imgproxy/docs/serving_files_from_s3.md

# Serving files from S3

imgproxy can process images from S3 buckets. To use this feature, do the following:

1. Set the `IMGPROXY_USE_S3` environment variable to be `true`.
2. [Set up the necessary credentials](#set-up-credentials) to grant access to your bucket.
3. _(optional)_ Specify the AWS region with `IMGPROXY_S3_REGION` or `AWS_REGION`. Default: `us-west-1`
4. _(optional)_ Specify the S3 endpoint with `IMGPROXY_S3_ENDPOINT`.
5. _(optional)_ Specify the AWS IAM Role to Assume with `IMGPROXY_S3_ASSUME_ROLE_ARN`
6. Use `s3://%bucket_name/%file_key` as the source image URL.

If you need to specify the version of the source object, you can use the query string of the source URL:

```
s3://%bucket_name/%file_key?%version_id
```

### Set up credentials

There are three ways to specify your AWS credentials. The credentials need to have read rights for all of the buckets given in the source URLs:

#### IAM Roles

If you're running imgproxy on an Amazon Web Services platform, you can use IAM roles to to get the security credentials to make calls to AWS S3.

* **Elastic Container Service (ECS):** Assign an [IAM role to a task](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html).
* **Elastic Kubernetes Service (EKS):** Assign a [service account to a pod](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html).
* **Elastic Beanstalk:** Assign an [IAM role to an instance](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html).

#### Environment variables

You can specify an AWS Access Key ID and a Secret Access Key by setting the standard `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.

``` bash
AWS_ACCESS_KEY_ID=my_access_key AWS_SECRET_ACCESS_KEY=my_secret_key imgproxy

# same for Docker
docker run -e AWS_ACCESS_KEY_ID=my_access_key -e AWS_SECRET_ACCESS_KEY=my_secret_key -it darthsim/imgproxy
```

This is the recommended method when using dockerized imgproxy.

#### Shared credentials file

Alternatively, you can create the `.aws/credentials` file in your home directory with the following content:

```ini
[default]
aws_access_key_id = %access_key_id
aws_secret_access_key = %secret_access_key
```

#### Cross-Account Access

S3 access credentials may be acquired by assuming a role using STS. To do so specify the IAM Role arn with the `IMGPROXY_S3_ASSUME_ROLE_ARN` environment variable. This approach still requires you to provide initial AWS credentials by using one of the ways described above. The provided credentials role should allow assuming the role with provided ARN.

## Minio

[Minio](https://github.com/minio/minio) is an object storage server released under Apache License v2.0. It is compatible with Amazon S3, so it can be used with imgproxy.

To use Minio as source images provider, do the following:

* Set up Amazon S3 support as usual using environment variables or a shared config file.
* Specify an endpoint with `IMGPROXY_S3_ENDPOINT`. Use the `http://...` endpoint to disable SSL.
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00			`# Serving files from S3`

Update docs 2018-10-08 08:23:20 +02:00			`imgproxy can process images from S3 buckets. To use this feature, do the following:`
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			1. Set the `IMGPROXY_USE_S3` environment variable to be `true`.
Update docs and changelog 2022-12-05 16:43:25 +02:00			`2. [Set up the necessary credentials](#set-up-credentials) to grant access to your bucket.`
Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			3. _(optional)_ Specify the AWS region with `IMGPROXY_S3_REGION` or `AWS_REGION`. Default: `us-west-1`
			4. _(optional)_ Specify the S3 endpoint with `IMGPROXY_S3_ENDPOINT`.
allow acquiring s3 access credentials through role assumption (#1152) * allow acquiring s3 access credentials through role assumption * improve cross-account access docs * Update docs/serving_files_from_s3.md Co-authored-by: Sergey Alexandrovich <DarthSim@users.noreply.github.com> --------- Co-authored-by: Sergey Alexandrovich <DarthSim@users.noreply.github.com> 2023-05-09 16:50:02 +02:00			5. _(optional)_ Specify the AWS IAM Role to Assume with `IMGPROXY_S3_ASSUME_ROLE_ARN`
			6. Use `s3://%bucket_name/%file_key` as the source image URL.
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			`If you need to specify the version of the source object, you can use the query string of the source URL:`
Version IDs for S3 and generations for GCS 2018-11-13 16:04:04 +02:00
			```
			`s3://%bucket_name/%file_key?%version_id`
			```

Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			`### Set up credentials`
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
Update docs and changelog 2022-12-05 16:43:25 +02:00			`There are three ways to specify your AWS credentials. The credentials need to have read rights for all of the buckets given in the source URLs:`

			`#### IAM Roles`

			`If you're running imgproxy on an Amazon Web Services platform, you can use IAM roles to to get the security credentials to make calls to AWS S3.`

Update docs 2022-12-11 19:22:58 +02:00			`* Elastic Container Service (ECS): Assign an [IAM role to a task](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html).`
			`* Elastic Kubernetes Service (EKS): Assign a [service account to a pod](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html).`
			`* Elastic Beanstalk: Assign an [IAM role to an instance](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html).`
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
			`#### Environment variables`

Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			You can specify an AWS Access Key ID and a Secret Access Key by setting the standard `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
			``` bash
Add "Copy to clipboard" buttons to code blocks in docs 2019-10-15 17:48:33 +02:00			`AWS_ACCESS_KEY_ID=my_access_key AWS_SECRET_ACCESS_KEY=my_secret_key imgproxy`
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
			`# same for Docker`
			`docker run -e AWS_ACCESS_KEY_ID=my_access_key -e AWS_SECRET_ACCESS_KEY=my_secret_key -it darthsim/imgproxy`
			```

Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			`This is the recommended method when using dockerized imgproxy.`
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
			`#### Shared credentials file`

Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			Alternatively, you can create the `.aws/credentials` file in your home directory with the following content:
Merge branch 'crohr/s3-protocol' into version/2.0 2018-10-04 17:12:51 +02:00
			```ini
			`[default]`
			`aws_access_key_id = %access_key_id`
			`aws_secret_access_key = %secret_access_key`
			```

allow acquiring s3 access credentials through role assumption (#1152) * allow acquiring s3 access credentials through role assumption * improve cross-account access docs * Update docs/serving_files_from_s3.md Co-authored-by: Sergey Alexandrovich <DarthSim@users.noreply.github.com> --------- Co-authored-by: Sergey Alexandrovich <DarthSim@users.noreply.github.com> 2023-05-09 16:50:02 +02:00			`#### Cross-Account Access`

			S3 access credentials may be acquired by assuming a role using STS. To do so specify the IAM Role arn with the `IMGPROXY_S3_ASSUME_ROLE_ARN` environment variable. This approach still requires you to provide initial AWS credentials by using one of the ways described above. The provided credentials role should allow assuming the role with provided ARN.

Update S3 docs 2018-12-09 14:12:46 +02:00			`## Minio`

			`[Minio](https://github.com/minio/minio) is an object storage server released under Apache License v2.0. It is compatible with Amazon S3, so it can be used with imgproxy.`

			`To use Minio as source images provider, do the following:`

Docs/edits overhaul (#785) * Update landing page / README.md * Update GETTING_STARTED.md * Update installation.md * Update getting_the_image_info.md * update signing_the_url.md * Update watermark.md * Update presets.md * Update object_detection.md * Update autoquality.md * Update serving_local_files.md * Update docs/serving_files_from_s3.md * Update configuration.md * Update generating_the_url.md * Update chained_pipelines.md but chained pipelines section is not finished * Update serving_files_from_google_cloud_storage.md * Update new_relic.md * Update prometheus.md * Update datadog.md * Update image_formats_support.md * Update about_processing_pipeline.md * Update healthcheck.md * Update memory_usage_tweaks.md * Remove GIF/ICO/BMP/HEIF/AVIF support sections from docs/image_formats_support.md * Minor fixes of the docs * Update serving_files_from_azure_blob_storage.md * Fix issue with x and y offset for 're' watermark property * Fix params description in docs/watermark.md * Fix Alexander Madyankin GH name * Special thanks to Travis * Fix README Co-authored-by: DarthSim <darthsim@gmail.com> 2022-02-01 11:43:36 +02:00			`* Set up Amazon S3 support as usual using environment variables or a shared config file.`
			* Specify an endpoint with `IMGPROXY_S3_ENDPOINT`. Use the `http://...` endpoint to disable SSL.