Skip to content

Files

Latest commit

 

History

History
115 lines (104 loc) · 4.18 KB

config-fields-storage-aws.adoc

File metadata and controls

115 lines (104 loc) · 4.18 KB

AWS S3 storage

The following YAML shows a sample configuration using AWS S3 storage.

# ...
DISTRIBUTED_STORAGE_CONFIG:
  default:
    - S3Storage (1)
    - host: s3.us-east-2.amazonaws.com
      s3_access_key: ABCDEFGHIJKLMN
      s3_secret_key: OL3ABCDEFGHIJKLMN
      s3_bucket: quay_bucket
      s3_region: <region> (2)
      storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default
# ...

  1. The S3Storage storage driver should only be used for AWS S3 buckets. Note that this differs from general S3 access, where the RadosGW driver or other storage services can be used. For an example, see "Example B: Using RadosGW with general S3 access".

  2. Optional. The Amazon Web Services region. Defaults to us-east-1.

AWS STS S3 storage

The following YAML shows an example configuration for using Amazon Web Services (AWS) Security Token Service (STS) with {productname-ocp} configurations.

# ...
DISTRIBUTED_STORAGE_CONFIG:
   default:
    - STSS3Storage
    - sts_role_arn: <role_arn> (1)
      s3_bucket: <s3_bucket_name>
      storage_path: <storage_path>
      sts_user_access_key: <s3_user_access_key> (2)
      sts_user_secret_key: <s3_user_secret_key> (3)
      s3_region: <region> (4)
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default
# ...

  1. The unique Amazon Resource Name (ARN).

  2. The generated AWS S3 user access key.

  3. The generated AWS S3 user secret key.

  4. Optional. The Amazon Web Services region. Defaults to us-east-1.

AWS Cloudfront storage

Use the following example when configuring AWS Cloudfront for your {productname} deployment.

Note

  • When configuring AWS Cloudfront storage, the following conditions must be met for proper use with {productname}:

    • You must set an Origin path that is consistent with {productname}'s storage path as defined in your config.yaml file. Failure to meet this require results in a 403 error when pulling an image. For more information, see Origin path.

    • You must configure a Bucket policy and a Cross-origin resource sharing (CORS) policy.
Cloudfront S3 example YAML
DISTRIBUTED_STORAGE_CONFIG:
    default:
      - CloudFrontedS3Storage
      - cloudfront_distribution_domain: <CLOUDFRONT_DISTRIBUTION_DOMAIN>
        cloudfront_key_id: <CLOUDFRONT_KEY_ID>
        cloudfront_privatekey_filename: <CLOUDFRONT_PRIVATE_KEY_FILENAME>
        host: <S3_HOST>
        s3_access_key: <S3_ACCESS_KEY>
        s3_bucket: <S3_BUCKET_NAME>
        s3_secret_key: <S3_SECRET_KEY>
        storage_path: <STORAGE_PATH>
        s3_region: <S3_REGION>
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS:
  - default
DISTRIBUTED_STORAGE_PREFERENCE:
  - default
Bucket policy example
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:user/CloudFront Origin Access Identity <CLOUDFRONT_OAI_ID>" (1) (2)
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<S3_BUCKET_NAME>/*" (3)
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:user/CloudFront Origin Access Identity <CLOUDFRONT_OAI_ID>" (1) (2)
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<S3_BUCKET_NAME>"
        }
    ]
}

  1. The identifier, or account ID, of the AWS account that owns the CloudFront OAI and S3 bucket.

  2. The CloudFront Origin Access Identity (OAI) that accesses the S3 bucket.

  3. Specifies that CloudFront can access all objects (/*) inside of the S3 bucket.