open-vault/website/source/docs/configuration/storage/s3.html.md

---
layout: "docs"
page_title: "S3 - Storage Backends - Configuration"
sidebar_current: "docs-configuration-storage-s3"
description: |-
  The S3 storage backend is used to persist Vault's data in an Amazon S3
  bucket.
---

# S3 Storage Backend

The S3 storage backend is used to persist Vault's data in an [Amazon S3][s3]
bucket.

- **No High Availability** – the S3 storage backend does not support high
  availability.

- **Community Supported** – the S3 storage backend is supported by the
  community. While it has undergone review by HashiCorp employees, they may not
  be as knowledgeable about the technology. If you encounter problems with them,
  you may be referred to the original author.

```hcl
storage "s3" {
  access_key = "abcd1234"
  secret_key = "defg5678"
  bucket     = "my-bucket"
}
```

## `s3` Parameters

- `bucket` `(string: <required>)` – Specifies the name of the S3 bucket. This
  can also be provided via the environment variable `AWS_S3_BUCKET`.

- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, S3
  endpoint. This can also be provided via the environment variable
  `AWS_S3_ENDPOINT`.

- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be
  provided via the environment variable `AWS_REGION` or `AWS_DEFAULT_REGION`,
  in that order of preference.

The following settings are used for authenticating to AWS. If you are
running your Vault server on an EC2 instance, you can also make use of the EC2
instance profile service to provide the credentials Vault will use to make
S3 API calls. Leaving the `access_key` and `secret_key` fields empty will
cause Vault to attempt to retrieve credentials from the AWS metadata service.

- `access_key` – Specifies the AWS access key. This can also be provided via
  the environment variable `AWS_ACCESS_KEY_ID`, AWS credential files, or by
  IAM role.

- `secret_key` – Specifies the AWS secret key. This can also be provided via
  the environment variable `AWS_SECRET_ACCESS_KEY`, AWS credential files, or
  by IAM role.

- `session_token` `(string: "")` – Specifies the AWS session token. This can
  also be provided via the environment variable `AWS_SESSION_TOKEN`.

- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
  requests to S3.

- `s3_force_path_style` `(string: "false")` - Specifies whether to use host
  bucket style domains with the configured endpoint.

- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the
  endpoint connection (highly recommended not to disable for production).

## `s3` Examples

### Default Example

This example shows using Amazon S3 as a storage backend.

```hcl
storage "s3" {
  access_key = "abcd1234"
  secret_key = "defg5678"
  bucket     = "my-bucket"
}
```

[s3]: https://aws.amazon.com/s3/
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
+								---
 								layout: "docs"
 								page_title: "S3 - Storage Backends - Configuration"
 								sidebar_current: "docs-configuration-storage-s3"
 								description: |-
 								  The S3 storage backend is used to persist Vault's data in an Amazon S3
 								  bucket.
 								---
 								# S3 Storage Backend
 								The S3 storage backend is used to persist Vault's data in an [Amazon S3][s3]
 								bucket.
 								- **No High Availability** – the S3 storage backend does not support high
 								  availability.
 								- **Community Supported** – the S3 storage backend is supported by the
 								  community. While it has undergone review by HashiCorp employees, they may not
 								  be as knowledgeable about the technology. If you encounter problems with them,
 								  you may be referred to the original author.
 								```hcl
-												Rename physical backend to storage and alias old value (#2456)


											
										
										
											2017-03-08 14:17:00 +00:00
+								storage "s3" {
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
+								  access_key = "abcd1234"
 								  secret_key = "defg5678"
 								  bucket     = "my-bucket"
 								}
 								```
 								## `s3` Parameters
 								- `bucket` `(string: <required>)` – Specifies the name of the S3 bucket. This
 								  can also be provided via the environment variable `AWS_S3_BUCKET`.
 								- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, S3
 								  endpoint. This can also be provided via the environment variable
-												Use RemoteCredProvider instead of EC2RoleProvider  (#2983)


											
										
										
											2017-07-31 22:27:16 +00:00
+								  `AWS_S3_ENDPOINT`.
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
 								- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be
-												Use RemoteCredProvider instead of EC2RoleProvider  (#2983)


											
										
										
											2017-07-31 22:27:16 +00:00
+								  provided via the environment variable `AWS_REGION` or `AWS_DEFAULT_REGION`,
 								  in that order of preference.
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
 								The following settings are used for authenticating to AWS. If you are
 								running your Vault server on an EC2 instance, you can also make use of the EC2
 								instance profile service to provide the credentials Vault will use to make
 								S3 API calls. Leaving the `access_key` and `secret_key` fields empty will
 								cause Vault to attempt to retrieve credentials from the AWS metadata service.
-												Update the S3 storage backend docs to reflect capabilities.

											
										
										
											2017-05-11 03:00:59 +00:00
+								- `access_key` – Specifies the AWS access key. This can also be provided via
 								  the environment variable `AWS_ACCESS_KEY_ID`, AWS credential files, or by
 								  IAM role.
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
-												Update the S3 storage backend docs to reflect capabilities.

											
										
										
											2017-05-11 03:00:59 +00:00
+								- `secret_key` – Specifies the AWS secret key. This can also be provided via
 								  the environment variable `AWS_SECRET_ACCESS_KEY`, AWS credential files, or
 								  by IAM role.
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
 								- `session_token` `(string: "")` – Specifies the AWS session token. This can
 								  also be provided via the environment variable `AWS_SESSION_TOKEN`.
-												s3.go: Added options to use paths with S3 and the ability to disable SSL (#3730)


											
										
										
											2018-01-03 17:11:00 +00:00
+								- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
-												Add permitPool support to S3 (#2466)


											
										
										
											2017-03-26 18:32:26 +00:00
+								  requests to S3.
-												s3.go: Added options to use paths with S3 and the ability to disable SSL (#3730)


											
										
										
											2018-01-03 17:11:00 +00:00
+								- `s3_force_path_style` `(string: "false")` - Specifies whether to use host
 								  bucket style domains with the configured endpoint.
 								- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the
 								  endpoint connection (highly recommended not to disable for production).
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
+								## `s3` Examples
 								### Default Example
-												Fix typo in s3 storage backend docs (#3603)


											
										
										
											2017-11-23 21:28:33 +00:00
+								This example shows using Amazon S3 as a storage backend.
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
 								```hcl
-												Rename physical backend to storage and alias old value (#2456)


											
										
										
											2017-03-08 14:17:00 +00:00
+								storage "s3" {
-												Separate backend configurations into their own pages (#2454)

* Clean vertical lines

* Make sidebar slightly larger on bigger displays

* Separate backend configurations into their own pages

											
										
										
											2017-03-08 02:47:23 +00:00
+								  access_key = "abcd1234"
 								  secret_key = "defg5678"
 								  bucket     = "my-bucket"
 								}
 								```
 								[s3]: https://aws.amazon.com/s3/