Amazon S3 permissions
For configuration options, refer to the storage section on the configuration page.
The following authentication methods are supported:
- AWS environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
- Static access key and secret credentials specified in `access_key` and `secret_key`
- MinIO environment variables `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY`
- AWS shared credentials configuration file
- MinIO client credentials configuration file
- AWS IAM (IRSA via WebIdentity, AWS EC2 instance role)
- AWS EKS Pod Identity
The following IAM policy shows the minimal permissions Tempo requires, assuming the bucket has already been created.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TempoPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::<bucketname>/*",
        "arn:aws:s3:::<bucketname>"
      ]
    }
  ]
}
```
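One way to check a deployed policy against the minimal set above, as an added example that is not part of the Tempo documentation. The `audit_policy` helper, the finding labels and the `tempo-traces` bucket name are assumptions made for illustration.

```python
import fnmatch
import json

# Minimal action set taken from the policy on this page.
TEMPO_ACTIONS = {
    "s3:PutObject", "s3:GetObject", "s3:ListBucket",
    "s3:DeleteObject", "s3:GetObjectTagging", "s3:PutObjectTagging",
}

def as_list(value):
    """IAM accepts a single string/object or a list for these fields."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_policy(policy, bucket):
    """Return sorted (kind, value) findings for the Allow statements."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings, covered = set(), set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; * and ? are wildcards.
            hits = {a for a in TEMPO_ACTIONS
                    if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            covered |= hits
            if "*" in pattern or "?" in pattern:
                findings.add(("wildcard-action", pattern))
            elif not hits:
                findings.add(("extra-action", pattern))
        for resource in as_list(stmt.get("Resource", [])):
            # Flag any resource other than the two ARNs in the page's policy.
            if resource not in expected:
                findings.add(("broad-resource", resource))
    findings |= {("missing-action", a) for a in TEMPO_ACTIONS - covered}
    return sorted(findings)

# Constructed sample policy (not from the page); bucket name is hypothetical.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket"],
        "Resource": "arn:aws:s3:::tempo-traces*",
    },
}

if __name__ == "__main__":
    for kind, value in audit_policy(SAMPLE, "tempo-traces"):
        print(f"{kind}: {value}")
```

The trailing wildcard in `arn:aws:s3:::tempo-traces*` is flagged because it also matches any other bucket whose name starts with the same prefix.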
Lifecycle policy
A lifecycle policy that deletes incomplete multipart uploads after one day is recommended.