S3 Configuration
S3 backend is configured in the storage block. Tempo requires a dedicated bucket since it maintains a top-level object structure and does not support a custom prefix to nest within a shared bucket.
storage:
trace:
backend: s3 # store traces in s3
s3:
bucket: tempo # store traces in this bucket
endpoint: s3.dualstack.us-east-2.amazonaws.com # api endpoint
region: us-east-2 # optional. By default the region is inferred from the endpoint
# but is required for some S3-compatible storage engines.
access_key: ... # optional. access key when using static credentials.
secret_key: ... # optional. secret key when using static credentials.
insecure: false # optional. enable if endpoint is http
forcepathstyle: false # optional. enable to use path-style requests.
Permissions
The following authentication methods are supported:
- AWS environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- Static access key and secret credentials specified in
access_keyandsecret_key - MinIO environment variables MINIO_ACCESS_KEY and MINIO_SECRET_KEY
- AWS shared credentials configuration file
- MinIO client credentials configuration file
- AWS IAM ( IRSA via WebIdentity,
- AWS EC2 instance role)
The following IAM policy shows minimal permissions required by Tempo, where the bucket has already been created.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TempoPermissions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetObjectTagging",
"s3:PutObjectTagging"
],
"Resource": [
"arn:aws:s3:::<bucketname>/*",
"arn:aws:s3:::<bucketname>"
]
}
]
}
Lifecycle Policy
A lifecycle policy is recommended that deletes incomplete multipart uploads after one day.
