
S3 Configuration

The S3 backend is configured in the storage block. Tempo requires a dedicated bucket because it maintains a top-level object structure and does not support a custom prefix for nesting within a shared bucket.

storage:
    trace:
        backend: s3                                         # store traces in s3
        s3:
            bucket: tempo                                   # store traces in this bucket
            endpoint: s3.dualstack.us-east-2.amazonaws.com  # api endpoint
            region: us-east-2                               # optional. By default the region is inferred from the endpoint
                                                            #           but is required for some S3-compatible storage engines.
            access_key: ...                                 # optional. access key when using static credentials. 
            secret_key: ...                                 # optional. secret key when using static credentials.
            insecure: false                                 # optional. enable if endpoint is http
            forcepathstyle: false                           # optional. enable to use path-style requests.

Permissions

The following authentication methods are supported:

The following IAM policy shows the minimal permissions Tempo requires when the bucket has already been created.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TempoPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObjectTagging",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketname>/*",
                "arn:aws:s3:::<bucketname>"
            ]
        }
    ]
}
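
To check that a policy attached to Tempo's credentials grants no more than the minimal one above, a small audit can compare its actions and resources against that list. This is an added example, not part of the Tempo documentation or code base; the function name `audit_tempo_policy` and both sample policies are constructed for illustration.

```python
import json

# The six actions in the minimal policy on this page (IAM action names are case-insensitive).
TEMPO_ACTIONS = {a.lower() for a in (
    "s3:PutObject", "s3:GetObject", "s3:ListBucket",
    "s3:DeleteObject", "s3:GetObjectTagging", "s3:PutObjectTagging")}

def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_tempo_policy(policy_json, bucket):
    """Return findings where the policy grants more than the minimal one; [] means none."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    statements = json.loads(policy_json).get("Statement", [])
    findings = []
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action.lower() not in TEMPO_ACTIONS:
                findings.append(f"{sid}: action {action} is not in the minimal set")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in in_scope:
                findings.append(f"{sid}: resource {resource} is outside bucket {bucket}")
    return findings

# Constructed sample policies; the bucket name "tempo" is the one from the storage block above.
MINIMAL = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TempoPermissions", "Effect": "Allow",
    "Action": sorted(TEMPO_ACTIONS),
    "Resource": ["arn:aws:s3:::tempo/*", "arn:aws:s3:::tempo"]}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Action": ["s3:*", "s3:GetObject", "s3:PutBucketPolicy"],
    "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("MINIMAL", MINIMAL), ("BROAD", BROAD)):
        print(name, audit_tempo_policy(doc, "tempo") or "no findings")
```

The audit only reports over-permission; it does not confirm that all six actions are present, so a policy that is too narrow for Tempo to run will still return no findings.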

Lifecycle Policy

A lifecycle policy that deletes incomplete multipart uploads after one day is recommended.