hub files previously saved to the drive. If you want to reference AI Hub files previously saved to the drive, you must re-upload them.
Default drives can’t be removed. To remove a default drive you must first assign another drive as the default.
The Instabase Drive can’t be removed. After connecting another drive for use as the default drive, you can disable the Instabase Drive to hide it.

In Workspaces, select All workspaces, then select the Data tab.
Click the overflow icon
of the drive to disable or remove.
Select Disable or Remove.
To confirm, click Disable or type the confirmation text and click Remove.