S3 Configuration

S3 backend is configured in the storage block. Tempo requires a dedicated bucket since it maintains a top-level object structure and does not support a custom prefix to nest within a shared bucket.

        backend: s3                                         # store traces in s3
            bucket: tempo                                   # store traces in this bucket
            endpoint:  # api endpoint
            region: us-east-2                               # optional. By default the region is inferred from the endpoint
                                                            #           but is required for some S3-compatible storage engines.
            access_key: ...                                 # optional. access key when using static credentials. 
            secret_key: ...                                 # optional. secret key when using static credentials.
            insecure: false                                 # optional. enable if endpoint is http
            forcepathstyle: false                           # optional. enable to use path-style requests.


The following authentication methods are supported:

The following IAM policy shows minimal permissions required by Tempo, where the bucket has already been created.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "TempoPermissions",
            "Effect": "Allow",
            "Action": [
            "Resource": [

Lifecycle Policy

A lifecycle policy is recommended that deletes incomplete multipart uploads after one day.