Configuring the S3 Proxy
An instance of the S3 proxy corresponds to a single tenant in the Antimatter system. The proxy must be configured to interact both with your Antimatter domain and with your AWS account. A number of environment variables configure the Antimatter-specific settings, the AWS settings, the configuration test settings, and the general S3 proxy settings.
Antimatter Configuration
These are the domain ID and API key of the Antimatter account used to encrypt and decrypt the data in Antimatter capsules.
ANTIMATTER_DOMAIN_ID
ANTIMATTER_API_KEY
The read and write contexts for the Antimatter domain. If not set, the 'default' contexts will be used.
ANTIMATTER_READ_CONTEXT
ANTIMATTER_WRITE_CONTEXT
Because the S3 proxy endpoint for presigned URLs will generally be publicly accessible, the AWS presigned URL is wrapped in an Antimatter presigned URL. The Antimatter metadata is signed using a pre-configured presign secret key. If this is not defined, ANTIMATTER_API_KEY will be used for signing URLs.
ANTIMATTER_PRESIGN_SECRET
AWS Configuration
The AWS region of the bucket(s) that will be interacted with.
AWS_REGION
If using an AWS access key, set the access key ID and secret.
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
Otherwise, if using a service account, set the location of the web ID token file, and optionally set the role ARN.
AWS_WEB_IDENTITY_TOKEN_FILE
AWS_ROLE_ARN
To override the default expiry of AWS presigned URLs, set:
AWS_S3_EXPIRES
The endpoint URL to use for AWS can be explicitly set.
AWS_ENDPOINT_URL
If no AWS_ENDPOINT_URL is set, the transfer acceleration and FIPS mode flags can be set to direct which AWS URL should be used.
AWS_S3_TRANSFER_ACCELERATION_ENABLED
AWS_S3_FIPS_MODE
Configuration Test Settings
To catch configuration errors with AWS or Antimatter on startup, the configuration health check can be enabled to test general operations that are expected to succeed when the S3 proxy starts up. There are two environment variables, and both must be set to enable the configuration health check:
TEST_BUCKET
TEST_KEY_PREFIX
TEST_BUCKET is the S3 bucket to interact with, and TEST_KEY_PREFIX is the prefix of the object keys to interact with.
Any files in the TEST_BUCKET matching the TEST_KEY_PREFIX are subject to deletion by the configuration test. Objects will be deleted from TEST_BUCKET where object key 'k' starts with TEST_KEY_PREFIX and the remainder of k matches the randomly generated file name pattern.
Assign these values carefully!
The configuration test will attempt to:
- Clean up old objects in TEST_BUCKET with key matching TEST_KEY_PREFIX + generated remainder
- PutObject - put a new object to TEST_BUCKET with key TEST_KEY_PREFIX + new generated remainder
- CopyObject - copy the new object to TEST_BUCKET with key TEST_KEY_PREFIX + new generated remainder
- GetObject - get the new objects
- DeleteObject - delete the new objects
Enabling the configuration test is strongly recommended as the S3 proxy will not report as healthy if the configuration test does not successfully pass.
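The key-selection rule above is what makes TEST_KEY_PREFIX safe or dangerous: only keys that start with the prefix and whose remainder matches the generated file name pattern are deleted. The following is an added example, not the Antimatter project's code, that simulates the five steps of the configuration test against an in-memory bucket so the rule can be checked before pointing the proxy at a real bucket. The shape of the generated remainder (`GENERATED_RE`) is an assumption; this page does not document the real pattern.

```python
"""Hypothetical simulation of the S3 proxy configuration test.

Added example, not Antimatter's code. The generated-remainder pattern below is
an assumption; the page only states that objects are deleted where the key
starts with TEST_KEY_PREFIX and the remainder matches the randomly generated
file name pattern."""
import re
import secrets

# Assumed pattern for the generated part of a test key.
GENERATED_RE = re.compile(r"^s3proxy-config-test-[0-9a-f]{16}$")


def generate_remainder() -> str:
    """Produce a fresh remainder matching GENERATED_RE (constructed format)."""
    return "s3proxy-config-test-" + secrets.token_hex(8)


def is_test_object(key: str, prefix: str) -> bool:
    """True if the configuration test would consider this key its own and delete it."""
    if not key.startswith(prefix):
        return False
    return GENERATED_RE.match(key[len(prefix):]) is not None


def run_config_test(bucket: dict, prefix: str) -> dict:
    """Drive the test steps against an in-memory bucket (dict of key -> bytes).

    Returns which keys were cleaned up and which were created; raises
    RuntimeError if the GetObject check fails."""
    # 1. Clean up leftovers from earlier runs: prefix + generated remainder only.
    cleaned = [k for k in list(bucket) if is_test_object(k, prefix)]
    for k in cleaned:
        del bucket[k]

    # 2. PutObject: a new object under prefix + new generated remainder.
    payload = b"s3proxy-config-test"
    src = prefix + generate_remainder()
    bucket[src] = payload

    # 3. CopyObject: copy it to prefix + another generated remainder.
    dst = prefix + generate_remainder()
    bucket[dst] = bucket[src]

    # 4. GetObject: both objects must read back intact.
    if bucket.get(src) != payload or bucket.get(dst) != payload:
        raise RuntimeError("GetObject check failed")

    # 5. DeleteObject: remove both test objects.
    del bucket[src]
    del bucket[dst]
    return {"cleaned": cleaned, "created": [src, dst]}


if __name__ == "__main__":
    # Constructed bucket contents: one stale test object, one unrelated file.
    demo = {
        "healthchecks/s3proxy-config-test-0123456789abcdef": b"stale",
        "healthchecks/important-report.csv": b"keep",
    }
    print(run_config_test(demo, "healthchecks/"))
    print(sorted(demo))  # the report survives; the stale test object does not
```

Pointing the prefix at a location that already holds objects is safe only as long as none of them happen to match the generated pattern, so a dedicated prefix such as `healthchecks/` is the conservative choice.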
Proxy General Configuration
The host and port to listen on. Host defaults to 127.0.0.1, and port to 9234.
S3PROXY_HOST
S3PROXY_PORT
A separate listener for presigned URLs runs on S3PROXY_HOST:S3PROXY_PRESIGNED_PORT. This is run separately as presigned URL endpoints will often be publicly accessible. The default presigned port is 9235.
S3PROXY_PRESIGNED_PORT
The S3 proxy has endpoints for generating presigned URLs. Generally it is more efficient to do this locally rather than making an extra network call (and examples of this are provided in S3 Proxy Usage), but if using the presigned URL generating endpoints, the externally accessible address of the S3 proxy must be set. Otherwise, the generated presigned URL will be http://S3PROXY_HOST:S3PROXY_PRESIGNED_PORT/am-presigned/HTTP_METHOD/?QUERY_PARAMS
S3PROXY_PRESIGNED_ADDRESS
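The defaults and fallbacks described across the sections above (default contexts, API key used as presign secret, access key versus web identity credentials, both TEST_ variables required, listener defaults, and the presigned URL shape) are easy to get subtly wrong in a deployment. The following pre-flight resolver is an added example, not the Antimatter project's own code: it reads the documented variables from an environment mapping, applies the documented defaults, and reports the caveats a deployer would want to see. The warning texts, the `aws_auth` labels and the `sdk_default` case are assumptions; the proxy's own parsing may differ.

```python
"""Hypothetical pre-flight resolver for the S3 proxy environment variables.

Added example, not Antimatter's code. Defaults and fallbacks follow the page;
warning wording and the aws_auth labels are assumptions."""
from dataclasses import dataclass, field
from typing import Mapping


@dataclass
class ProxyConfig:
    domain_id: str
    api_key: str
    read_context: str
    write_context: str
    presign_secret: str
    aws_region: str
    aws_auth: str            # assumed label: "access_key", "web_identity" or "sdk_default"
    host: str
    port: int
    presigned_port: int
    presigned_address: str
    config_test_enabled: bool
    warnings: list = field(default_factory=list)


def resolve_config(env: Mapping[str, str]) -> ProxyConfig:
    """Resolve settings from an environment mapping.

    Raises ValueError when a value the page presents as required (domain ID,
    API key, region) is missing; everything else becomes a default or a warning."""
    def get(name: str) -> str:
        return (env.get(name) or "").strip()

    def required(name: str) -> str:
        value = get(name)
        if not value:
            raise ValueError(f"{name} must be set")
        return value

    warnings: list[str] = []
    domain_id = required("ANTIMATTER_DOMAIN_ID")
    api_key = required("ANTIMATTER_API_KEY")

    # Contexts fall back to 'default'; the presign secret falls back to the API key.
    read_context = get("ANTIMATTER_READ_CONTEXT") or "default"
    write_context = get("ANTIMATTER_WRITE_CONTEXT") or "default"
    presign_secret = get("ANTIMATTER_PRESIGN_SECRET")
    if not presign_secret:
        presign_secret = api_key
        warnings.append("ANTIMATTER_PRESIGN_SECRET not set; presigned URLs will be "
                        "signed with ANTIMATTER_API_KEY")

    aws_region = required("AWS_REGION")
    # Credentials: a static key pair, or a web identity token file (role ARN optional).
    key_id, secret = get("AWS_ACCESS_KEY_ID"), get("AWS_SECRET_ACCESS_KEY")
    if key_id or secret:
        if not (key_id and secret):
            raise ValueError("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together")
        aws_auth = "access_key"
    elif get("AWS_WEB_IDENTITY_TOKEN_FILE"):
        aws_auth = "web_identity"
    else:
        aws_auth = "sdk_default"  # assumption: nothing explicit was configured
        warnings.append("no AWS credentials configured explicitly")

    # The configuration health check is enabled only when both variables are set.
    test_bucket, test_prefix = get("TEST_BUCKET"), get("TEST_KEY_PREFIX")
    config_test_enabled = bool(test_bucket and test_prefix)
    if bool(test_bucket) != bool(test_prefix):
        warnings.append("only one of TEST_BUCKET/TEST_KEY_PREFIX is set; "
                        "configuration test remains disabled")
    if not config_test_enabled:
        warnings.append("configuration test disabled; AWS/Antimatter misconfiguration "
                        "will not be caught at startup")

    host = get("S3PROXY_HOST") or "127.0.0.1"
    port = int(get("S3PROXY_PORT") or 9234)
    presigned_port = int(get("S3PROXY_PRESIGNED_PORT") or 9235)
    # Without an external address, generated URLs point at the listener itself.
    presigned_address = get("S3PROXY_PRESIGNED_ADDRESS") or f"http://{host}:{presigned_port}"
    if not get("S3PROXY_PRESIGNED_ADDRESS"):
        warnings.append(f"S3PROXY_PRESIGNED_ADDRESS not set; generated presigned URLs will "
                        f"use {presigned_address}, the listener address rather than an "
                        "externally accessible one")

    return ProxyConfig(domain_id, api_key, read_context, write_context, presign_secret,
                       aws_region, aws_auth, host, port, presigned_port, presigned_address,
                       config_test_enabled, warnings)


def presigned_url(cfg: ProxyConfig, http_method: str, query_params: str) -> str:
    """URL shape the presigned-URL endpoints produce, per the page:
    <address>/am-presigned/<HTTP_METHOD>/?<QUERY_PARAMS>."""
    return f"{cfg.presigned_address.rstrip('/')}/am-presigned/{http_method}/?{query_params}"


if __name__ == "__main__":
    import os
    cfg = resolve_config(os.environ)
    for w in cfg.warnings:
        print("warning:", w)
    print(presigned_url(cfg, "GET", "X-Amz-Signature=PLACEHOLDER"))
```

Run it with the same environment the proxy will receive (for example via `env -i` plus the variables from the deployment manifest) and treat any warning about the presign secret or the presigned address as something to resolve before exposing the presigned listener publicly.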