Sources of type S3 allow imglab to access resources on a specific Amazon S3 bucket or S3 compatible service bucket.
To see how Images API URLs are used with S3 sources, please take a look at the serving images documentation section.
To generate an S3 source follow these steps:
- On imglab go to Sources section and click on Add Source.
- Set a valid Name.
- On Security section select if the source will use secured requests or not.
- On Type section select S3 type.
S3 Source Settings
Under S3 Settings you will see some attributes specific to this type of source:
- Bucket (required): the name of the bucket on your Amazon S3 account or S3 compatible service.
- Region (required): the name of the region where your bucket is located.
- Access Key ID (required): the access key id used to sign requests to access your bucket.
- Secret Access Key (required): the secret access key used to sign requests to access your bucket.
- Endpoint (optional): an endpoint to be used instead of the Amazon S3 default one. This attribute is useful when you want to use S3 compatible services like MinIO, Cloudflare R2, and others. If you are accessing a bucket on AWS S3, leave this attribute empty.
- Prefix (optional): a path prefix that will be added to access objects in the bucket, useful if you want to scope the source to a specific prefix in the bucket.
Once you have your AWS S3 bucket up and working you need to generate a valid Access Key ID and Secret Access Key to be used with imglab. Please follow these steps:
- On your AWS console go to IAM -> Users section.
- Click on Add users.
- Assign a user name and select Access key - Programmatic access as AWS access type.
- Click on Next: Permissions.
- On Set permissions select Attach existing policies directly and select AmazonS3ReadOnlyAccess policy.
- Click on Next: Tags.
- Click on Next: Review.
- Click on Create user.
- Copy and paste Access key ID and Secret access key into your new S3 imglab source form.
To improve security, you can restrict the user to the specific bucket related to the source (instead of all your buckets) by attaching an inline policy with the following steps:
- On your AWS console go to IAM -> Users section.
- Select the user created in the previous section.
- Select Permissions tab and click on Add inline policy.
- On Create Policy section click on JSON and paste the following (replace your-bucket-name with your actual bucket name):

    {
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket",
          "s3:GetBucketLocation"
        ],
        "Resource": [
          "arn:aws:s3:::your-bucket-name/*",
          "arn:aws:s3:::your-bucket-name"
        ]
      }]
    }

- Click on Review policy and assign a name.
- Click on Create policy.
- After that, delete the previous AmazonS3ReadOnlyAccess policy from the user.
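The bucket scoping described above can be checked before the credentials are pasted into the source form. The following is an added example, not code from imglab or AWS: a small auditor that flags anything in a policy document beyond the three read actions on the one bucket. The names `audit_policy`, `BROAD_POLICY` and `NEAR_MISS_POLICY` are hypothetical, and the last two policies are constructed samples.

```python
import json

# Actions granted by the inline policy on this page (IAM action names are case-insensitive).
EXPECTED_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:getbucketlocation"}

# The page's policy, plus two constructed samples for comparison.
PAGE_POLICY = """{"Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
  "Resource": ["arn:aws:s3:::your-bucket-name/*", "arn:aws:s3:::your-bucket-name"]}]}"""
BROAD_POLICY = """{"Statement": [{"Effect": "Allow",
  "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}"""
NEAR_MISS_POLICY = """{"Statement": {"Effect": "Allow",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your-bucket-name*"}}"""


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_json, bucket):
    """Return findings for Allow statements that reach beyond read access to `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
            continue
        for action in as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in EXPECTED_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
        for resource in as_list(stmt.get("Resource", [])):
            # Accept only the bucket ARN itself or object ARNs under "<bucket>/".
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource outside bucket: {resource}")
    return findings


if __name__ == "__main__":
    for name in ("PAGE_POLICY", "BROAD_POLICY", "NEAR_MISS_POLICY"):
        print(name, audit_policy(globals()[name], "your-bucket-name"))
```

The near-miss sample shows why the resource check compares against `<bucket>/` rather than a bare prefix: a trailing `*` directly after the bucket name also matches any other bucket whose name starts with the same characters.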
If your data is stored in MinIO or another S3 compatible service, you can still use the S3 source type by specifying the endpoint where your service is listening. Please follow these steps:
- On imglab go to Sources section and click on Add Source.
- Set a valid Name.
- On Security section select if the source will use secured requests or not.
- On Type section select S3 type.
- Specify the Bucket.
- Specify the Region where your bucket is located.
- Specify the Access Key ID and Secret Access Key.
- Specify the Endpoint where your S3 compatible service is hosted (e.g. https://minio.myorganization.com).