
Configuring the S3 Proxy

An instance of the S3 proxy corresponds to a single tenant in the Antimatter system. The proxy must be configured to interact with both your Antimatter domain and your AWS account. Environment variables configure the Antimatter-specific settings, the AWS settings, the configuration test settings, and the S3 proxy settings.

Antimatter Configuration

These are the domain ID and API key for the Antimatter account used to encrypt and decrypt the data in Antimatter capsules.

ANTIMATTER_DOMAIN_ID

ANTIMATTER_API_KEY

The read and write contexts for the Antimatter domain. If not set, the 'default' contexts will be used.

ANTIMATTER_READ_CONTEXT

ANTIMATTER_WRITE_CONTEXT

Because the S3 proxy endpoint for presigned URLs will generally be publicly accessible, the AWS presigned URL is wrapped in an Antimatter presigned URL. The Antimatter metadata will be signed using a pre-configured presigned secret key. If this is not defined, the ANTIMATTER_API_KEY will be used for signing URLs.

ANTIMATTER_PRESIGN_SECRET

AWS Configuration

The AWS region of the bucket(s) that will be interacted with.

AWS_REGION

If using an AWS access key, set the access key ID and secret.

AWS_ACCESS_KEY_ID

AWS_SECRET_ACCESS_KEY

Otherwise, if using a service account, set the location of the web identity token file, and optionally set the role ARN.

AWS_WEB_IDENTITY_TOKEN_FILE

AWS_ROLE_ARN

To override the default expiry of AWS presigned URLs, set:

AWS_S3_EXPIRES

The endpoint URL to use for AWS can be explicitly set.

AWS_ENDPOINT_URL

If no AWS_ENDPOINT_URL is set, the transfer acceleration and FIPS mode flags can be set to direct which AWS URL should be used.

AWS_S3_TRANSFER_ACCELERATION_ENABLED

AWS_S3_FIPS_MODE

Configuration Test Settings

To catch configuration errors with AWS or Antimatter on startup, the configuration health check can be enabled to test general operations that are expected to succeed when the S3 proxy starts up. There are two environment variables, and both must be set to enable the configuration health check:

TEST_BUCKET

TEST_KEY_PREFIX

The TEST_BUCKET is the S3 bucket to interact with, and the TEST_KEY_PREFIX is the prefix for the object keys to interact with.

Warning

Any files in the TEST_BUCKET matching the TEST_KEY_PREFIX are subject to deletion by the configuration test. Objects will be deleted from TEST_BUCKET where object key 'k' starts with TEST_KEY_PREFIX and the remainder of k matches the randomly generated file name pattern.

Assign these values carefully!

The configuration test will attempt to:

  • Clean up old objects in TEST_BUCKET with key matching TEST_KEY_PREFIX + generated remainder
  • PutObject - put a new object to TEST_BUCKET with key TEST_KEY_PREFIX + new generated remainder
  • CopyObject - copy the new object to TEST_BUCKET with key TEST_KEY_PREFIX + new generated remainder
  • GetObject - get the new objects
  • DeleteObject - delete the new objects

Enabling the configuration test is strongly recommended as the S3 proxy will not report as healthy if the configuration test does not successfully pass.

Proxy General Configuration

The host and port to listen on. Host defaults to 127.0.0.1, and port to 9234.

S3PROXY_HOST

S3PROXY_PORT

A separate listener for presigned URLs runs on S3PROXY_HOST:S3PROXY_PRESIGNED_PORT. This is run separately as presigned URL endpoints will often be publicly accessible. The default presigned port is 9235.

S3PROXY_PRESIGNED_PORT

The S3 proxy has endpoints for generating presigned URLs. Generally it is more efficient to do this locally rather than making an extra network call (and examples of this are provided in S3 Proxy Usage), but if using the presigned URL generating endpoints, the externally accessible address of the S3 proxy must be set. Otherwise, the generated presigned URL will be http://S3PROXY_HOST:S3PROXY_PRESIGNED_PORT/am-presigned/HTTP_METHOD/?QUERY_PARAMS

S3PROXY_PRESIGNED_ADDRESS
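
The rules stated across the sections above (the presign secret fallback, the paired test variables, the shared listener host) can be checked before the proxy is started. The following preflight function is an added example, not part of the Antimatter documentation or code; the function name check_s3proxy_env, the ERROR/WARN severities and the assumption that the domain ID and API key are mandatory are choices made for this example.

```shell
#!/bin/sh
# Added example, not Antimatter's code. Prints one finding per line and
# returns 1 if any ERROR was found. Severity choices are this example's own.
check_s3proxy_env() (
    rc=0
    err()  { echo "ERROR: $1"; rc=1; }
    warn() { echo "WARN: $1"; }

    # Assumption: the proxy cannot work without these two values.
    [ -n "${ANTIMATTER_DOMAIN_ID:-}" ] || err "ANTIMATTER_DOMAIN_ID is not set"
    [ -n "${ANTIMATTER_API_KEY:-}" ] || err "ANTIMATTER_API_KEY is not set"
    # Documented fallback: the API key then doubles as the URL signing key.
    [ -n "${ANTIMATTER_PRESIGN_SECRET:-}" ] ||
        warn "ANTIMATTER_PRESIGN_SECRET unset: ANTIMATTER_API_KEY will sign presigned URLs"

    # An AWS access key needs both halves.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        err "AWS_ACCESS_KEY_ID set without AWS_SECRET_ACCESS_KEY"
    elif [ -z "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        err "AWS_SECRET_ACCESS_KEY set without AWS_ACCESS_KEY_ID"
    fi
    # The page describes the acceleration/FIPS flags only for the no-endpoint-URL case.
    if [ -n "${AWS_ENDPOINT_URL:-}" ] &&
       [ -n "${AWS_S3_TRANSFER_ACCELERATION_ENABLED:-}${AWS_S3_FIPS_MODE:-}" ]; then
        warn "AWS_ENDPOINT_URL set together with acceleration/FIPS flags"
    fi

    # The configuration test is enabled only when both variables are set.
    if [ -n "${TEST_BUCKET:-}" ] && [ -n "${TEST_KEY_PREFIX:-}" ]; then
        :
    elif [ -n "${TEST_BUCKET:-}${TEST_KEY_PREFIX:-}" ]; then
        err "only one of TEST_BUCKET/TEST_KEY_PREFIX is set: configuration test not enabled"
    else
        warn "TEST_BUCKET/TEST_KEY_PREFIX unset: configuration test not enabled"
    fi

    # Both listeners bind S3PROXY_HOST; the defaults below are the documented ones.
    host=${S3PROXY_HOST:-127.0.0.1}
    port=${S3PROXY_PORT:-9234}
    pport=${S3PROXY_PRESIGNED_PORT:-9235}
    [ "$port" != "$pport" ] || err "S3PROXY_PORT and S3PROXY_PRESIGNED_PORT are both $port"
    case $host in
        127.*|localhost|::1) ;;
        *) warn "S3PROXY_HOST=$host: main port $port listens beyond loopback, not only presigned port $pport" ;;
    esac
    exit "$rc"
)
```

Call check_s3proxy_env in the launch script and stop on a non-zero status; WARN lines do not change the status.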