S3 Providers
This guide provides comprehensive configuration instructions for integrating Palmr. with various S3-compatible storage providers. Whether you're using cloud services like AWS S3 or self-hosted solutions like MinIO, this guide will help you set up reliable object storage for your files.
Overview: Palmr. supports any S3-compatible storage provider, giving you flexibility to choose the solution that best fits your needs and budget.
Note: Some configuration options (like presigned URL expiration) apply to all storage types, including filesystem storage. These are marked accordingly in the documentation.
When to use S3-compatible storage
Consider using S3-compatible storage when you need:
- Cloud storage for distributed deployments
- Scalability beyond local filesystem limitations
- Redundancy and backup capabilities
- CDN integration for faster file delivery
- Multi-region file distribution
Environment variables
General configuration (applies to all storage types)
| Variable | Description | Required | Default |
|---|---|---|---|
| PRESIGNED_URL_EXPIRATION | Duration in seconds for presigned URL expiration | No | 3600 (1 hour) |
S3-specific configuration
To enable S3-compatible storage, set ENABLE_S3=true and configure the following environment variables:
| Variable | Description | Required | Default |
|---|---|---|---|
| S3_ENDPOINT | S3 provider endpoint URL | Yes | - |
| S3_PORT | Connection port | No | Based on protocol |
| S3_USE_SSL | Enable SSL/TLS encryption | Yes | true |
| S3_ACCESS_KEY | Access key for authentication | Yes | - |
| S3_SECRET_KEY | Secret key for authentication | Yes | - |
| S3_REGION | Storage region | Yes | - |
| S3_BUCKET_NAME | Bucket/container name | Yes | - |
| S3_FORCE_PATH_STYLE | Use path-style URLs | No | false |
| S3_REJECT_UNAUTHORIZED | Enable strict SSL certificate validation | No | true |
Provider configurations
Below are tested configurations for popular S3-compatible providers. Replace the example values with your actual credentials and settings.
Security Note: Never commit real credentials to version control. Use environment files or secure secret management systems.
AWS S3
Amazon S3 is the original S3 service, offering global availability and extensive features.
Getting credentials:
- Go to AWS IAM Console
- Create a new user with S3 permissions
- Generate access keys for programmatic access
MinIO (Self-hosted)
MinIO is perfect for self-hosted deployments and development environments.
Setup notes:
- Use S3_FORCE_PATH_STYLE=true for MinIO
- Default MinIO port is 9000
- SSL can be disabled for local development
For MinIO with self-signed SSL certificates:
Google Cloud Storage
Google Cloud Storage offers competitive pricing and global infrastructure.
Getting credentials:
- Enable Cloud Storage API in Google Cloud Console
- Create HMAC keys for S3 compatibility
- Use the generated access ID and secret
DigitalOcean Spaces
DigitalOcean Spaces provides simple, scalable object storage.
Available regions:
- nyc3 (New York)
- ams3 (Amsterdam)
- sgp1 (Singapore)
- fra1 (Frankfurt)
Backblaze B2
Backblaze B2 offers cost-effective storage with S3-compatible API.
Cost advantage:
- Significantly lower storage costs
- Free egress to Cloudflare CDN
- Pay-as-you-go pricing model
Wasabi
Wasabi provides hot cloud storage with predictable pricing.
Benefits:
- No egress fees
- Fast performance
- Simple pricing structure
Azure Blob Storage
Azure Blob Storage can be used through its S3-compatible API for integration with the Microsoft ecosystem.
Setup requirements:
- Enable S3-compatible API in Azure
- Use container name as bucket name
- Configure appropriate access policies
Presigned URL configuration
Palmr. uses presigned URLs to provide secure, temporary access to files stored in both S3-compatible storage and filesystem storage. These URLs have a configurable expiration time to balance security and usability.
Note: This configuration applies to all storage types (S3, filesystem, etc.), not just S3-compatible storage.
Understanding presigned URLs
Presigned URLs are temporary URLs that allow direct access to files without exposing storage credentials or requiring authentication. They automatically expire after a specified time period, enhancing security by limiting access duration.
How it works:
- S3 Storage: URLs are signed by AWS/S3-compatible provider credentials
- Filesystem Storage: URLs carry temporary tokens that are validated by the Palmr. server
Default behavior:
- Upload URLs: 1 hour (3600 seconds)
- Download URLs: 1 hour (3600 seconds)
Configuring expiration time
You can customize the expiration time using the PRESIGNED_URL_EXPIRATION environment variable:
Choosing the right expiration time
Shorter expiration (15-30 minutes):
- [+] Higher security
- [+] Reduced risk of unauthorized access
- [-] May interrupt long uploads/downloads
- [-] Users may need to refresh links more often
Longer expiration (2-6 hours):
- [+] Better user experience for large files
- [+] Fewer interruptions during transfers
- [-] Longer exposure window if URLs are compromised
- [-] Potential for increased storage costs if users leave downloads incomplete
Recommended settings:
- High security environments: 1800 seconds (30 minutes)
- Standard usage: 3600 seconds (1 hour) - default
- Large file transfers: 7200-21600 seconds (2-6 hours)
Example configurations
For Backblaze B2 with extended expiration:
For high-security environments:
Configuration best practices
Security considerations
- Use IAM policies to limit access to specific buckets and operations
- Enable encryption at rest and in transit
- Rotate credentials regularly
- Monitor access logs for unusual activity
- Use HTTPS for all connections (S3_USE_SSL=true)
Performance optimization
- Choose regions close to your users or server location
- Configure CDN for faster file delivery
- Use appropriate bucket policies for public file access
- Monitor bandwidth usage and costs
Troubleshooting common issues
Connection errors:
- Verify endpoint URL and port settings
- Check firewall and network connectivity
- Ensure SSL/TLS settings match provider requirements
SSL certificate errors (self-signed certificates):
If you encounter errors like unable to verify the first certificate or UNABLE_TO_VERIFY_LEAF_SIGNATURE, you're likely using self-signed SSL certificates. This is common with self-hosted MinIO or other S3-compatible services.
Solution:
Set S3_REJECT_UNAUTHORIZED=false in your environment variables to allow self-signed certificates:
Note: SSL certificate validation is enabled by default (true) for security. Set it to false only when using self-hosted S3 services with self-signed certificates.
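The environment-variable table earlier on this page and the note above describe settings that trade security for convenience. As an added example (not Palmr.'s own code), the following Node.js check reads an env-like object and reports missing required values together with security warnings for plaintext transport, disabled certificate validation and unusual expiration times; the sample environment is constructed.

```javascript
// Added example, not Palmr.'s own code: a pre-start lint for the storage
// variables documented on this page. Returns hard errors (missing required
// settings, malformed numbers) and security warnings (S3_USE_SSL=false,
// S3_REJECT_UNAUTHORIZED=false, expiration outside the recommended range).
const REQUIRED_S3 = ["S3_ENDPOINT", "S3_USE_SSL", "S3_ACCESS_KEY",
  "S3_SECRET_KEY", "S3_REGION", "S3_BUCKET_NAME"];

function isTrue(v) { return String(v ?? "").toLowerCase() === "true"; }

function lintStorageEnv(env) {
  const errors = [], warnings = [];
  // Applies to every storage type; 3600 is the documented default.
  const exp = env.PRESIGNED_URL_EXPIRATION ?? "3600";
  if (!/^\d+$/.test(exp) || Number(exp) < 1) {
    errors.push("PRESIGNED_URL_EXPIRATION must be a positive integer number of seconds");
  } else if (Number(exp) < 1800 || Number(exp) > 21600) {
    warnings.push(`PRESIGNED_URL_EXPIRATION=${exp} is outside the recommended 1800-21600 s range`);
  }
  if (!isTrue(env.ENABLE_S3)) return { errors, warnings }; // filesystem storage: nothing else to check
  for (const k of REQUIRED_S3) if (!env[k]) errors.push(`${k} is required when ENABLE_S3=true`);
  if (env.S3_PORT !== undefined &&
      !(/^\d+$/.test(env.S3_PORT) && Number(env.S3_PORT) >= 1 && Number(env.S3_PORT) <= 65535)) {
    errors.push("S3_PORT must be a port number between 1 and 65535");
  }
  const ssl = isTrue(env.S3_USE_SSL);
  if (!ssl) warnings.push("S3_USE_SSL=false: credentials and file data travel in plaintext");
  if (env.S3_REJECT_UNAUTHORIZED !== undefined && !isTrue(env.S3_REJECT_UNAUTHORIZED)) {
    warnings.push(ssl
      ? "S3_REJECT_UNAUTHORIZED=false: certificate validation is off; acceptable only for self-hosted endpoints with self-signed certificates"
      : "S3_REJECT_UNAUTHORIZED=false has no effect while S3_USE_SSL=false");
  }
  return { errors, warnings };
}

// Constructed sample: a self-hosted MinIO deployment with a self-signed certificate.
const SAMPLE_MINIO_ENV = {
  ENABLE_S3: "true", S3_ENDPOINT: "minio.internal.example", S3_PORT: "9000",
  S3_USE_SSL: "true", S3_REJECT_UNAUTHORIZED: "false", S3_FORCE_PATH_STYLE: "true",
  S3_ACCESS_KEY: "EXAMPLE_ACCESS_KEY", S3_SECRET_KEY: "EXAMPLE_SECRET_KEY",
  S3_REGION: "us-east-1", S3_BUCKET_NAME: "palmr-files", PRESIGNED_URL_EXPIRATION: "3600",
};
```

Running lintStorageEnv(process.env) at container start, and refusing to boot on any error, keeps a misconfigured deployment from silently falling back to insecure behaviour.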
Authentication failures:
- Confirm access key and secret key are correct
- Verify IAM permissions for bucket operations
- Check if credentials have expired
Bucket access issues:
- Ensure bucket exists and is accessible
- Verify region settings match bucket location
- Check bucket policies and ACL settings
Testing your configuration
After configuring your S3 provider, test the connection by:
- Upload a test file through the Palmr. interface
- Verify file appears in your S3 bucket
- Download the file to confirm retrieval works
- Check file permissions and access controls
Tip: Start with a development bucket to test your configuration before using production storage.
Switching between providers
To switch from filesystem to S3 storage or between S3 providers:
- Backup existing files if switching from filesystem storage
- Update environment variables with new provider settings
- Restart the Palmr. container to apply changes
- Test file operations to ensure everything works correctly
Remember that existing files won't be automatically migrated when switching storage providers.