S3
#S3 resources represent bucket-based object storage exposed via the S3 protocol. This includes AWS S3, Scaleway Object Storage, MinIO, and any other S3-compatible storage system.
Configuration
#S3 resources can be configured as a source, store, or destination connector.
Access Key and Secret Access Key
#The access key and secret access key used to authenticate with the S3 endpoint.
Integration
#Automatically set to the S3 integration for any resource with class Object Storage and subclass S3.
Hostname
#Optional. Hint Plakar Control Plane how to reach the resource in case the hostname is ambiguous. Control Plane suggests hostnames discovered from the inventory, for example plakar-staging-data.s3.eu-west-3.amazonaws.com for AWS S3 or s3.fr-par.scw.cloud for Scaleway Object Storage.
Root
#Optional. The bucket path prefix Plakar Control Plane uses when reading and writing objects. When the bucket name is not part of the hostname, the bucket name needs to be provided here as a path prefix, for example /bucket-name for Scaleway. When the bucket name is already in the hostname, this can be left as /.
Endpoint
#Optional. The S3 service URL. Only needed when the bucket name contains a dot, which breaks virtual host-style URL resolution. For example, for an AWS S3 bucket named eu.mybucket, set this to https://s3.amazonaws.com and enable Virtual Host. Not needed for Scaleway Object Storage.
Port
#Optional. The TCP port to connect on. Only needed when the endpoint runs on a
non-standard port, for example 9000 for a local MinIO instance. AWS S3 and Scaleway Object Storage use the standard HTTPS port and do not require this to be set.
SSE Customer Key
#Optional. A Base64-encoded 256-bit (32-byte) customer-provided AES-256 key for SSE-C server-side encryption. Only needed if the bucket is configured to require customer-provided encryption keys.
Virtual Host
#Optional. Tells Plakar Control Plane whether the bucket name is part of the hostname. For AWS S3, the bucket name is included in the hostname by default e.g
plakar-staging-data.s3.eu-west-3.amazonaws.com so this should be enabled. For
Scaleway Object Storage, the hostname is just the endpoint e.g s3.fr-par.scw.cloud so this should be disabled.
Use TLS
#Optional. Enables TLS when connecting to the S3 endpoint. Should be enabled whenever communicating over the internet, such as with AWS S3 or Scaleway Object Storage. For local endpoints like MinIO on localhost:9000 this is not needed.
TLS Insecure No Verify
#Optional. Disables TLS certificate verification. This should only ever be used for testing, enabling it in production means Plakar Control Plane will not verify the identity of the endpoint it is connecting to.
Additional configuration
#Source
#Environment
#Optional. The SLA environment covering this source, for example production, staging, or development. See the policies documentation for more details.
Data Class
#Optional. The SLA data class covering this source, for example critical, database, or PII. See the policies documentation for more details.
Store
#Passphrase
#The passphrase Plakar Control Plane uses to encrypt the store. This passphrase is required to access the store and must be kept safe.
Permissions
#AWS
#Plakar Control Plane requires a set of IAM permissions to access your S3 bucket(s). These permissions should be attached to an IAM user or role that Plakar will use to authenticate. See the documentation on Managing IAM Roles, Users, and Access Keys on AWS for instructions on how to set up the permissions and generate an access key and secret access key.
| Permission | Description |
|---|---|
s3:ListBucket |
List objects in a bucket |
s3:GetObject |
Read object content |
s3:GetObjectVersion |
Read a specific version of an object |
s3:GetObjectTagging |
Read object tags |
s3:GetObjectVersionTagging |
Read tags on a specific object version |
s3:GetBucketLocation |
Know which region the bucket is in |
s3:GetBucketVersioning |
Know if versioning is enabled |
s3:PutObject |
Write backup data or restored objects |
s3:PutObjectTagging |
Write tags on objects (metadata, retention) |
s3:DeleteObject |
Prune old backups or clean before restore |
s3:PutBucketVersioning |
Restore versioning config to match original |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectTagging",
"s3:GetObjectVersionTagging",
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:PutBucketVersioning"
],
"Resource": ["arn:aws:s3:::your-bucket", "arn:aws:s3:::your-bucket/*"]
}
]
}Scaleway
#Plakar Control Plane requires a set of IAM permissions on your Scaleway project to access Object Storage. These permissions should be attached to an IAM application that Plakar Control Plane will use to authenticate. See the documentation on Managing IAM Policies and API Keys on Scaleway for instructions on how to set up the permissions and generate an access key and secret access key.
| Permission | Description |
|---|---|
ObjectStorageBucketsRead |
Read access to buckets and bucket configuration including lifecycle rules |
ObjectStorageBucketsWrite |
Access to create and edit buckets, bucket configuration including lifecycle rules |
ObjectStorageObjectsRead |
Read access to objects, tags, metadata and storage class |
ObjectStorageObjectsWrite |
Access to create and edit objects, tags, metadata and storage class |
ObjectStorageObjectsDelete |
Access to delete objects |