viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Page: S3 Configuration
Pages
A typical step‐by‐step example AWS CLI with SeaweedFS AWS IAM CLI Actual Users Admin UI OIDC Admin UI Amazon IAM API Amazon S3 API Applications Async Backup Async Filer Metadata Backup Async Replication to Cloud Async Replication to another Filer Benchmark SeaweedFS as a GlusterFS replacement Benchmarks from jinleileiking Benchmarks Cache Remote Storage Choosing a Filer Store Client Libraries Cloud Drive Architecture Cloud Drive Benefits Cloud Drive Quick Setup Cloud Monitoring Cloud Tier Cluster Plan Day 2 Operations Cluster Plan Inventory Reference Cluster Plan Workflow Components Configure Remote Storage Cryptography and FIPS Compliance Customize Filer Store Data Backup Data Structure for Large Files Deployment to Kubernetes and Minikube Deployment with seaweed up Directories and Files Distributed POSIX Locks Distributing AI Model Files for Multi GPU Loading Docker Compose for S3 Docker Image Registry with SeaweedFS Doris Iceberg Integration Dremio Iceberg Integration DuckDB Iceberg Integration EC Bitrot Detection Environment Variables Erasure Coding for warm storage Error reporting to sentry FAQ FIO benchmark FUSE Mount Failover Master Server File Operations Quick Reference Filer Active Active cross cluster continuous synchronization Filer Cassandra Setup Filer Change Data Capture Filer Commands and Operations Filer Data Encryption Filer JWT Use Filer Metadata Events Filer Notification Webhook Filer Operation Serialization Filer Redis Setup Filer Server API Filer Setup Filer Store Replication Filer Stores Filer as a Key Large Value Store Gateway to Remote Object Storage Getting Started HDFS via S3 connector Hadoop Benchmark Hadoop Compatible File System Hardware Hobbyest Tinkerer scale on premises tutorial Home Iceberg Table Maintenance Independent Benchmarks Kafka to Kafka Gateway to SMQ to SQL Kubernetes Backups and Recovery with K8up Kubernetes ServiceAccount Authentication Lakekeeper Iceberg Integration Large File Handling Load Command Line Options from a file Master Server API Migrate Maintenance Scripts to Admin Script Plugin Migrate to Filer Store Mount Remote Storage OIDC Integration Optimization for Many Small Buckets Optimization P2P reading in weed mount POSIX Compliance Path Specific Configuration Path Specific Filer Store Plugin Worker Scheduling PostgreSQL compatible Server weed db Production Setup Pub Sub to SMQ to SQL Quick Start with weed mini Replication RisingWave Iceberg Integration Run Blob Storage on Public Internet Run Presto on SeaweedFS Rust Volume Server S3 API Audit log S3 API Benchmark S3 API FAQ S3 Bucket Policies S3 Bucket Quota S3 CORS S3 Conditional Operations S3 Configuration S3 Credentials S3 Lifecycle Architecture S3 Lifecycle Monitoring S3 Lifecycle Operator Guide S3 Lifecycle Troubleshooting S3 Lifecycle vs Volume TTL S3 Lifecycle S3 Nginx Proxy S3 Object Lock and Retention S3 Object Versioning S3 Policy Conditions S3 Policy Variables S3 Rate Limiting S3 Table Bucket Commands S3 Table Bucket S3 Tables Security SFTP Server SQL Queries on Message Queue SQL Quick Reference SRV Service Discovery Seaweed Message Queue SeaweedFS Architecture SeaweedFS Iceberg Catalog SeaweedFS Java Client SeaweedFS in Docker Swarm Security Configuration Security Overview Server Side Encryption SSE C Server Side Encryption SSE KMS Server Side Encryption Server Startup via Systemd Simplest S3 Bucket and User Setup Spark Iceberg Integration Store file with a Time To Live Structured Data Lake with SMQ and SQL Super Large Directories Supported APIs vs Minio System Metrics TUS Resumable Uploads TensorFlow with SeaweedFS Tiered Storage Trino Iceberg Integration UrBackup with SeaweedFS Use Cases Volume Files Structure Volume Management Volume Server API WebDAV Words from SeaweedFS Users Worker fstab and systemd mount nodejs with Seaweed S3 rclone with SeaweedFS restic with SeaweedFS run HBase on SeaweedFS run Spark on SeaweedFS s3cmd with SeaweedFS weed shell
Clone
10
S3 Configuration
Chris Lu edited this page 2026-04-06 18:39:18 -07:00
Table of Contents

S3 Configuration Overview

SeaweedFS S3 gateway has two separate configuration systems for different purposes. Understanding the difference is crucial for proper setup.

Quick Reference

Option Purpose Use When
No Config Zero Configuration Simplest way to use STS features immediately
-s3.config Basic S3 credentials You need simple user authentication with access keys
-s3.iam.config Advanced IAM (STS, OIDC) You need OIDC integration or role-based access

Zero Configuration (Simplest)

weed s3 enables Advanced IAM (STS) by default with secure, auto-generated keys.

Use this for: Immediate access to STS features like AssumeRoleWithWebIdentity (e.g., for Kubernetes workloads) without any setup.

# S3 server starts with STS enabled, allowing both anonymous and STS access
weed s3 -filer=localhost:8888

Security & Persistence

  • Default Effect: Allow: This defaults to Open Access (same as legacy behavior). It does not secure your data by default. To enforce access control, you must provide a config file with "defaultEffect": "Deny".
  • Policy Store: Memory: By default, policies are stored in memory and lost on restart. This ensures "Zero Config" instances are isolated and don't accidentally enforce cluster-wide policies. For persistent policies, use -s3.iam.config and configure "storeType": "filer".

Basic Credentials (-s3.config)

Use this for: Simple username/password style authentication with access keys.

Documentation: S3 Credentials

weed s3 -config=/path/to/s3.json -filer=localhost:8888
# OR
weed server -s3 -s3.config=/path/to/s3.json
# OR
weed mini -s3.config=/path/to/s3.json

Configuration Format

{
  "identities": [
    {
      "name": "admin_user",
      "credentials": [
        {
          "accessKey": "your_access_key",
          "secretKey": "your_secret_key"
        }
      ],
      "actions": ["Admin", "Read", "Write", "List", "Tagging"]
    },
    {
      "name": "readonly_user",
      "credentials": [
        {
          "accessKey": "readonly_key",
          "secretKey": "readonly_secret"
        }
      ],
      "actions": ["Read", "List"]
    }
  ]
}

Available Actions

Action Description
Admin Full access, create/delete buckets
Read Read objects
Write Write/upload objects
List List buckets and objects
Tagging Manage object tags
Read:bucket1 Read access to specific bucket
Write:bucket1 Write access to specific bucket

S3 with Reverse Proxy

When SeaweedFS S3 is behind a reverse proxy (Nginx, HAProxy, AWS ALB, etc.), it needs to know the correct host and protocol to verify S3 signatures.

By default, SeaweedFS automatically detects the following headers from your proxy:

  • X-Forwarded-Host (e.g. s3.example.com)
  • X-Forwarded-Proto (e.g. https)
  • X-Forwarded-Port (e.g. 443)

Alternatively, you can explicitly set the public-facing URL using the externalUrl flag. This is recommended for complex proxy setups or when you cannot easily modify proxy headers.

# Explicitly set the external S3 endpoint
weed s3 -s3.externalUrl=https://s3.example.com

For detailed configuration examples, see the S3 Nginx Proxy page.

Advanced IAM (-s3.iam.config)

Use this for: Enterprise features like OIDC/Keycloak integration, STS (Security Token Service), IAM policies, and role-based access control.

Documentation: OIDC Integration

weed s3 -filer=localhost:8888 -iam.config=/path/to/iam.json
# OR
weed server -s3 -s3.iam.config=/path/to/iam.json
# OR
weed mini -s3.iam.config=/path/to/iam.json

Configuration Format

{
  "sts": {
    "tokenDuration": "1h",       // Optional, default: "1h"
    "maxSessionLength": "12h",   // Optional, default: "12h"
    "issuer": "seaweedfs-sts",   // Optional, default: "seaweedfs-sts"
    "signingKey": "base64-..."   // Optional, auto-fallback if missing
  },
  "providers": [
    {
      "name": "keycloak",
      "type": "oidc",
      "enabled": true,
      "config": {
        "issuer": "https://keycloak.example.com/realms/myrealm",
        "clientId": "seaweedfs-s3",
        "jwksUri": "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/certs"
      }
    }
  ],
  "policies": [
    {
      "name": "ReadOnlyPolicy",
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          { "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": ["*"] }
        ]
      }
    }
  ],
  "roles": [
    {
      "roleName": "ReadOnlyRole",
      "roleArn": "arn:aws:iam::role/ReadOnlyRole",
      "attachedPolicies": ["ReadOnlyPolicy"],
      "trustPolicy": { ... }
    }
  ]
}

Key Components

Component Description
sts Security Token Service configuration for temporary credentials
providers OIDC identity providers (Keycloak, Okta, Auth0, etc.)
policies AWS IAM-style policy documents
roles IAM roles with trust policies for role assumption

STS Configuration & Defaults

The sts section is optional. If omitted or partially configured, the following defaults apply:

  • tokenDuration: Defaults to 1h
  • maxSessionLength: Defaults to 12h
  • issuer: Defaults to seaweedfs-sts

Signing Key Fallback Strategy:

If signingKey is not provided in the IAM config, SeaweedFS attempts to find a key in the following order:

  1. Filer Signing Key: The jwt.filer_signing.key from server configuration (security.toml or CLI).
  2. SSE-S3 Master Key (KEK): If the filer key is missing, it falls back to the cluster-wide SSE-S3 Master Key (stored in filer at /etc/s3/sse_kek).
    • Auto-Generation: This key is automatically generated if it does not exist, ensuring a fallback is always available in a healthy cluster.
    • Security Note: A specific seaweedfs-sts-signing-key is derived from the master KEK using HKDF-SHA256 to ensure cryptographic isolation between STS and SSE-S3.

Important

: The -s3.iam.config does NOT support the identities field. For basic user credentials, use -s3.config instead.

Using Both Together

You can use both configuration options together:

weed s3 \
  -config=/path/to/s3-credentials.json \
  -iam.config=/path/to/iam-advanced.json \
  -filer=localhost:8888

This allows:

  • Basic users to authenticate with access keys (from -s3.config)
  • OIDC users to authenticate with JWT tokens (from -s3.iam.config)

Common Mistakes

Wrong: Using identities in -s3.iam.config

# This will NOT load identities!
weed s3 -iam.config=/path/to/config.json

With config file:

{
  "identities": [...]  // This is IGNORED by -iam.config
}

Correct: Using identities in -s3.config

weed s3 -config=/path/to/config.json

With config file:

{
  "identities": [...]  // This works with -config
}

Configuration Methods Summary

Method Priority Auto-Reload Best For
-config file Highest SIGHUP Production static config
Filer storage Medium Yes Dynamic management
Admin UI Medium Yes Web-based management
Environment variables Fallback No Development/testing
Allow All Lowest (Fallback) N/A Quick start / Dev / Local testing

See S3 Credentials for detailed information on each method.

Embedded IAM API

Starting with SeaweedFS 3.x, the IAM API is embedded in the S3 server by default. This allows managing users, access keys, and policies using AWS IAM CLI commands on the same endpoint as S3.

# Start S3 with embedded IAM (default)
weed s3 -filer=localhost:8888

# IAM and S3 use the same endpoint
aws --endpoint http://localhost:8333 iam create-user --user-name bob
aws --endpoint http://localhost:8333 s3 ls

Disabling Embedded IAM

If you don't need IAM API functionality, you can disable it:

weed s3 -iam=false -filer=localhost:8888

See Amazon IAM API for detailed IAM usage, or use the weed shell commands for interactive management:

weed shell
> s3.user.create -name alice
> s3.policy -put -name my-policy -file policy.json
> s3.policy.attach -policy my-policy -user alice
> s3.config.show

File Permissions for S3 Uploads

By default, objects uploaded via S3 are created with Unix file mode 0660 (-rw-rw----). This can be controlled per-object via the X-Amz-Acl header, or overridden server-wide with the -defaultFileMode flag.

Per-Object Permissions via S3 ACL

The X-Amz-Acl (canned ACL) header is mapped to Unix file permissions:

Canned ACL File Mode Permissions
private 0660 -rw-rw----
public-read 0644 -rw-r--r--
public-read-write 0666 -rw-rw-rw-
authenticated-read 0644 -rw-r--r--
bucket-owner-read 0644 -rw-r--r--
bucket-owner-full-control 0660 -rw-rw----

Example with rclone:

# Upload with world-readable permissions
rclone copy myfile.txt remote:mybucket/ --s3-acl=public-read

Example with AWS CLI:

aws s3 cp myfile.txt s3://mybucket/ --acl public-read --endpoint-url http://localhost:8333

Server-Wide Default File Mode

To change the default for all uploads (when no ACL header is provided):

# Standalone S3 server
weed s3 -defaultFileMode=0644

# Embedded in weed server
weed server -s3 -s3.defaultFileMode=0644

# Embedded in weed filer
weed filer -s3 -s3.defaultFileMode=0644

# Mini mode
weed mini -s3.defaultFileMode=0644

The value is an octal file mode string (e.g. 0644, 0666, 0660).

Priority Order

  1. Per-object X-Amz-Acl header (if present and recognized)
  2. Server-wide -defaultFileMode (if configured)
  3. Built-in default 0660

Related Documentation

Introduction

API

Configuration

Filer

Filer Stores

Management

Advanced Filer Configurations

FUSE Mount

WebDAV

SFTP Server

Cloud Drive

AWS S3 API

S3 Table Bucket

Iceberg Integrations

S3 Authentication & IAM

Server-Side Encryption

S3 Client Tools

Machine Learning

HDFS

Replication and Backup

Metadata Change Events

Messaging

Use Cases

Operations

Rust Volume Server

Advanced

Security

Misc Use Case Examples