1--- 2layout: docs 3page_title: S3 - Storage Backends - Configuration 4sidebar_title: S3 5description: |- 6 The S3 storage backend is used to persist Vault's data in an Amazon S3 7 bucket. 8--- 9 10# S3 Storage Backend 11 12The S3 storage backend is used to persist Vault's data in an [Amazon S3][s3] 13bucket. 14 15- **No High Availability** – the S3 storage backend does not support high 16 availability. 17 18- **Community Supported** – the S3 storage backend is supported by the 19 community. While it has undergone review by HashiCorp employees, they may not 20 be as knowledgeable about the technology. If you encounter problems with them, 21 you may be referred to the original author. 22 23```hcl 24storage "s3" { 25 access_key = "abcd1234" 26 secret_key = "defg5678" 27 bucket = "my-bucket" 28} 29``` 30 31## `s3` Parameters 32 33- `bucket` `(string: <required>)` – Specifies the name of the S3 bucket. This 34 can also be provided via the environment variable `AWS_S3_BUCKET`. 35 36- `endpoint` `(string: "")` – Specifies an alternative, AWS compatible, S3 37 endpoint. This can also be provided via the environment variable 38 `AWS_S3_ENDPOINT`. 39 40- `region` `(string "us-east-1")` – Specifies the AWS region. This can also be 41 provided via the environment variable `AWS_REGION` or `AWS_DEFAULT_REGION`, 42 in that order of preference. 43 44The following settings are used for authenticating to AWS. If you are 45running your Vault server on an EC2 instance, you can also make use of the EC2 46instance profile service to provide the credentials Vault will use to make 47S3 API calls. Leaving the `access_key` and `secret_key` fields empty will 48cause Vault to attempt to retrieve credentials from the AWS metadata service. 49 50- `access_key` – Specifies the AWS access key. This can also be provided via 51 the environment variable `AWS_ACCESS_KEY_ID`, AWS credential files, or by 52 IAM role. 53 54- `secret_key` – Specifies the AWS secret key. This can also be provided via 55 the environment variable `AWS_SECRET_ACCESS_KEY`, AWS credential files, or 56 by IAM role. 57 58- `session_token` `(string: "")` – Specifies the AWS session token. This can 59 also be provided via the environment variable `AWS_SESSION_TOKEN`. 60 61- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent 62 requests to S3. 63 64- `s3_force_path_style` `(string: "false")` - Specifies whether to use host 65 bucket style domains with the configured endpoint. 66 67- `disable_ssl` `(string: "false")` - Specifies if SSL should be used for the 68 endpoint connection (highly recommended not to disable for production). 69 70- `kms_key_id` `(string: "")` - Specifies the ID or Alias of the KMS key used to 71 encrypt data in the S3 backend. Vault must have `kms:Encrypt` and `kms:Decrypt` 72 permissions for this key. You can use `alias/aws/s3` to specify the default 73 key for the account. 74 75- `path` `(string: "")` - Specifies the path in the S3 Bucket where Vault 76 data will be stored. 77 78## `s3` Examples 79 80### Default Example 81 82This example shows using Amazon S3 as a storage backend. 83 84```hcl 85storage "s3" { 86 access_key = "abcd1234" 87 secret_key = "defg5678" 88 bucket = "my-bucket" 89} 90``` 91 92### S3 KMS Encryption with Default Key 93 94This example shows using Amazon S3 as a storage backend using KMS 95encryption with the default S3 KMS key for the account. 96 97```hcl 98storage "s3" { 99 access_key = "abcd1234" 100 secret_key = "defg5678" 101 bucket = "my-bucket" 102 kms_key_id = "alias/aws/s3" 103} 104``` 105 106### S3 KMS Encryption with Custom Key 107 108This example shows using Amazon S3 as a storage backend using KMS 109encryption with a customer managed KMS key. 110 111```hcl 112storage "s3" { 113 access_key = "abcd1234" 114 secret_key = "defg5678" 115 bucket = "my-bucket" 116 kms_key_id = "001234ac-72d3-9902-a3fc-0123456789ab" 117} 118``` 119 120[s3]: https://aws.amazon.com/s3/ 121