s3

package module
v0.0.0-...-cae2153
Published: Dec 16, 2025 License: Apache-2.0 Imports: 24 Imported by: 0

README

Certmagic Storage Backend for S3

This library allows you to use any S3-compatible provider as key/certificate storage backend for your Certmagic-enabled HTTPS server. To protect your keys from unwanted attention, client-side encryption is possible using the secretbox package.

Configuration Options

  • endpoint: Custom endpoint URL (optional)
  • host: Deprecated; use endpoint instead.
  • insecure: Skip TLS certificate verification (optional, defaults to false)
  • bucket: S3 bucket name (required, no default value)
  • region: AWS region (optional, defaults to us-east-1)
  • access_key: AWS access key (optional)
  • secret_key: AWS secret key (optional)
  • profile: AWS profile name (optional)
  • role_arn: IAM role ARN for role assumption (optional)
  • prefix: Object key prefix (defaults to "acme")
  • encryption_key: 32-byte encryption key for client-side encryption (optional, if not set, then files will be plaintext in object storage)
  • use_path_style: Force path-style URLs (optional, enforced as true when a custom endpoint is used)

If both host and endpoint are specified, an error is reported.
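The defaults and conflict rules listed above, written out as an added Go example that is not part of this module's code. The Config type mirrors the option names from the list; two rules are assumptions added here rather than documented behaviour: a lone deprecated host is carried over into Endpoint, and access_key and secret_key must be set together.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config mirrors the storage options listed in the README. The field names
// are the documented option names; this type and the rules below are an
// added illustration, not the module's own code.
type Config struct {
	Host          string
	Endpoint      string
	Insecure      bool
	Bucket        string
	Region        string
	AccessKey     string
	SecretKey     string
	Profile       string
	RoleARN       string
	Prefix        string
	EncryptionKey string
	UsePathStyle  bool
}

// Normalize applies the documented defaults and conflict rules and returns
// the resolved configuration, or an error for the first problem it finds.
func Normalize(c Config) (Config, error) {
	// host is deprecated and may not be combined with endpoint.
	if c.Host != "" && c.Endpoint != "" {
		return c, errors.New("host and endpoint are mutually exclusive; use endpoint")
	}
	// Assumption: a lone deprecated host is treated as the endpoint so the
	// rest of the code only ever reads Endpoint.
	if c.Host != "" {
		c.Endpoint, c.Host = c.Host, ""
	}
	if strings.TrimSpace(c.Bucket) == "" {
		return c, errors.New("bucket is required")
	}
	if c.Region == "" {
		c.Region = "us-east-1"
	}
	if c.Prefix == "" {
		c.Prefix = "acme"
	}
	// A custom endpoint (MinIO, Ceph, ...) is always addressed path-style.
	if c.Endpoint != "" {
		c.UsePathStyle = true
	}
	// Added check: half a static credential pair is a typo, not a request to
	// fall back to the SDK's default credential chain.
	if (c.AccessKey == "") != (c.SecretKey == "") {
		return c, errors.New("access_key and secret_key must be set together")
	}
	// secretbox keys are exactly 32 bytes. Reject anything else here rather
	// than let a short or long key be silently padded or truncated.
	if c.EncryptionKey != "" && len(c.EncryptionKey) != 32 {
		return c, fmt.Errorf("encryption_key must be exactly 32 bytes, got %d", len(c.EncryptionKey))
	}
	return c, nil
}

// Encrypted reports whether objects will be encrypted client-side before upload.
func (c Config) Encrypted() bool { return c.EncryptionKey != "" }

func main() {
	c, err := Normalize(Config{
		Endpoint:  "https://minio.example.com",
		Bucket:    "my-certificates",
		AccessKey: "minioadmin",
		SecretKey: "minioadmin",
	})
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	fmt.Printf("endpoint=%s region=%s prefix=%s path_style=%t encrypted=%t\n",
		c.Endpoint, c.Region, c.Prefix, c.UsePathStyle, c.Encrypted())
}
```

Running the check at provision time, before the first Store, means a mistyped 31-byte key or a stray host line fails loudly instead of leaving plaintext keys in the bucket or a backend that cannot be reached.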

What is an S3-compatible service?

Any such service must support the following:

  • v4 Signatures
  • Basic S3 operations:
    • GetObject
    • PutObject
    • DeleteObject
    • HeadObject
    • ListObjectsV2

Configuration Examples

Using Static Credentials (AWS S3)

{
  storage s3 {
    bucket "my-certificates"
    region "us-west-2"
    access_key "AKIAEXAMPLE"
    secret_key "EXAMPLE"
    prefix "caddy-certs"
    encryption_key "your-32-byte-encryption-key-here"
  }
}

Using Custom S3-Compatible Provider

{
  storage s3 {
    endpoint "https://minio.example.com"
    bucket "my-certificates"
    region "us-east-1"
    access_key "minioadmin"
    secret_key "minioadmin"
    prefix "caddy-certs"
  }
}

Credits & Thanks

This project was forked from @thomersch's wonderful Certmagic Storage Backend for Generic S3 Providers repository.

License

This project is licensed under Apache 2.0, an open source license.

Documentation

Constants

const (
	NonceSize = 24
)

Variables

var (
	LockExpiration   = 2 * time.Minute
	LockPollInterval = 1 * time.Second
	LockTimeout      = 15 * time.Second
)

var ErrInvalidKey = errors.New("invalid key")
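LockExpiration, LockPollInterval and LockTimeout are the knobs of the Lock/Unlock pair listed under Types below, but the page does not say how they interact. The following added Go example (not the module's code) models one reasonable reading: a lock is an object recording when it was taken, Lock polls every LockPollInterval until that object is absent or older than LockExpiration, and gives up after LockTimeout. The in-memory lockStore standing in for the bucket, the ".lock" key suffix and the ErrNotLocked error are constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// The three tunables from the package's Variables section.
var (
	LockExpiration   = 2 * time.Minute
	LockPollInterval = 1 * time.Second
	LockTimeout      = 15 * time.Second
)

var ErrNotLocked = errors.New("lock not held")

// lockStore is a constructed in-memory stand-in for the bucket: each lock is
// an object whose body records when it was taken. Real S3 is not involved.
type lockStore struct {
	mu   sync.Mutex
	objs map[string]time.Time
}

// Locker models the Lock/Unlock pair. now is injectable so the expiry rule
// can be exercised without waiting two minutes of wall-clock time.
type Locker struct {
	store   *lockStore
	now     func() time.Time
	poll    time.Duration
	timeout time.Duration
	expiry  time.Duration
}

func NewLocker() *Locker {
	return &Locker{
		store:   &lockStore{objs: map[string]time.Time{}},
		now:     time.Now,
		poll:    LockPollInterval,
		timeout: LockTimeout,
		expiry:  LockExpiration,
	}
}

// Assumption: the lock object lives beside the protected key under a ".lock" suffix.
func lockKey(key string) string { return key + ".lock" }

// Lock polls every poll interval until the lock is free or stale, giving up
// after timeout or as soon as ctx is cancelled.
func (l *Locker) Lock(ctx context.Context, key string) error {
	deadline := l.now().Add(l.timeout)
	for {
		if l.tryAcquire(lockKey(key)) {
			return nil
		}
		if l.now().After(deadline) {
			return fmt.Errorf("lock %q: gave up after %s", key, l.timeout)
		}
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(l.poll):
		}
	}
}

// tryAcquire is the single decision point: a lock that exists and is younger
// than expiry belongs to someone else; a missing or stale one is taken over.
func (l *Locker) tryAcquire(lk string) bool {
	l.store.mu.Lock()
	defer l.store.mu.Unlock()
	if taken, held := l.store.objs[lk]; held && l.now().Sub(taken) < l.expiry {
		return false
	}
	l.store.objs[lk] = l.now()
	return true
}

// Unlock deletes the lock object; unlocking something never locked is an error.
func (l *Locker) Unlock(ctx context.Context, key string) error {
	if err := ctx.Err(); err != nil {
		return err
	}
	l.store.mu.Lock()
	defer l.store.mu.Unlock()
	lk := lockKey(key)
	if _, held := l.store.objs[lk]; !held {
		return ErrNotLocked
	}
	delete(l.store.objs, lk)
	return nil
}

func main() {
	l := NewLocker()
	l.poll, l.timeout = 50*time.Millisecond, 300*time.Millisecond // shortened for the demo
	ctx := context.Background()
	if err := l.Lock(ctx, "issue_cert/example.com"); err != nil {
		fmt.Println("lock:", err)
		return
	}
	fmt.Println("acquired; a second Lock on the same key now blocks until timeout")
	fmt.Println("second attempt:", l.Lock(ctx, "issue_cert/example.com"))
	fmt.Println("unlock:", l.Unlock(ctx, "issue_cert/example.com"))
}
```

The stale-lock takeover is what lets renewal proceed after a node crashes mid-issuance; the cost is that a read-then-write against object storage is not atomic, so two instances polling at the same instant can both believe they hold the lock. Keep LockExpiration comfortably longer than the slowest ACME exchange you expect, and treat the occasional duplicate attempt as the price of a lock that can never wedge permanently.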

Functions

This section is empty.

Types

type CleartextIO

type CleartextIO struct{}

func (*CleartextIO) ByteReader

func (ci *CleartextIO) ByteReader(buf []byte) Reader

func (*CleartextIO) WrapReader

func (ci *CleartextIO) WrapReader(r io.Reader) io.Reader

type IO

type IO interface {
	WrapReader(io.Reader) io.Reader
	ByteReader([]byte) Reader
}

type Reader

type Reader struct {
	// contains filtered or unexported fields
}

func (*Reader) Len

func (r *Reader) Len() int64

func (*Reader) Read

func (r *Reader) Read(buf []byte) (int, error)

func (*Reader) Seek

func (r *Reader) Seek(offset int64, whence int) (int64, error)

type S3

type S3 struct {
	Logger *zap.Logger

	// S3
	Client       *s3sdk.Client
	Host         string `json:"host"`
	Endpoint     string `json:"endpoint"`
	Insecure     bool   `json:"insecure"`
	Bucket       string `json:"bucket"`
	Region       string `json:"region"`
	AccessKey    string `json:"access_key"`
	SecretKey    string `json:"secret_key"`
	Profile      string `json:"profile"`
	RoleARN      string `json:"role_arn"`
	Prefix       string `json:"prefix"`
	UsePathStyle bool   `json:"use_path_style,omitempty"`

	// EncryptionKey is optional. If you do not wish to encrypt your certificates and keys inside the S3 bucket, leave it empty.
	EncryptionKey string `json:"encryption_key"`
	// contains filtered or unexported fields
}

func (*S3) CaddyModule

func (s3 *S3) CaddyModule() caddy.ModuleInfo

func (*S3) CertMagicStorage

func (s3 *S3) CertMagicStorage() (certmagic.Storage, error)

CertMagicStorage converts s3 to a certmagic.Storage instance.

func (*S3) Delete

func (s3 *S3) Delete(ctx context.Context, key string) error

func (*S3) Exists

func (s3 *S3) Exists(ctx context.Context, key string) bool

func (*S3) List

func (s3 *S3) List(ctx context.Context, prefix string, recursive bool) ([]string, error)

func (*S3) Load

func (s3 *S3) Load(ctx context.Context, key string) ([]byte, error)

func (*S3) Lock

func (s3 *S3) Lock(ctx context.Context, key string) error

func (*S3) Provision

func (s3 *S3) Provision(ctx caddy.Context) error

func (*S3) Stat

func (s3 *S3) Stat(ctx context.Context, key string) (certmagic.KeyInfo, error)

func (*S3) Store

func (s3 *S3) Store(ctx context.Context, key string, value []byte) error

func (*S3) Unlock

func (s3 *S3) Unlock(ctx context.Context, key string) error

func (*S3) UnmarshalCaddyfile

func (s3 *S3) UnmarshalCaddyfile(d *caddyfile.Dispenser) error

type SecretBoxIO

type SecretBoxIO struct {
	SecretKey [32]byte
}

func NewSecretBoxIO

func NewSecretBoxIO(key [32]byte) *SecretBoxIO

func (*SecretBoxIO) ByteReader

func (sb *SecretBoxIO) ByteReader(msg []byte) Reader

func (*SecretBoxIO) IsValid

func (sb *SecretBoxIO) IsValid() bool

func (*SecretBoxIO) WrapReader

func (sb *SecretBoxIO) WrapReader(r io.Reader) io.Reader
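To show how the IO interface above fits together (a ByteReader for Store, a WrapReader for Load, and a Reader with Len and Seek so the upload knows its content length and can rewind on retry), here is an added Go example that is not the module's code. It uses AES-256-GCM from the standard library in place of secretbox, so its nonce is 12 bytes rather than the package's NonceSize of 24; the nonce-then-ciphertext object layout, the SealedIO type standing in for SecretBoxIO, the errReader helper and roundTrip are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// IO mirrors the package's IO interface: ByteReader prepares a value for
// upload (Store), WrapReader undoes that on download (Load).
type IO interface {
	WrapReader(io.Reader) io.Reader
	ByteReader([]byte) Reader
}

// Reader is a seekable buffer with a known length, which is what an S3
// PutObject needs (Content-Length, and a rewind if the request is retried).
type Reader struct{ *bytes.Reader }

func (r Reader) Len() int64 { return int64(r.Reader.Len()) }

// CleartextIO is the no-encryption path used when encryption_key is unset.
type CleartextIO struct{}

func (CleartextIO) WrapReader(r io.Reader) io.Reader { return r }
func (CleartextIO) ByteReader(b []byte) Reader       { return Reader{bytes.NewReader(b)} }

// SealedIO plays the role of SecretBoxIO. It uses AES-256-GCM from the
// standard library as a stand-in for secretbox (XSalsa20-Poly1305, which
// lives in golang.org/x/crypto); the object layout follows the same idea,
// a fresh random nonce followed by the authenticated ciphertext.
type SealedIO struct {
	key  [32]byte
	aead cipher.AEAD
}

var ErrInvalidKey = errors.New("invalid key")

func NewSealedIO(key [32]byte) (*SealedIO, error) {
	if key == ([32]byte{}) {
		return nil, ErrInvalidKey // an all-zero key means "unset", not a key
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SealedIO{key: key, aead: aead}, nil
}

// IsValid mirrors SecretBoxIO.IsValid.
func (s *SealedIO) IsValid() bool { return s != nil && s.key != ([32]byte{}) }

// ByteReader seals plaintext as nonce || ciphertext || tag with a fresh nonce.
func (s *SealedIO) ByteReader(plaintext []byte) Reader {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	sealed := s.aead.Seal(nonce, nonce, plaintext, nil) // appends to the nonce slice
	return Reader{bytes.NewReader(sealed)}
}

// WrapReader reads the whole object and authenticates it before handing back
// a single byte of plaintext; certificates and keys are small, so buffering
// is the safe choice.
func (s *SealedIO) WrapReader(r io.Reader) io.Reader {
	blob, err := io.ReadAll(r)
	if err != nil {
		return errReader{err}
	}
	ns := s.aead.NonceSize()
	if len(blob) < ns+s.aead.Overhead() {
		return errReader{errors.New("object too short to be a sealed value")}
	}
	plaintext, err := s.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return errReader{errors.New("authentication failed: wrong key or modified object")}
	}
	return bytes.NewReader(plaintext)
}

// errReader surfaces a decryption failure through the io.Reader contract.
type errReader struct{ err error }

func (e errReader) Read([]byte) (int, error) { return 0, e.err }

// roundTrip stores then loads a value through w, the way the storage would.
func roundTrip(w IO, value []byte) ([]byte, error) {
	return io.ReadAll(w.WrapReader(w.ByteReader(value)))
}

func main() {
	var key [32]byte
	copy(key[:], "your-32-byte-encryption-key-here") // constructed example key
	sb, err := NewSealedIO(key)
	if err != nil {
		fmt.Println(err)
		return
	}
	pem := []byte("-----BEGIN EC PRIVATE KEY-----\nconstructed\n-----END EC PRIVATE KEY-----\n")
	fmt.Println("sealed length:", sb.ByteReader(pem).Len(), "plaintext length:", len(pem))
	out, err := roundTrip(sb, pem)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(out, pem))
}
```

Two properties matter for a key store: decryption fails closed (a wrong key or a modified object yields an error and no partial plaintext, which is why WrapReader buffers and authenticates before returning a reader), and every Store draws a fresh random nonce, so writing the same PEM twice never produces the same object in the bucket.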
