Amazon S3
This page describes configuration when using Amazon S3 for object storage with IAM role authentication.
IAM Role Authentication
For Anchore to use an AWS IAM role, the environment it runs in (such as an EC2 instance, ECS task, or Kubernetes pod) must have an AWS IAM role with the necessary S3 bucket permissions:
"Action": [
"s3:PutObject*",
"s3:GetObject*",
"s3:DeleteObject*",
],
In the storage_driver section of your values.yaml file, set the iamauto parameter to true:
    services:
      catalog:
        archive:
          storage_driver:
            name: 's3'
            config:
              iamauto: true
With iamauto: true, Anchore automatically adopts the IAM role of its host environment. This is the most secure method for granting Amazon S3 access, as it removes the need to store credentials such as ACCESS_KEY and SECRET_KEY in configuration files.
Other S3 Configuration Options
Below are other configurable parameters for the Anchore S3 driver:
compression - the Anchore S3 driver supports document compression to reduce storage space. Set enabled to true to enable compression or false to disable it; min_size_kbytes sets the minimum document size in kilobytes for a document to be compressed.
    config:
      ...
      compression:
        enabled: true
        min_size_kbytes: 1
region - the AWS region of your Amazon S3 bucket. It is required if url is not specified.
bucket - the name of the Amazon S3 bucket for Anchore's data storage.
create_bucket - if set to true, Anchore will attempt to create the bucket if it doesn't exist. It is, however, recommended to pre-create the bucket.
Example
Here is a full configuration example for the S3 driver using IAM role authentication:
    services:
      catalog:
        archive:
          storage_driver:
            name: 's3'
            config:
              # AWS IAM role authentication
              iamauto: true
              # Amazon S3 bucket configuration
              region: 'us-east-1'
              bucket: 'my-anchore-data'
              create_bucket: false
              # Optional compression
              compression:
                enabled: true
                min_size_kbytes: 1
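As an added example (not part of the Anchore documentation or code base), a small Python check that applies the rules above to a parsed storage_driver block: IAM role authentication in use, no static credentials, region or url present, bucket set, and create_bucket not relied on. It assumes the static-credential keys are spelled access_key and secret_key in the config, and the sample blocks are constructed.

```python
"""Check an Anchore S3 storage_driver block against the rules described above.
Example code, not Anchore's own; key names access_key/secret_key are assumed."""

# Constructed sample: a block that embeds static credentials (weak) ...
WEAK_CONFIG = {
    "name": "s3",
    "config": {
        "access_key": "ACCESS_KEY_PLACEHOLDER",   # placeholder, not a real key
        "secret_key": "SECRET_KEY_PLACEHOLDER",   # placeholder, not a real key
        "bucket": "my-anchore-data",
        "create_bucket": True,
    },
}

# ... and the IAM-role form shown in the documentation example above.
IAM_CONFIG = {
    "name": "s3",
    "config": {
        "iamauto": True,
        "region": "us-east-1",
        "bucket": "my-anchore-data",
        "create_bucket": False,
        "compression": {"enabled": True, "min_size_kbytes": 1},
    },
}


def check_s3_driver(driver: dict) -> list:
    """Return a list of findings; an empty list means the block is acceptable."""
    findings = []
    if driver.get("name") != "s3":
        return ["storage driver is %r, not 's3'" % driver.get("name")]
    cfg = driver.get("config", {})
    # Rely on the host's IAM role rather than credentials in the config file.
    if cfg.get("iamauto") is not True:
        findings.append("iamauto is not true; IAM role authentication is not in use")
    for key in ("access_key", "secret_key"):   # assumed key names
        if key in cfg:
            findings.append("static credential %r present in configuration" % key)
    # region is required when url is not specified.
    if not cfg.get("region") and not cfg.get("url"):
        findings.append("neither region nor url is set")
    if not cfg.get("bucket"):
        findings.append("bucket is not set")
    # The documentation recommends pre-creating the bucket.
    if cfg.get("create_bucket") is True:
        findings.append("create_bucket is true; pre-create the bucket instead")
    return findings
```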