| At line 1 removed one line |
| __S3 integration__\\ |
| At line 3 changed one line |
| Allows you to use a S3 bucket as the backend filesystem. However, since S3 isn't hierarchical, you only get simulated folders, and no ability to rename, and some other gotchas about how S3 works. These aren't limitations we impose, but just due to the design decisions S3 made in that it's intended for static item consumption and not as a location for holding and manipulating file names. \\ |
| !! S3 Integration Overview:\\ |
| The __Amazon S3 REST API__ provides a comprehensive set of HTTPS operations for managing and interacting with objects and buckets in Amazon S3. [Amazon S3 API Reference Link|https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html]\\ |
| __Authentication__: Supports __AWS Signature Version 4__ for secure request authentication.\\ |
| ---- |
| __⚠️ General restrictions:__ This integration allows you to use an Amazon S3 bucket as the backend virtual file system ([VFS]) in CrushFTP. However, since S3 is not a true hierarchical file system, folder structures are simulated using object key prefixes. As a result, renaming folders is not supported. These are not limitations imposed by CrushFTP, but inherent to S3’s object storage architecture, which is optimized for static content access, not for dynamic file manipulation.\\ |
| ---- |
| __⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, ensure that the necessary S3 domains are whitelisted to allow successful communication with the S3 REST API.\\ |
| ---- |
| !1. Amazon S3 Configuration.\\ |
| At line 5 changed one line |
| !1. Configuration.\\ |
| Amazon S3 can be configured in CrushFTP using __Access Key Authentication__ [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.1AccessKeyAuthentication], __EC2 IAM Authentication__ [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.2AmazonEC2IAMAuthenticationSupport], or __Assume Role__ authentication [Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-2.AccessAmazonS3UsingAssumeRole].\\ |
| At line 7 changed one line |
| The URL should look like this (Replace the URL with your corresponding data!):\\ |
| !1.1 Access Key Authentication\\ |
| At line 16 added 2 lines |
| The URL should be structured as follows (replace placeholders with your actual values):\\ |
| \\ |
| At line 10 changed one line |
| s3://ACCESS_KEY_ID:SEECRET_ACCESS_KEY@SERVER/BUCKET/}}} |
| General S3 : s3://ACCESS_KEY_ID:SEECRET_ACCESS_KEY@SERVER/BUCKET/ |
|
| Amazon S3 Example: s3://AKIAEXAMPLE:abcd1234example@s3.amazonaws.com/my-bucket/ |
| }}}\\ |
| At line 12 changed one line |
| The security credentials (Access key ID and Secret Access Key) were offered to save at S3 user creation. The server and bucket information can be found on the S3 portal (at AWS site S3 -> Buckets).\\ |
| To access S3, you must authenticate using standard AWS credentials:\\ |
| • __Access Key ID__ – Your AWS access key.\\ |
| • __Secret Access Key__ – The corresponding secret key.\\ |
| At line 28 added 4 lines |
| The __Access Key ID__ and __Secret Access Key__ are generated and offered for download when creating an S3 user (IAM user) in the AWS Management Console (More info: [Manage access keys for IAM users Link|https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey]). ⚠️ Make sure to save them securely, as the secret key will not be shown again.\\ |
| \\ |
| The __S3 Server Endpoint__ and __Bucket Name__ can be found in the AWS Console under: __S3 -> Buckets__. This information is required to correctly configure your S3 integration.\\ |
| \\ |
| At line 16 changed one line |
| Then paste them on the appropriate fields in CrushFTP.\\ |
| Ensure that your __S3 permissions are correctly configured__ as described in [1.3 Required S3 IAM Policy Permissions|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.3RequiredS3IAMPolicyPermissions], and then configure the S3 Remote VFS item as described in [1.4 S3 Remote VFS Settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.4S3RemoteVFSSettings].\\ |
| At line 18 changed 2 lines |
| [attachments|S3_VFS_config.png]\\ |
| We support the IAM auth scenario too, its just not the default mode. Setting the S3 username to "iam_lookup" and S3 password to "lookup" will use this method.\\ |
| !1.2 Amazon EC2 IAM Authentication Support\\ |
| CrushFTP supports S3 authentication using IAM roles assigned to EC2 instances. This allows secure access without embedding static credentials.\\ |
| To use this mode:\\ |
| • Set the S3 Remote [VFS] -> Username to: __iam_lookup__\\ |
| • Set the S3 Remote [VFS] -> Password to: __lookup__\\ |
| At line 21 changed one line |
| The following policy permissions are needed on S3:\\ |
| This instructs CrushFTP to __automatically retrieve temporary credentials from the EC2 instance’s IAM role__ via the instance metadata service. Use this approach to securely avoid hardcoding static credentials in environments where IAM roles are configured properly.\\ |
| \\ |
| __General EC2-Related Settings__ (Admin -> Preferences -> Misc -> S3 Configuration):\\ |
| \\ |
| • __Enable IMDSv2__: __IMDS (Instance Metadata Service) V2__ is the more secure version of the metadata endpoint used by EC2 instances to retrieve IAM role credentials. Enabling this option ensures that CrushFTP uses token-based access to the metadata service, protecting against SSRF attacks and adhering to AWS security best practices.\\ |
| __⚠️ Important:__ Always enable IMDSv2 unless your instance or security policies require legacy IMDSv1.\\ |
| \\ |
| • __EC2 Use relative URL__: When enabled, CrushFTP uses a relative URI path instead of an absolute path when communicating with the EC2 metadata service (http://169.254.169.254). This setting may be required in hardened environments or with certain proxy configurations that restrict full URL usage for local metadata requests. ⚠️ Note: Only enable this setting if you are encountering metadata access issues or are instructed to do so by AWS or your network/security administrator.\\ |
| \\ |
| [S3 integration/s3_ec2_general_settings.png]\\ |
| \\ |
| Ensure that your __S3 permissions are correctly configured__ as described in [1.3 Required S3 IAM Policy Permissions|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.3RequiredS3IAMPolicyPermissions], and then configure the S3 Remote VFS item as described in [1.4 S3 Remote VFS Settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.4S3RemoteVFSSettings].\\ |
| \\ |
| !1.3 Required S3 IAM Policy Permissions\\ |
| ---- |
| __❗Troubleshooting__: An __AccessDenied__ error in the logs typically indicates missing permissions. Verify that all required IAM policies are correctly attached to the user or role.\\ |
| ---- |
| To allow proper integration with Amazon S3, ensure that your IAM user or role has the following permissions assigned:\\ |
| \\ |
| At line 35 changed one line |
| !2. Access other cloud storage through S3 REST API\\ |
| ||Permission||Description||Why It’s Needed\\ |
| |s3:GetBucketLocation |Retrieves the AWS region of a specified bucket.|Required to validate bucket location and endpoint.\\ |
| |s3:ListAllMyBuckets|Lists all buckets owned by the requester.|Required for bucket verification.\\ |
| |s3:ListBucket|Lists objects within a specific bucket.|Allows viewing file/folder listings in a bucket.\\ |
| |s3:ListBucketMultipartUploads|Lists ongoing multipart uploads in a bucket.|Enables resuming or cleaning up incomplete multipart uploads.\\ |
| |s3:PutObject|Uploads an object to a bucket.|Required for writing (uploading) files.\\ |
| |s3:AbortMultipartUpload|Cancels an in-progress multipart upload.|Used to clean up failed or canceled large file uploads.\\ |
| |s3:ListMultipartUploadParts|Lists parts of a multipart upload.|Required when managing multipart uploads for large files.\\ |
| |s3:DeleteObject|Deletes an object from a bucket.|Allows file deletion capabilities.\\ |
| |s3:GetObject|Downloads or retrieves an object.|Required to read or download files.\\ |
| |s3:GetObjectAttributes|Retrieves metadata and properties of an object (e.g., size, last-modified).|Useful for showing detailed file info without downloading the entire object.\\ |
| At line 37 changed 2 lines |
| Google Cloud - [Google Cloud Storage Integration] \\ |
| BackBlaze(b2) - [BackBlaze(b2) integration]\\ |
| You may scope the "Resource" field to specific buckets or prefixes for more secure and limited access (e.g., "arn:aws:s3:::your-bucket-name/*").\\ |
| __⚠️ Important__: In the CrushFTP S3 Remote item configuration, be sure to check the __Don’t check the Bucket at login__ flag if the user does not have permission to list or access the bucket root directly.\\ |
| At line 40 changed one line |
| !3. Assume Role access\\ |
| !1.4 S3 Remote [VFS] settings\\ |
| Select the __S3__ remote item type.\\ |
| At line 42 changed one line |
| You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted accounts. (for more info see: [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html], and [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html])\\ |
| __Server:__ The base domain of the S3-compatible server (s3.us-east-1.amazonaws.com for Amazon S3). To use a non-Amazon provider, enter the provider’s endpoint hostname in the __URL__ field. |
| At line 94 added 32 lines |
| __Bucket__: The S3 bucket name where files will be stored.\\ |
| __Path__: Optional folder path within the bucket to restrict or set as the default working directory.\\ |
| \\ |
| __Accelerate__: (For AWS only) Enables S3 Transfer Acceleration — faster uploads/downloads using AWS edge locations. [Amazon S3 Transfer Acceleration – AWS Docs Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html]\\ |
| __Fast S3 item lookup__: Enables a faster way to resolve S3 items. ⚠️ Must be enabled! Without this option, CrushFTP may perform slower lookups, especially on buckets with a large number of objects.\\ |
| __SHA256 enabled on signing (Signing Version 4)__: ⚠️ Uses AWS Signature Version 4 for authentication (required in most regions now).\\ |
| __Show Partial Uploads__: When enabled, incomplete (multipart) uploads will appear in the file listing. Useful for debugging or managing failed uploads. Usually disabled to avoid cluttering the file list.\\ |
| __Use Bucket in Path__: Includes the bucket name as part of the S3 object key/path. This is typically not required unless working with a non-standard or custom S3-compatible backend that expects this behavior.\\ |
| __Don’t check bucket at login__: Skips checking if the bucket exists on login. Useful if your credentials lack s3:ListBucket permissions or the bucket is very large. Useful for non-Amazon providers too.\\ |
| __List Version 2__: Enables S3 ListObjectsV2 API, which is more efficient and recommended over the legacy ListObjects (v1). Supports better pagination and consistent performance.Should be enabled for all modern S3 services unless the backend only supports the older version.\\ |
| \\ |
| __User Name__: Your S3 Access Key ID or for Amazon EC2 IAM Authentication: __iam_lookup__.\\ |
| __Password__: Your Secret Access Key or for Amazon EC2 IAM Authentication: __lookup__\\ |
| \\ |
| __Server Side Encrypt?__: When checked, files uploaded to S3 will use Amazon S3 Server-Side Encryption (SSE-S3). This tells S3 to encrypt objects at rest using AWS-managed keys. If you want to use KMS keys instead, leave this unchecked and provide a key in the KMS Key Id field. See the [Using Server-Side Encryption with Amazon S3 Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html]\\ |
| Supported types: __AES256__,__AWS_KMS__\\ |
| __Canned ACL__: Sets default Access Control for uploaded files: private, public-read, authenticated-read See the [Canned ACLs – Amazon S3 Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl]\\ |
| __Storage Class__: S3 storage tier. Like: STANDARD, GLACIER, INTELLIGENT_TIERING See the [Storage Classes – Amazon S3 Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html]\\ |
| __KMS Key Id__: Optional: If using AWS KMS encryption, provide the full ARN of the key here. See the [ Using Server-Side Encryption with AWS KMS (SSE-KMS) Link|https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html]\\ |
| __Assume Role ARN__: Optional. For cross-account access using IAM Role with sts:AssumeRole. See the [3. Assume role Access Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-3.AssumeRoleAccess]\\ |
| __Assume Role Region__: AWS region where the IAM role resides (needed with Assume Role ARN).\\ |
| \\ |
| __Multithreaded S3 Uploads?__, __Multithreaded S3 Downloads?__: Configure parallel upload/download parts for large files. Default settings: Admin -> Preferences -> Misc -> S3 Configuration\\ |
| __Add meta data: MD5 and uploaded by user__: If enabled, CrushFTP will automatically add two pieces of metadata to each uploaded file:\\ |
| • md5 – The MD5 checksum of the file content (used for integrity verification).\\ |
| • uploaded_by – The username of the CrushFTP user who uploaded the file.\\ |
| \\ |
| [attachments|S3_VFS_config.png]\\ |
| ---- |
| !2. Access Amazon S3 using Assume Role\\ |
| IAM roles in AWS allow you to delegate access to resources without sharing credentials. Instead of hardcoding access keys, you can configure trusted entities to assume a role with specific permissions. (Official Docs for Deeper Understanding: [Amazon ID Roles Create for User Link|https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html], and [Amazon API Assume Role Link|https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html] )\\ |
| \\ |
| At line 54 changed one line |
| Add permission policy to the specified user. This policy will use the above-created assume role.\\ |
| Attach a permission policy to the specified user that allows assuming the previously created IAM role.\\ |
| At line 140 added 28 lines |
| {{{ |
| { |
| "Version": "2012-10-17", |
| "Statement": [ |
| { |
| "Sid": "Statement1", |
| "Effect": "Allow", |
| "Action": "sts:AssumeRole", |
| "Resource": "arn:aws:iam::XXXXX:role/AssumeRoleS3" |
| } |
| ] |
| } |
| }}}\\ |
| \\ |
| Use the specified user’s __Access Key__ and __Secret Key__ together with the __Assume Role ARN__ to obtain credentials for accessing S3.\\ |
| \\ |
| [attachments|assume_role_vfs_settings.png]\\ |
| \\ |
| Ensure that your __S3 permissions are correctly configured__ as described in [1.3 Required S3 IAM Policy Permissions|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.3RequiredS3IAMPolicyPermissions], and then configure the S3 Remote VFS item as described in [1.4 S3 Remote VFS Settings|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=S3%20integration#section-S3+integration-1.4S3RemoteVFSSettings].\\ |
| ---- |
| !3. Access other cloud storage through S3 REST API\\ |
| \\ |
| __Google Cloud__ - __⚠️ Important__: Check the __SHA256 enabled on signing (Signing Version 4)__ flag. [Google Cloud Storage Access Through S3 REST API | https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Google%20Cloud%20Storage%20Integration#section-Google+Cloud+Storage+Integration-2.AccessThroughS3RESTAPI] \\ |
| \\ |
| __BackBlaze(b2)__ - __⚠️ Important__: __SHA256 enabled on signing (Signing Version 4)__ and __Include SHA256 to request headers (Signing Version 4 related)__ flags must be checked. [BackBlaze(b2) Access Through S3 REST API| https://www.crushftp.com/crush11wiki/Wiki.jsp?page=BackBlaze%28b2%29%20integration#section-BackBlaze_28b2_29+integration-2.AccessThroughS3RESTAPI]\\ |
| \\ |
| __Yandex__ - __⚠️ Important__: Ensure that the __Server Side Encryption__ option is unchecked.\\ |
| ---- |
