Amazon S3 permissions

For configuration options, refer to the storage section on the configuration page.

The following authentication methods are supported:

AWS environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
Static access key and secret credentials specified in access_key and secret_key
MinIO environment variables MINIO_ACCESS_KEY and MINIO_SECRET_KEY
AWS shared credentials configuration file
MinIO client credentials configuration file
AWS IAM (IRSA via WebIdentity,
AWS EC2 instance role)
AWS EKS Pod Identity

The following IAM policy shows minimal permissions required by Tempo, where the bucket has already been created.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TempoPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": ["arn:aws:s3:::<bucketname>/*", "arn:aws:s3:::<bucketname>"]
    }
  ]
}

Lifecycle policy

A lifecycle policy is recommended that deletes incomplete multipart uploads after one day.

Was this page helpful?

Suggest an edit in GitHub

Create a GitHub issue

Email docs@grafana.com

Help and support

Community

Amazon S3 permissions

Lifecycle policy

Was this page helpful?

Related resources from Grafana Labs