Amazon S3

This page describes configuration when using Amazon S3 for object storage with IAM role authentication.

IAM Role Authentication

For Anchore to use an AWS IAM role, the environment it runs in (an EC2 instance, ECS task, or Kubernetes pod) must be assigned an IAM role whose policy allows the following actions on the S3 bucket. Scope the Resource to the objects in the bucket Anchore uses rather than to all buckets; <bucket-name> below is a placeholder for your bucket:

  {
      "Effect": "Allow",
      "Action": [
          "s3:PutObject*",
          "s3:GetObject*",
          "s3:DeleteObject*"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*"
  }

In the storage_driver section of your configuration (config.yaml for docker-compose, or the anchoreConfig block of values.yaml for Helm), set the iamauto parameter to true:

services:
  catalog:
    object_store:
      storage_driver:
        name: 's3'
        config:
          iamauto: true

With iamauto: true, Anchore obtains credentials from the IAM role of its host environment. This is the most secure way to grant Amazon S3 access because no long-lived credentials such as ACCESS_KEY and SECRET_KEY need to be stored in configuration files. In docker-compose deployments the containers inherit the EC2 instance profile role of the host. For Helm deployments there are several ways to assign the IAM role to Anchore:

  • Pod Identity
  • IRSA
  • EKS Worker Role (least secure, since every pod on the node shares the role)

For Pod Identity and IRSA, designate the Kubernetes service account that is bound to the role in the Helm values file:

serviceAccountName: "anchore-sa" # This should match the name of the service account created in EKS

If the same IAM role is also used to grant access to ECR, the S3 permissions and the ECR permissions must be combined in that one role.

Note that when running the OSAA migration, serviceAccountName must also be set on the OSAAMigrationJob itself. This gives the migration job access to S3; it does not, however, allow the job to spin down the Anchore pods during the migration.

Other S3 Configuration Options

Below are other configurable parameters for the S3 object store:

compression - stored documents can be compressed to reduce storage space. enabled turns compression on (true) or off (false); min_size_kbytes is the minimum document size, in kilobytes, below which a document is stored uncompressed. As in the full examples further down, the compression block sits under object_store alongside storage_driver:

    object_store:
      ...
      compression:
        enabled: true
        min_size_kbytes: 100

region - the AWS region of your Amazon S3 bucket. Required if url is not specified.

bucket - the name of the Amazon S3 bucket for Anchore's data storage.

create_bucket - if set to true, Anchore will attempt to create the bucket if it does not exist. Pre-creating the bucket is recommended; it also lets the IAM role be kept to the object-level permissions listed above, since creating a bucket requires the additional s3:CreateBucket permission.
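The following script is an added example, not part of Anchore or of this page. It checks an IAM policy document against the storage_driver.config block: it confirms that the three object actions listed under IAM Role Authentication are allowed on the configured bucket's objects, that s3:CreateBucket is present only when create_bucket is true, that no explicit Deny blocks a required action, and that no Resource pattern is broader than the bucket. The policy and config it reads are constructed here to mirror the page's example values; the bucket name, the probe ARN and the function names are the example's own assumptions, and NotAction/NotResource statements are not handled.

```python
"""Check an IAM policy against an Anchore S3 storage_driver config (added example)."""
import fnmatch
import json

# Object-level actions the S3 driver needs (the permissions listed on this page).
OBJECT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")
# Creating the bucket is an AWS requirement only when create_bucket: true.
BUCKET_ACTIONS = ("s3:CreateBucket",)

# Constructed sample policy: the page's three object actions, scoped to one bucket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject*", "s3:GetObject*", "s3:DeleteObject*"],
      "Resource": "arn:aws:s3:::my-anchore-data/*"
    }
  ]
}
""")

# Constructed sample: the storage_driver.config values used in the page's examples.
SAMPLE_CONFIG = {"iamauto": True, "region": "us-east-1",
                 "bucket": "my-anchore-data", "create_bucket": False}


def required_actions(s3_config):
    """Actions the role must allow for this config, each paired with the ARN it acts on."""
    bucket = s3_config["bucket"]
    # A representative object key; an object ARN needs the trailing /* in the policy.
    needed = [(a, f"arn:aws:s3:::{bucket}/anchore-object") for a in OBJECT_ACTIONS]
    if s3_config.get("create_bucket"):
        needed += [(a, f"arn:aws:s3:::{bucket}") for a in BUCKET_ACTIONS]
    return needed


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM matches Action and Resource as case-insensitive globs with * and ?.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_covers(stmt, action, arn):
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return (any(_glob(p, action) for p in actions)
            and any(_glob(p, arn) for p in resources))


def check_policy(policy, s3_config):
    """Return {'missing': [...], 'overbroad': [...]} for the policy against the config.

    missing:   required actions no Allow statement grants on the bucket, or that an
               explicit Deny blocks (an explicit Deny always wins in IAM).
    overbroad: Allow Resource patterns that also match objects in unrelated buckets.
    """
    statements = _as_list(policy.get("Statement"))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]

    missing = []
    for action, arn in required_actions(s3_config):
        granted = any(_statement_covers(s, action, arn) for s in allows)
        denied = any(_statement_covers(s, action, arn) for s in denies)
        if not granted or denied:
            missing.append(action)

    # Heuristic (assumed probe name): a pattern that matches an object in a bucket
    # Anchore never uses is not scoped to the configured bucket.
    probe = "arn:aws:s3:::some-other-bucket/probe-object"
    overbroad = sorted({p for s in allows for p in _as_list(s.get("Resource"))
                        if _glob(p, probe)})
    return {"missing": missing, "overbroad": overbroad}


if __name__ == "__main__":
    print(json.dumps(check_policy(SAMPLE_POLICY, SAMPLE_CONFIG), indent=2))
```

Run it against the real policy attached to the role before deploying: an empty `missing` list with `create_bucket: false` and an empty `overbroad` list is the least-privilege outcome; a Resource that names only the bucket ARN without `/*` shows up as every object action missing, which is the most common reason an iamauto deployment fails with access denied despite the role being attached.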

Example

Here is a full configuration example for the S3 driver using IAM role authentication (config.yaml as used with docker-compose):

services:
  catalog:
    object_store:
      verify_content_digests: true
      storage_driver:
        name: 's3'
        config:
          # AWS IAM role authentication
          iamauto: true
          # Amazon S3 bucket configuration
          region: 'us-east-1'
          bucket: 'my-anchore-data'
          create_bucket: false
      # Optional compression
      compression:
        enabled: true
        min_size_kbytes: 100

Helm chart values for a Kubernetes deployment:

anchoreConfig:
  catalog:
    object_store:
      verify_content_digests: true
      storage_driver:
        name: 's3'
        config:
          # AWS IAM role authentication
          iamauto: true
          # Amazon S3 bucket configuration
          region: 'us-east-1'
          bucket: 'my-anchore-data'
          create_bucket: false
      # Optional compression
      compression:
        enabled: true
        min_size_kbytes: 100

Last modified November 19, 2025