

# Setting up Amazon Rekognition Custom Labels
<a name="setting-up"></a>

The following instructions show how to set up the Amazon Rekognition Custom Labels console and SDK.

Note that you can use the Amazon Rekognition Custom Labels console with the following browsers:
+ **Chrome** — Version 21 or later
+ **Firefox** — Version 27 or later
+ **Microsoft Edge** — Version 88 or later
+ **Safari** — Version 7 or later. Additionally, you can't use Safari to draw bounding boxes with the Amazon Rekognition Custom Labels console. For more information, see [Labeling objects with bounding boxes](md-localize-objects.md).

Before you use Amazon Rekognition Custom Labels for the first time, complete the following tasks:

**Topics**
+ [Step 1: Create an AWS account](su-account.md)
+ [Step 2: Set up Amazon Rekognition Custom Labels console permissions](su-console-policy.md)
+ [Step 3: Create the console bucket](su-create-console-bucket.md)
+ [Step 4: Set up the AWS CLI and AWS SDKs](su-awscli-sdk.md)
+ [Step 5: (Optional) Encrypt training files](su-encrypt-bucket.md)
+ [Step 6: (Optional) Associate prior datasets with new projects](su-associate-prior-dataset.md)

# Step 1: Create an AWS account
<a name="su-account"></a>

In this step, you create an AWS account, create an administrative user, and learn about granting programmatic access to the AWS SDK. 

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)
+ [Programmatic access](#su-sdk-programmatic-access)

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Programmatic access
<a name="su-sdk-programmatic-access"></a>

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.



| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/rekognition/latest/customlabels-dg/su-account.html)  | 
|  Workforce identity (Users managed in IAM Identity Center)  | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/rekognition/latest/customlabels-dg/su-account.html)  | 
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/rekognition/latest/customlabels-dg/su-account.html)  | 

# Step 2: Set up Amazon Rekognition Custom Labels console permissions
<a name="su-console-policy"></a>

To use the Amazon Rekognition console, you need to have appropriate permissions. If you want to store your training files in a bucket other than the [console bucket](su-create-console-bucket.md), you need additional permissions.

**Topics**
+ [Allowing console access](#su-console-access)
+ [Accessing external Amazon S3 Buckets](#su-external-buckets)
+ [Assigning permissions](#su-assign-permissions)

## Allowing console access
<a name="su-console-access"></a>

To use the Amazon Rekognition Custom Labels console, you need the following IAM policy that covers Amazon S3, SageMaker AI Ground Truth, and Amazon Rekognition Custom Labels. For information about assigning permissions, see [Assigning permissions](#su-assign-permissions).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "s3Policies",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectTagging",
                "s3:GetBucketVersioning",
                "s3:GetObjectVersionTagging",
                "s3:PutBucketCORS",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketPolicy",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:PutBucketVersioning",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::custom-labels-console-*"
            ]
        },
        {
            "Sid": "rekognitionPolicies",
            "Effect": "Allow",
            "Action": [
                "rekognition:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "groundTruthPolicies",
            "Effect": "Allow",
            "Action": [
                "groundtruthlabeling:*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Accessing external Amazon S3 Buckets
<a name="su-external-buckets"></a>

When you first open the Amazon Rekognition Custom Labels console in a new AWS Region, Amazon Rekognition Custom Labels creates a bucket (console bucket) that's used to store project files. Alternatively, you can use your own Amazon S3 bucket (external bucket) to upload the images or manifest file to the console. To use an external bucket, add the following policy block to the preceding policy. Replace `amzn-s3-demo-bucket` with the name of the bucket.

```
        {
            "Sid": "s3ExternalBucketPolicies",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectTagging",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket*"
            ]
        }
```
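What the `Resource` pattern in this statement matches, shown as an added example that is not part of the AWS guide. The matcher is a simplified model of IAM's `*` and `?` wildcards (no policy variables); the sample ARNs and the two-entry scoped alternative are assumptions constructed for illustration.

```python
import re


def iam_wildcard_match(pattern: str, arn: str) -> bool:
    """Simplified IAM resource matching: '*' is any run of characters, '?' is one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn, flags=re.DOTALL) is not None


def statement_covers(resources, arn: str) -> bool:
    """True if any entry of a policy statement's Resource element matches the ARN."""
    if isinstance(resources, str):  # Resource may be a single string or a list
        resources = [resources]
    return any(iam_wildcard_match(pattern, arn) for pattern in resources)


# Resource element exactly as written in the external-bucket statement on this page.
PAGE_RESOURCE = ["arn:aws:s3:::amzn-s3-demo-bucket*"]

# Assumption (not from the guide): name the bucket and its objects separately.
SCOPED_RESOURCE = [
    "arn:aws:s3:::amzn-s3-demo-bucket",    # bucket-level actions, e.g. s3:ListBucket
    "arn:aws:s3:::amzn-s3-demo-bucket/*",  # object-level actions, e.g. s3:GetObject
]

# Constructed sample ARNs, not taken from any real account.
SAMPLE_ARNS = [
    "arn:aws:s3:::amzn-s3-demo-bucket",
    "arn:aws:s3:::amzn-s3-demo-bucket/train/image-001.jpg",
    "arn:aws:s3:::amzn-s3-demo-bucket-archive",             # other bucket, same prefix
    "arn:aws:s3:::amzn-s3-demo-bucket-archive/report.csv",
    "arn:aws:s3:::other-bucket/train/image-001.jpg",
]


def coverage(resources):
    """Map each sample ARN to whether the Resource element matches it."""
    return {arn: statement_covers(resources, arn) for arn in SAMPLE_ARNS}


def over_matched(broad, scoped):
    """ARNs that the broad Resource element matches but the scoped one does not."""
    broad_hits, scoped_hits = coverage(broad), coverage(scoped)
    return [arn for arn in SAMPLE_ARNS if broad_hits[arn] and not scoped_hits[arn]]


if __name__ == "__main__":
    page, scoped = coverage(PAGE_RESOURCE), coverage(SCOPED_RESOURCE)
    for arn in SAMPLE_ARNS:
        print(f"{arn:58} page={page[arn]!s:5} scoped={scoped[arn]}")
    print("Matched only by the trailing-wildcard pattern:")
    for arn in over_matched(PAGE_RESOURCE, SCOPED_RESOURCE):
        print("  " + arn)
```

The trailing `*` directly after the bucket name also matches any bucket whose name begins with the same string, so check bucket naming in the account before reusing the pattern.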

## Assigning permissions
<a name="su-assign-permissions"></a>

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Step 3: Create the console bucket
<a name="su-create-console-bucket"></a>

You use an Amazon Rekognition Custom Labels project to create and manage your models. When you first open the Amazon Rekognition Custom Labels console in a new AWS Region, Amazon Rekognition Custom Labels creates an Amazon S3 bucket (console bucket) to store your projects. You should note the console bucket name somewhere where you can refer to it later because you might need to use the bucket name in AWS SDK operations or console tasks, such as creating a dataset.

The format of the bucket name is `custom-labels-console`-*<region>*-*<random value>*. The random value ensures that there isn't a collision between bucket names.

**To create the console bucket**

1. Ensure that the user has the correct permissions. For more information, see [Allowing console access](su-console-policy.md#su-console-access).

1. Sign in to the AWS Management Console and open the Amazon Rekognition console at [https://console.aws.amazon.com/rekognition/](https://console.aws.amazon.com/rekognition/).

1. Choose **Get started**.

1. If this is the first time that you've opened the console in the current AWS Region, do the following in the **First Time Set Up** dialog box:

   1. Copy down the name of the Amazon S3 bucket that's shown. You'll need this information later.

   1. Choose **Create S3 bucket** to let Amazon Rekognition Custom Labels create an Amazon S3 bucket (console bucket) on your behalf.

1. Close the browser window.

# Step 4: Set up the AWS CLI and AWS SDKs
<a name="su-awscli-sdk"></a>

You can use Amazon Rekognition Custom Labels with the AWS Command Line Interface (AWS CLI) and AWS SDKs. If you need to run Amazon Rekognition Custom Labels operations from the terminal, install the AWS CLI. If you are creating an application, download the AWS SDK for the programming language that you are using. 

**Topics**
+ [Install the AWS SDKs](#sdk-install-sdk)
+ [Grant programmatic access](su-sdk-programmatic-access.md)
+ [Set up SDK permissions](su-sdk-permissions.md)
+ [Call an Amazon Rekognition Custom Labels operation](su-sdk-list-projects.md)

## Install the AWS SDKs
<a name="sdk-install-sdk"></a>

Follow the steps to download and configure the AWS SDKs.

**To set up the AWS CLI and the AWS SDKs**
+ Download and install the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and the AWS SDKs that you want to use. This guide provides examples for the AWS CLI, [Java](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/setup.html), and [Python](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#installation). For information about installing AWS SDKs, see [Tools for Amazon Web Services](https://aws.amazon.com/tools/).

# Grant programmatic access
<a name="su-sdk-programmatic-access"></a>

You can run the AWS CLI and code examples in this guide on your local computer or other AWS environments, such as an Amazon Elastic Compute Cloud instance. To run the examples, you need to grant access to the AWS SDK operations that the examples use. 

**Topics**
+ [Running code on your local computer](#su-sdk-programmatic-access-general)
+ [Running code in AWS environments](#su-sdk-aws-environments)

## Running code on your local computer
<a name="su-sdk-programmatic-access-general"></a>

To run code on a local computer, we recommend that you use short-term credentials to grant a user access to AWS SDK operations. For specific information about running the AWS CLI and code examples on a local computer, see [Using a profile on your local computer](#su-sdk-programmatic-access-customlabels-examples).

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.



| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/rekognition/latest/customlabels-dg/su-sdk-programmatic-access.html)  | 
|  Workforce identity (Users managed in IAM Identity Center)  | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/rekognition/latest/customlabels-dg/su-sdk-programmatic-access.html)  | 
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/rekognition/latest/customlabels-dg/su-sdk-programmatic-access.html)  | 

### Using a profile on your local computer
<a name="su-sdk-programmatic-access-customlabels-examples"></a>

You can run the AWS CLI and code examples in this guide with the short-term credentials you create in [Running code on your local computer](#su-sdk-programmatic-access-general). To get the credentials and other settings information, the examples use a profile named `custom-labels-access`. For example:

```
import boto3

session = boto3.Session(profile_name='custom-labels-access')
rekognition_client = session.client("rekognition")
```

The user that the profile represents must have permissions to call the Amazon Rekognition Custom Labels SDK operations and other AWS SDK operations needed by the examples. For more information, including how to assign permissions, see [Set up SDK permissions](su-sdk-permissions.md).

To create a profile that works with the AWS CLI and code examples, choose one of the following. Make sure the name of the profile you create is `custom-labels-access`.
+ Users managed by IAM — Follow the instructions at [Switching to an IAM role (AWS CLI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html). 
+ Workforce identity (Users managed by AWS IAM Identity Center) — Follow the instructions at [Configuring the AWS CLI to use AWS IAM Identity Center](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html). For the code examples, we recommend using an Integrated Development Environment (IDE), which supports the AWS Toolkit enabling authentication through IAM Identity Center. For the Java examples, see [Start building with Java](https://aws.amazon.com/developer/language/java/). For the Python examples, see [Start building with Python](https://aws.amazon.com/developer/tools/#IDE_and_IDE_Toolkits). For more information, see [IAM Identity Center credentials](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sso-credentials.html).

**Note**  
You can use code to get short-term credentials. For more information, see [Switching to an IAM role (AWS API)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_use_switch-role-api.html). For IAM Identity Center, get the short-term credentials for a role by following the instructions at [Getting IAM role credentials for CLI access](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html). 

## Running code in AWS environments
<a name="su-sdk-aws-environments"></a>

You shouldn't use user credentials to sign AWS SDK calls in AWS environments, such as production code running in an AWS Lambda function. Instead, you configure a role that defines the permissions that your code needs. You then attach the role to the environment that your code runs in. How you attach the role and make temporary credentials available varies depending on the environment that your code runs in:
+ AWS Lambda function — Use the temporary credentials that Lambda automatically provides to your function when it assumes the Lambda function's execution role. The credentials are available in the Lambda environment variables. You don't need to specify a profile. For more information, see [Lambda execution role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html).
+ Amazon EC2 — Use the Amazon EC2 instance metadata endpoint credentials provider. The provider automatically generates and refreshes credentials for you using the Amazon EC2 *instance profile* you attach to the Amazon EC2 instance. For more information, see [Using an IAM role to grant permissions to applications running on Amazon EC2 instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html).
+ Amazon Elastic Container Service — Use the Container credentials provider. Amazon ECS sends and refreshes credentials to a metadata endpoint. A *task IAM role* that you specify provides a strategy for managing the credentials that your application uses. For more information, see [Interact with AWS services](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html).

For more information about credential providers, see [Standardized credential providers](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html).

# Set up SDK permissions
<a name="su-sdk-permissions"></a>

To use Amazon Rekognition Custom Labels SDK operations, you need access permissions to the Amazon Rekognition Custom Labels API and the Amazon S3 bucket used for model training.

**Topics**
+ [Granting SDK operation permissions](#su-grant-sdk-permissions)
+ [Policy updates for using the AWS SDK](#su-sdk-policy-update)
+ [Assigning permissions](#su-sdk-assign-permissions)

## Granting SDK operation permissions
<a name="su-grant-sdk-permissions"></a>

We recommend that you grant only the permissions required to perform a task (least-privilege permissions). For example, to call [DetectCustomLabels](https://docs.aws.amazon.com/rekognition/latest/APIReference/API_DetectCustomLabels.html), you need permission to perform `rekognition:DetectCustomLabels`. To find the permissions for an operation, check the [API reference](https://docs.aws.amazon.com/rekognition/latest/APIReference/Welcome.html). 

When you are just starting out with an application, you might not know the specific permissions you need, so you can start with broader permissions. AWS managed policies provide permissions to help you get started. You can use the `AmazonRekognitionCustomLabelsFullAccess` AWS managed policy to get complete access to the Amazon Rekognition Custom Labels API. For more information, see [AWS managed policy: AmazonRekognitionCustomLabelsFullAccess](https://docs.aws.amazon.com/rekognition/latest/dg/security-iam-awsmanpol.html#security-iam-awsmanpol-custom-labels-full-access). When you know the permissions that your application needs, reduce permissions further by defining customer managed policies specific to your use cases. For more information, see [Customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies). 

To assign permissions, see [Assigning permissions](#su-sdk-assign-permissions).

## Policy updates for using the AWS SDK
<a name="su-sdk-policy-update"></a>

To use the AWS SDK with the latest release of Amazon Rekognition Custom Labels, you no longer need to give Amazon Rekognition Custom Labels permissions to access the Amazon S3 bucket that contains your training and testing images. If you have previously added permissions, you don't need to remove them. If you choose to, remove any policy from the bucket where the service for the principal is `rekognition.amazonaws.com`. For example:

```
"Principal": {
    "Service": "rekognition.amazonaws.com"
}
```

For more information, see [Using bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html).
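One way to carry out the optional cleanup described above, as an added example that is not code from the AWS guide. It goes slightly beyond the single case in the text: the function name, the handling of statements that list other principals next to `rekognition.amazonaws.com`, the choice to leave `Deny` statements alone, and the sample policy (including its account ID and role name) are assumptions constructed for illustration.

```python
import copy
import json

REKOGNITION_SERVICE = "rekognition.amazonaws.com"


def _as_list(value):
    """Policy elements may be absent, a single string, or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def remove_rekognition_grants(policy):
    """
    Return (cleaned_policy, changed), where changed names the Allow statements
    that granted access to the Rekognition service principal. cleaned_policy is
    None when no statement is left, meaning the bucket policy can be deleted.
    The input policy is not modified.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may not be wrapped in a list
        statements = [statements]

    kept, changed = [], []
    for index, statement in enumerate(statements):
        principal = statement.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []

        # Leave Deny statements and statements for other principals untouched.
        if statement.get("Effect") != "Allow" or REKOGNITION_SERVICE not in services:
            kept.append(statement)
            continue

        changed.append(statement.get("Sid", f"statement[{index}]"))
        remaining = [s for s in services if s != REKOGNITION_SERVICE]
        others = {k: v for k, v in principal.items() if k != "Service"}
        if remaining:
            others["Service"] = remaining[0] if len(remaining) == 1 else remaining
        if others:  # other principals share the statement: keep it without Rekognition
            trimmed = copy.deepcopy(statement)
            trimmed["Principal"] = others
            kept.append(trimmed)

    if not kept:
        return None, changed
    cleaned = {k: v for k, v in policy.items() if k != "Statement"}
    cleaned["Statement"] = kept
    return cleaned, changed


# Constructed sample bucket policy; the account ID and role name are placeholders.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RekognitionRead",
            "Effect": "Allow",
            "Principal": {"Service": "rekognition.amazonaws.com"},
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        },
        {
            "Sid": "SharedServices",
            "Effect": "Allow",
            "Principal": {"Service": ["rekognition.amazonaws.com", "sagemaker.amazonaws.com"]},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        },
        {
            "Sid": "TeamRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        },
    ],
}

if __name__ == "__main__":
    cleaned, changed = remove_rekognition_grants(SAMPLE_BUCKET_POLICY)
    print("Statements that named the Rekognition service principal:", changed)
    print(json.dumps(cleaned, indent=2))
```

To apply the result to a real bucket, read the current policy with the S3 client's `get_bucket_policy`, then write the cleaned document back with `put_bucket_policy`, or call `delete_bucket_policy` when the function returns `None`.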

## Assigning permissions
<a name="su-sdk-assign-permissions"></a>

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Call an Amazon Rekognition Custom Labels operation
<a name="su-sdk-list-projects"></a>

Run the following code to confirm that you can make calls to the Amazon Rekognition Custom Labels API. The code lists the projects in your AWS account, in the current AWS Region. If you haven't previously created a project, the response is empty, but does confirm that you can call the `DescribeProjects` operation. 

In general, calling an example function requires an AWS SDK Rekognition client and any other required parameters. The AWS SDK client is declared in the main function. 

If the code fails, check that the user that you use has the correct permissions. Also check the AWS Region that you are using, because Amazon Rekognition Custom Labels is not available in all AWS Regions.

**To call an Amazon Rekognition Custom Labels operation**

1. If you haven't already done so, install and configure the AWS CLI and the AWS SDKs. For more information, see [Step 4: Set up the AWS CLI and AWS SDKs](su-awscli-sdk.md).

1. Use the following example code to view your projects.

------
#### [ CLI ]

   Use the `describe-projects` command to list the projects in your account.

   ```
   aws rekognition describe-projects \
   --profile custom-labels-access
   ```

------
#### [ Python ]

   ```
   # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
   # SPDX-License-Identifier: Apache-2.0
   
   """
   This example shows how to describe your Amazon Rekognition Custom Labels projects.
   If you haven't previously created a project in the current AWS Region,
   the response is an empty list, but does confirm that you can call an
   Amazon Rekognition Custom Labels operation.
   """
   from botocore.exceptions import ClientError
   import boto3
   
   def describe_projects(rekognition_client):
       """
       Lists information about the projects that are in your AWS account
       and in the current AWS Region.
   
       :param rekognition_client: A Boto3 Rekognition client.
       """
       try:
           response = rekognition_client.describe_projects()
           for project in response["ProjectDescriptions"]:
               print("Status: " + project["Status"])
               print("ARN: " + project["ProjectArn"])
               print()
           print("Done!")
       except ClientError as err:
           print(f"Couldn't describe projects. \n{err}")
           raise
   
   
   def main():
       """
       Entrypoint for script.
       """
   
       session = boto3.Session(profile_name='custom-labels-access')
       rekognition_client = session.client("rekognition")
   
       describe_projects(rekognition_client)
   
   
   if __name__ == "__main__":
       main()
   ```

------
#### [ Java V2 ]

   ```
   /*
      Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
      SPDX-License-Identifier: Apache-2.0
   */
   
   package com.example.rekognition;
   
   import java.util.logging.Level;
   import java.util.logging.Logger;
   
   import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
   import software.amazon.awssdk.regions.Region;
   import software.amazon.awssdk.services.rekognition.RekognitionClient;
   import software.amazon.awssdk.services.rekognition.model.DatasetMetadata;
   import software.amazon.awssdk.services.rekognition.model.DescribeProjectsRequest;
   import software.amazon.awssdk.services.rekognition.model.DescribeProjectsResponse;
   import software.amazon.awssdk.services.rekognition.model.ProjectDescription;
   import software.amazon.awssdk.services.rekognition.model.RekognitionException;
   
   public class Hello {
   
       public static final Logger logger = Logger.getLogger(Hello.class.getName());
   
       public static void describeMyProjects(RekognitionClient rekClient) {
   
           // Build a request with no project name filter so that every project
           // in the current AWS Region is described.
           DescribeProjectsRequest descProjects = DescribeProjectsRequest.builder().build();
   
           // Display useful information for each project.
   
           DescribeProjectsResponse resp = rekClient.describeProjects(descProjects);
   
           for (ProjectDescription projectDescription : resp.projectDescriptions()) {
   
               System.out.println("ARN: " + projectDescription.projectArn());
               System.out.println("Status: " + projectDescription.statusAsString());
               if (projectDescription.hasDatasets()) {
                   for (DatasetMetadata datasetDescription : projectDescription.datasets()) {
                       System.out.println("\tdataset Type: " + datasetDescription.datasetTypeAsString());
                       System.out.println("\tdataset ARN: " + datasetDescription.datasetArn());
                       System.out.println("\tdataset Status: " + datasetDescription.statusAsString());
                   }
               }
               System.out.println();
           }
   
       }
   
       public static void main(String[] args) {
   
           try {
   
               // Get the Rekognition client
               RekognitionClient rekClient = RekognitionClient.builder()
                   .credentialsProvider(ProfileCredentialsProvider.create("custom-labels-access"))
                   .region(Region.US_WEST_2)
                   .build();
               
               // Describe projects
   
               describeMyProjects(rekClient);
   
               rekClient.close();
   
           } catch (RekognitionException rekError) {
               logger.log(Level.SEVERE, "Rekognition client error: {0}", rekError.getMessage());
               System.exit(1);
           }
   
       }
   
   }
   ```

------

# Step 5: (Optional) Encrypt training files
<a name="su-encrypt-bucket"></a>

You can choose one of the following options to encrypt the Amazon Rekognition Custom Labels manifest files and image files that are in a console bucket or an external Amazon S3 bucket.
+ Use an Amazon S3 key (SSE-S3).
+ Use your AWS KMS key. 

**Note**  
The calling [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal%23intro-structure-principal) needs permissions to decrypt the files. For more information, see [Decrypting files encrypted with AWS Key Management Service](#su-kms-encryption).

For information about encrypting an Amazon S3 bucket, see [Setting default server-side encryption behavior for Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html).

## Decrypting files encrypted with AWS Key Management Service
<a name="su-kms-encryption"></a>

If you use AWS Key Management Service (KMS) to encrypt your Amazon Rekognition Custom Labels manifest files and image files, add the IAM principal that calls Amazon Rekognition Custom Labels to the key policy of the KMS key. Doing this lets Amazon Rekognition Custom Labels decrypt your manifest and image files before training. For more information, see [My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?](https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-default-encryption/)

The IAM principal needs the following permissions on the KMS key.
+ kms:GenerateDataKey
+ kms:Decrypt

For more information, see [Protecting Data Using Server-Side Encryption with KMS keys Stored in AWS Key Management Service (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html).

## Encrypting copied training and test images
<a name="w2aab8c21c11"></a>

To train your model, Amazon Rekognition Custom Labels makes a copy of your source training and test images. By default, the copied images are encrypted at rest with a key that AWS owns and manages. You can also choose to use your own AWS KMS key. If you use your own KMS key, you need the following permissions on the KMS key.
+ kms:CreateGrant
+ kms:DescribeKey

You optionally specify the KMS key when you train the model with the console or when you call the `CreateProjectVersion` operation. The KMS key you use doesn't need to be the same KMS key that you use to encrypt manifest and image files in your Amazon S3 bucket. For more information, see [Step 5: (Optional) Encrypt training files](#su-encrypt-bucket). 

Your source images are unaffected by the encryption of the copied images. For more information about KMS keys, see [AWS Key Management Service concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).

For information about training a model, see [Training an Amazon Rekognition Custom Labels model](training-model.md).
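
The following Python script is an added example, not part of the original AWS documentation. It checks a KMS key policy for the permissions listed under [Decrypting files encrypted with AWS Key Management Service](#su-kms-encryption) and in this section, and reports any that are missing for a given IAM principal. The account ID, role name, and sample key policy are constructed placeholders, and the check is a simplified static one, not a full IAM policy evaluation.

```python
import fnmatch

# KMS actions this page lists for each way a KMS key is used.
REQUIRED = {
    "decrypt_manifest_and_images": {"kms:GenerateDataKey", "kms:Decrypt"},
    "encrypt_copied_images": {"kms:CreateGrant", "kms:DescribeKey"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_actions(policy, principal_arn, wanted):
    """Actions in `wanted` that the key policy grants directly to principal_arn.

    Simplified: Condition, NotAction and NotPrincipal are ignored, and access
    delegated to IAM policies through the account root principal is not modelled.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if principal_arn not in arns and "*" not in arns:
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hits = {a for a in wanted
                if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied  # an explicit Deny overrides any Allow

def missing_permissions(policy, principal_arn):
    """Map each use of the key to the required actions that are not granted."""
    return {use: sorted(need - granted_actions(policy, principal_arn, need))
            for use, need in REQUIRED.items()}

# Constructed sample: the account ID and role name are placeholders.
CALLER = "arn:aws:iam::111122223333:role/ExampleCustomLabelsCaller"
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DecryptTrainingFiles", "Effect": "Allow",
         "Principal": {"AWS": CALLER},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        # kms:CreateGrant is deliberately left out to show a reported gap.
        {"Sid": "CopiedImagesKey", "Effect": "Allow",
         "Principal": {"AWS": [CALLER]},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for use, missing in missing_permissions(SAMPLE_KEY_POLICY, CALLER).items():
        print(use, "OK" if not missing else "missing: " + ", ".join(missing))
```

To check a real key, parse the key policy JSON into a dictionary and pass it in place of `SAMPLE_KEY_POLICY`.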

# Step 6: (Optional) Associate prior datasets with new projects
<a name="su-associate-prior-dataset"></a>

Amazon Rekognition Custom Labels now manages datasets with projects. Earlier (prior) datasets that you created are read-only and must be associated with a project before you can use them. When you open the details page for a project with the console, we automatically associate the datasets that trained the latest version of the project's model with the project. Automatic association of a dataset with a project doesn't happen if you are using the AWS SDK.

Unassociated prior datasets have either never been used to train a model or were used to train a previous version of a model. The Prior datasets page shows all of your associated and unassociated datasets.

To use an unassociated prior dataset, you create a new project on the Prior datasets page. The dataset becomes the training dataset for the new project. You can also create a project for an already associated dataset as prior datasets can have multiple associations. 

**To associate a prior dataset to a new project**

1. Open the Amazon Rekognition console at [https://console.aws.amazon.com/rekognition/](https://console.aws.amazon.com/rekognition/).

1. In the left pane, choose **Use Custom Labels**. The Amazon Rekognition Custom Labels landing page is shown. 

1. In the left navigation pane, choose **Prior datasets**.

1. In the datasets view, choose the prior dataset that you want to associate with a project.

1. Choose **Create project with dataset**.

1. On the **Create project** page, enter a name for your new project in **Project name**.

1. Choose **Create project** to create the project. The project might take a while to create.

1. Use the project. For more information, see [Understanding Amazon Rekognition Custom Labels](understanding-custom-labels.md). 

## Using a prior dataset as a test dataset
<a name="su-prior-dataset-as-test-dataset"></a>

You can use a prior dataset as the test dataset for an existing project by first associating the prior dataset with a new project. You then copy the training dataset of the new project to the test dataset of the existing project.

**To use a prior dataset as a test dataset**

1. Follow the instructions at [Step 6: (Optional) Associate prior datasets with new projects](#su-associate-prior-dataset) to associate the prior dataset with a new project. 

1. Create the test dataset in the existing project by copying the training dataset from the new project. For more information, see [Copying content from an existing dataset](md-create-dataset-existing-dataset.md).

1. Follow the instructions at [Deleting an Amazon Rekognition Custom Labels project (Console)](mp-delete-project.md#mp-delete-project-console) to delete the new project. 

Alternatively, you can create the test dataset by using the manifest file for the prior dataset. For more information, see [Creating a manifest file](md-create-manifest-file.md).