2

Simplest S3 Bucket and User Setup

Chris Lu edited this page 2026-04-14 00:01:04 -07:00

Table of Contents

• Simplest S3 Bucket and User Setup with weed mini
• 1. Start weed mini
• 2. Create a bucket, user, and policy in one step
• Available roles
• 3. Use the credentials
• Anonymous (public) access
• Grant read-only public access
• Revoke all anonymous access
• Adding more users later
• Speed check
• Related

Simplest S3 Bucket and User Setup with weed mini

The fastest way to get a working S3 setup — a bucket, a user, and the right permissions — is weed mini plus a single weed shell command.

1. Start weed mini

weed mini -dir=/data

This starts the master, volume, filer, S3 gateway, and admin UI in one process. See Quick Start with weed mini for details.

2. Create a bucket, user, and policy in one step

In another terminal, open weed shell and run s3.user.provision:

weed shell
> s3.bucket.create -name my-bucket
> s3.user.provision -name alice -bucket my-bucket -role readwrite

s3.user.provision performs three steps in one command:

1. Creates an IAM policy scoped to my-bucket
2. Creates the user alice with a freshly generated access key and secret key
3. Attaches the policy to the user

The access key and secret key are printed in the shell output. You can also view them any time from the Admin UI at http://localhost:23646.

Available roles

Role	Object actions	Bucket actions
readonly	s3:GetObject	s3:ListBucket
readwrite	s3:GetObject, s3:PutObject, s3:DeleteObject	s3:ListBucket
admin	s3:*	s3:*

Only the named bucket is granted — nothing else in the cluster is exposed.

3. Use the credentials

export AWS_ACCESS_KEY_ID=<printed access key>
export AWS_SECRET_ACCESS_KEY=<printed secret key>

aws --endpoint-url http://localhost:8333 s3 cp ./file.txt s3://my-bucket/
aws --endpoint-url http://localhost:8333 s3 ls s3://my-bucket/

As soon as any credential exists, the S3 gateway switches from "Allow All" mode to authenticated mode — unauthenticated requests will be rejected.

Anonymous (public) access

Use s3.anonymous.set to grant or revoke unauthenticated access on a bucket.

Grant read-only public access

To serve public assets — anyone can GET and LIST without credentials:

> s3.anonymous.set -bucket my-bucket -access Read,List

Verify:

aws --endpoint-url http://localhost:8333 s3 ls s3://my-bucket/ --no-sign-request
curl http://localhost:8333/my-bucket/file.txt

Revoke all anonymous access

To make the bucket private again:

> s3.anonymous.set -bucket my-bucket -access none

After this, unauthenticated requests to my-bucket are rejected; only users with IAM credentials (see s3.user.provision above) can access it.

Supported actions: Read, Write, List, Tagging, Admin (combine with commas), or none to revoke. Use s3.anonymous.list / s3.anonymous.get -bucket my-bucket to inspect the current state.

Adding more users later

Run s3.user.provision again with a different -name or -role. If the user already exists, the new bucket policy is attached to the existing user instead of creating a duplicate.

> s3.user.provision -name bob -bucket my-bucket -role readonly
> s3.user.provision -name alice -bucket another-bucket -role readwrite

Speed check

Quick sanity test on an Apple Silicon laptop, weed mini -dir=/tmp/weed-repro -ip=127.0.0.1, 1 GiB object over loopback:

Operation	Time	Throughput
aws s3 cp upload (1 GiB)	~2.0 s	~500 MB/s
aws s3 cp download (multipart-range)	~1.7 s	~600 MB/s
Single-stream curl on a presigned URL	~0.8 s	~1343 MB/s

Related

• Quick Start with weed mini
• Amazon S3 API
• Amazon IAM API
• Admin UI

Introduction

• Quick Start with weed mini
• Simplest S3 Bucket and User Setup
• Components
• Getting Started
• Production Setup
• A typical step‐by‐step example
• Benchmarks
• FAQ
• Applications

API

• Master Server API
• Volume Server API
• Filer Server API
• Client Libraries
• SeaweedFS Java Client

Configuration

• Replication
• Store file with a Time To Live
• Failover Master Server
• Erasure coding for warm storage
• EC Bitrot Detection
• Server Startup via Systemd
• Environment Variables

Filer

• Filer Setup
• Directories and Files
• File Operations Quick Reference
• Data Structure for Large Files
• Filer Data Encryption
• Filer Commands and Operations
• Filer JWT Use
• TUS Resumable Uploads

Filer Stores

• Filer Cassandra Setup
• Filer Redis Setup
• Super Large Directories
• Path-Specific Filer Store
• Choosing a Filer Store
• Customize Filer Store

Management

• Admin UI
• Admin UI OIDC
• Worker
• Plugin Worker Scheduling

Advanced Filer Configurations

• Migrate to Filer Store
• Add New Filer Store
• Filer Store Replication
• Filer Active Active cross cluster continuous synchronization
• Filer as a Key-Large-Value Store
• Path Specific Configuration
• Filer Change Data Capture
• Filer Operation Serialization

FUSE Mount

• FIO benchmark
• fstab and systemd mount
• POSIX Compliance
• Distributed POSIX Locks
• P2P reading in weed mount

WebDAV

SFTP Server

Cloud Drive

• Cloud Drive Benefits
• Cloud Drive Architecture
• Configure Remote Storage
• Mount Remote Storage
• Cache Remote Storage
• Cloud Drive Quick Setup
• Gateway to Remote Object Storage

AWS S3 API

• Amazon S3 API
• Supported APIs vs Minio
• S3 Lifecycle
• S3 Lifecycle vs Volume TTL
• S3 Conditional Operations
• S3 CORS
• S3 Object Lock and Retention
• S3 Object Versioning
• S3 API Benchmark
• S3 API FAQ
• S3 Bucket Quota
• S3 Rate Limiting
• S3 API Audit log
• S3 Nginx Proxy
• Docker Compose for S3

S3 Table Bucket

• S3 Table Bucket
• S3 Table Bucket Commands
• S3 Tables Security
• SeaweedFS Iceberg Catalog
• Iceberg Table Maintenance

Iceberg Integrations

• Spark Iceberg Integration
• Trino Iceberg Integration
• Dremio Iceberg Integration
• DuckDB Iceberg Integration
• Doris Iceberg Integration
• RisingWave Iceberg Integration
• Lakekeeper Iceberg Integration

S3 Authentication & IAM

• S3 Configuration - Start Here
• S3 Credentials (-s3.config)
• OIDC Integration (-s3.iam.config)
• Kubernetes ServiceAccount Authentication (IRSA-style)
• S3 Policy Variables
• S3 Policy Conditions
• S3 Bucket Policies
• Amazon IAM API
• AWS IAM CLI
• weed shell - Shell IAM Commands

Server-Side Encryption

• Server-Side Encryption
• Server-Side Encryption SSE-KMS
• Server-Side Encryption SSE-C

S3 Client Tools

• AWS CLI with SeaweedFS
• s3cmd with SeaweedFS
• rclone with SeaweedFS
• restic with SeaweedFS
• nodejs with Seaweed S3

Machine Learning

• TensorFlow with SeaweedFS
• Distributing AI Model Files for Multi-GPU Loading

HDFS

• Hadoop Compatible File System
• run Spark on SeaweedFS
• run HBase on SeaweedFS
• run Presto on SeaweedFS
• Hadoop Benchmark
• HDFS via S3 connector

Replication and Backup

• Async Replication to another Filer [Deprecated]
• Async Backup
• Async Filer Metadata Backup
• Async Replication to Cloud [Deprecated]
• Kubernetes Backups and Recovery with K8up

Metadata Change Events

• Filer Metadata Events
• Filer Notification Webhook

Messaging

• Structured Data Lake with SMQ and SQL
• Seaweed Message Queue
• SQL Queries on Message Queue
• SQL Quick Reference
• PostgreSQL-compatible Server weed db
• Pub-Sub to SMQ to SQL
• Kafka to Kafka Gateway to SMQ to SQL

Use Cases

• Use Cases
• Actual Users

Operations

• System Metrics
• weed shell
• Data Backup
• Deployment to Kubernetes and Minikube
• Deployment with seaweed-up
  • Cluster Plan Workflow
  • Cluster Plan Inventory Reference
  • Cluster Plan Day 2 Operations

Rust Volume Server

• Rust Volume Server

Advanced

• Large File Handling
• Optimization
• Optimization for Many Small Buckets
• Volume Management
• Tiered Storage
• Cloud Tier
• Cloud Monitoring
• Load Command Line Options from a file
• SRV Service Discovery
• Volume Files Structure

Security

• Security Overview
• Security Configuration
• Cryptography and FIPS Compliance
• Run Blob Storage on Public Internet

Misc Use Case Examples

• UrBackup with SeaweedFS
• Docker Image Registry with SeaweedFS
• SeaweedFS in Docker Swarm
• Words from SeaweedFS Users
• Independent Benchmarks
• Hardware