2017-03-08 02:47:23 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: docs
|
|
|
|
|
page_title: S3 - Storage Backends - Configuration
|
2017-03-08 02:47:23 +00:00
|
|
|
|
description: |-
|
|
|
|
|
The S3 storage backend is used to persist Vault's data in an Amazon S3
|
|
|
|
|
bucket.
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# S3 Storage Backend
|
|
|
|
|
|
|
|
|
|
The S3 storage backend is used to persist Vault's data in an [Amazon S3][s3]
|
|
|
|
|
bucket.
|
|
|
|
|
|
|
|
|
|
- **No High Availability** – the S3 storage backend does not support high
|
|
|
|
|
availability.
|
|
|
|
|
|
|
|
|
|
- **Community Supported** – the S3 storage backend is supported by the
|
|
|
|
|
community. While it has undergone review by HashiCorp employees, they may not
|
|
|
|
|
be as knowledgeable about the technology. If you encounter problems with them,
|
|
|
|
|
you may be referred to the original author.
|
|
|
|
|
|
|
|
|
|
```hcl
|
2017-03-08 14:17:00 +00:00
|
|
|
|
storage "s3" {
|
2017-03-08 02:47:23 +00:00
|
|
|
|
access_key = "abcd1234"
|
|
|
|
|
secret_key = "defg5678"
|
|
|
|
|
bucket = "my-bucket"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## `s3` Parameters
|
|
|
|
|
|
|
|
|
|
- `bucket` `(string: <required>)` – Specifies the name of the S3 bucket. This
|
|
|
|
|
can also be provided via the environment variable `AWS_S3_BUCKET`.
|
|
|
|
|
|
|
|
|
|
- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, S3
|
|
|
|
|
endpoint. This can also be provided via the environment variable
|
2017-07-31 22:27:16 +00:00
|
|
|
|
`AWS_S3_ENDPOINT`.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
|
|
|
|
- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be
|
2017-07-31 22:27:16 +00:00
|
|
|
|
provided via the environment variable `AWS_REGION` or `AWS_DEFAULT_REGION`,
|
|
|
|
|
in that order of preference.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
|
|
|
|
The following settings are used for authenticating to AWS. If you are
|
|
|
|
|
running your Vault server on an EC2 instance, you can also make use of the EC2
|
|
|
|
|
instance profile service to provide the credentials Vault will use to make
|
|
|
|
|
S3 API calls. Leaving the `access_key` and `secret_key` fields empty will
|
|
|
|
|
cause Vault to attempt to retrieve credentials from the AWS metadata service.
|
|
|
|
|
|
2017-05-11 03:00:59 +00:00
|
|
|
|
- `access_key` – Specifies the AWS access key. This can also be provided via
|
|
|
|
|
the environment variable `AWS_ACCESS_KEY_ID`, AWS credential files, or by
|
|
|
|
|
IAM role.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
2017-05-11 03:00:59 +00:00
|
|
|
|
- `secret_key` – Specifies the AWS secret key. This can also be provided via
|
|
|
|
|
the environment variable `AWS_SECRET_ACCESS_KEY`, AWS credential files, or
|
|
|
|
|
by IAM role.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
|
|
|
|
- `session_token` `(string: "")` – Specifies the AWS session token. This can
|
|
|
|
|
also be provided via the environment variable `AWS_SESSION_TOKEN`.
|
|
|
|
|
|
2018-01-03 17:11:00 +00:00
|
|
|
|
- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
|
2017-03-26 18:32:26 +00:00
|
|
|
|
requests to S3.
|
|
|
|
|
|
2018-01-03 17:11:00 +00:00
|
|
|
|
- `s3_force_path_style` `(string: "false")` - Specifies whether to use host
|
|
|
|
|
bucket style domains with the configured endpoint.
|
|
|
|
|
|
|
|
|
|
- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the
|
|
|
|
|
endpoint connection (highly recommended not to disable for production).
|
|
|
|
|
|
2019-01-26 21:48:08 +00:00
|
|
|
|
- `kms_key_id` `(string: "")` - Specifies the ID or Alias of the KMS key used to
|
|
|
|
|
encrypt data in the S3 backend. Vault must have `kms:Encrypt` and `kms:Decrypt`
|
|
|
|
|
permissions for this key. You can use `alias/aws/s3` to specify the default
|
|
|
|
|
key for the account.
|
2020-01-18 00:18:09 +00:00
|
|
|
|
|
|
|
|
|
- `path` `(string: "")` - Specifies the path in the S3 Bucket where Vault
|
2019-07-24 16:48:26 +00:00
|
|
|
|
data will be stored.
|
2020-01-18 00:18:09 +00:00
|
|
|
|
|
2017-03-08 02:47:23 +00:00
|
|
|
|
## `s3` Examples
|
|
|
|
|
|
|
|
|
|
### Default Example
|
|
|
|
|
|
2017-11-23 21:28:33 +00:00
|
|
|
|
This example shows using Amazon S3 as a storage backend.
|
2017-03-08 02:47:23 +00:00
|
|
|
|
|
|
|
|
|
```hcl
|
2017-03-08 14:17:00 +00:00
|
|
|
|
storage "s3" {
|
2017-03-08 02:47:23 +00:00
|
|
|
|
access_key = "abcd1234"
|
|
|
|
|
secret_key = "defg5678"
|
|
|
|
|
bucket = "my-bucket"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2019-01-26 21:48:08 +00:00
|
|
|
|
### S3 KMS Encryption with Default Key
|
|
|
|
|
|
|
|
|
|
This example shows using Amazon S3 as a storage backend using KMS
|
|
|
|
|
encryption with the default S3 KMS key for the account.
|
|
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
|
storage "s3" {
|
|
|
|
|
access_key = "abcd1234"
|
|
|
|
|
secret_key = "defg5678"
|
|
|
|
|
bucket = "my-bucket"
|
|
|
|
|
kms_key_id = "alias/aws/s3"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### S3 KMS Encryption with Custom Key
|
|
|
|
|
|
|
|
|
|
This example shows using Amazon S3 as a storage backend using KMS
|
|
|
|
|
encryption with a customer managed KMS key.
|
|
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
|
storage "s3" {
|
|
|
|
|
access_key = "abcd1234"
|
|
|
|
|
secret_key = "defg5678"
|
|
|
|
|
bucket = "my-bucket"
|
|
|
|
|
kms_key_id = "001234ac-72d3-9902-a3fc-0123456789ab"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-08 02:47:23 +00:00
|
|
|
|
[s3]: https://aws.amazon.com/s3/
|
2020-10-26 18:15:59 +00:00
|
|
|
|
|
|
|
|
|
## AWS Instance Metadata Timeouts
|
|
|
|
|
|
2020-12-17 21:53:33 +00:00
|
|
|
|
@include 'aws-imds-timeout.mdx'
|