# S3 S3 resources represent bucket-based object storage exposed via the S3 protocol. This includes AWS S3, Scaleway Object Storage, MinIO, and any other S3-compatible storage system. ## Configuration S3 resources can be configured as a source, store, or destination connector. ### Access Key and Secret Access Key The access key and secret access key used to authenticate with the S3 endpoint. ### Integration Automatically set to the S3 integration for any resource with `class` Object Storage and `subclass` S3. ### Hostname Optional. Hint Plakar Control Plane how to reach the resource in case the hostname is ambiguous. Control Plane suggests hostnames discovered from the inventory, for example `plakar-staging-data.s3.eu-west-3.amazonaws.com` for AWS S3 or `s3.fr-par.scw.cloud` for Scaleway Object Storage. ### Root Optional. The bucket path prefix Plakar Control Plane uses when reading and writing objects. When the bucket name is not part of the hostname, the bucket name needs to be provided here as a path prefix, for example `/bucket-name` for Scaleway. When the bucket name is already in the hostname, this can be left as `/`. ### Endpoint Optional. The S3 service URL. Only needed when the bucket name contains a dot, which breaks virtual host-style URL resolution. For example, for an AWS S3 bucket named `eu.mybucket`, set this to `https://s3.amazonaws.com` and enable Virtual Host. Not needed for Scaleway Object Storage. ### Port Optional. The TCP port to connect on. Only needed when the endpoint runs on a non-standard port, for example `9000` for a local MinIO instance. AWS S3 and Scaleway Object Storage use the standard HTTPS port and do not require this to be set. ### SSE Customer Key Optional. A Base64-encoded 256-bit (32-byte) customer-provided AES-256 key for SSE-C server-side encryption. Only needed if the bucket is configured to require customer-provided encryption keys. ### Virtual Host Optional. Tells Plakar Control Plane whether the bucket name is part of the hostname. For AWS S3, the bucket name is included in the hostname by default e.g `plakar-staging-data.s3.eu-west-3.amazonaws.com` so this should be enabled. For Scaleway Object Storage, the hostname is just the endpoint e.g `s3.fr-par.scw.cloud` so this should be disabled. ### Use TLS Optional. Enables TLS when connecting to the S3 endpoint. Should be enabled whenever communicating over the internet, such as with AWS S3 or Scaleway Object Storage. For local endpoints like MinIO on `localhost:9000` this is not needed. ### TLS Insecure No Verify Optional. Disables TLS certificate verification. This should only ever be used for testing, enabling it in production means Plakar Control Plane will not verify the identity of the endpoint it is connecting to. ## Additional configuration ### Source #### Environment Optional. The SLA environment covering this source, for example production, staging, or development. See the [policies documentation](../../../operations/policies) for more details. #### Data Class Optional. The SLA data class covering this source, for example critical, database, or PII. See the [policies documentation](../../../operations/policies) for more details. ### Store #### Passphrase The passphrase Plakar Control Plane uses to encrypt the store. This passphrase is required to access the store and must be kept safe. ## Permissions ### AWS Plakar Control Plane requires a set of IAM permissions to access your S3 bucket(s). These permissions should be attached to an IAM user or role that Plakar will use to authenticate. See the documentation on [Managing IAM Roles, Users, and Access Keys on AWS](../../../guides/aws/iam-users-roles-and-access-keys) for instructions on how to set up the permissions and generate an access key and secret access key. | Permission | Description | | ---------------------------- | ------------------------------------------- | | `s3:ListBucket` | List objects in a bucket | | `s3:GetObject` | Read object content | | `s3:GetObjectVersion` | Read a specific version of an object | | `s3:GetObjectTagging` | Read object tags | | `s3:GetObjectVersionTagging` | Read tags on a specific object version | | `s3:GetBucketLocation` | Know which region the bucket is in | | `s3:GetBucketVersioning` | Know if versioning is enabled | | `s3:PutObject` | Write backup data or restored objects | | `s3:PutObjectTagging` | Write tags on objects (metadata, retention) | | `s3:DeleteObject` | Prune old backups or clean before restore | | `s3:PutBucketVersioning` | Restore versioning config to match original | ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:GetBucketLocation", "s3:GetBucketVersioning", "s3:PutObject", "s3:PutObjectTagging", "s3:DeleteObject", "s3:PutBucketVersioning" ], "Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"] } ] } ``` ### Scaleway Plakar Control Plane requires a set of IAM permissions on your Scaleway project to access Object Storage. These permissions should be attached to an IAM application that Plakar Control Plane will use to authenticate. See the documentation on [Managing IAM Policies and API Keys on Scaleway](../../../guides/scaleway/iam-and-api-keys) for instructions on how to set up the permissions and generate an access key and secret access key. | Permission | Description | | ---------------------------- | --------------------------------------------------------------------------------- | | `ObjectStorageBucketsRead` | Read access to buckets and bucket configuration including lifecycle rules | | `ObjectStorageBucketsWrite` | Access to create and edit buckets, bucket configuration including lifecycle rules | | `ObjectStorageObjectsRead` | Read access to objects, tags, metadata and storage class | | `ObjectStorageObjectsWrite` | Access to create and edit objects, tags, metadata and storage class | | `ObjectStorageObjectsDelete` | Access to delete objects |