Skip to main content
Version: 1.6.1

How to setup external S3 storage

One of the steps involved in running epinio push is storing the requested version of the code in the configured Epinio S3 compatible storage. By default, Epinio installs and configures Minio to be used for this purpose. This document describes how to point Epinio to another S3 compatible storage and skip the Minio installation.

The Epinio Helm chart has the following optional parameters:

Variable nameDescriptionMandatoryDefault
minio.enabledWhether to install Minio or notyes"true"
s3.bucketS3 bucket where you want to store your appsyesepinio
s3.endpointS3 endpointyesminio.epinio.svc.cluster.local
s3.accessKeyIDS3 access key id to authenticate to the endpointnorandom value when Minio is enabled
s3.secretAccessKeyS3 secret access key id to authenticate to the endpointnorandom value when Minio is enabled
s3.useSSLUse SSL for encryptionnotrue
s3.regionS3 region where your bucket isno""
s3.certificateSecretAn existing TLS secret to be trusted (if self signed)no"minio-tls" if Minio is enabled

To configure Epinio to store application sources to an external S3 compatible storage, at least the mandatory options should be set.

NOTE: Some implementations don't need the location (e.g. Minio) and s3.useSSL has a default value of "true".

For instance, add the following options to your Helm command to make Epinio pointing to AWS:

--set minio.enabled=false \
--set \
--set s3.bucket=<your_bucket_here> \
--set s3.region=<your_region_here> \
--set s3.accessKeyID=<your_access_key_here> \
--set s3.secretAccessKey=<your_secret_access_key_here> \

If the bucket doesn't exist, Epinio will try to create it when it first tries to write to it. Make sure the access key and the access secret have enough permissions to create a bucket and then write to it.

When you successfully push a new version of your application, Epinio will remove the resources of the previous staging process from the Kubernetes cluster and will also delete the previous version of the sources from S3. This way, Epinio doesn't store more than it needs on the S3 storage and the user doesn't need to manually cleanup.

Authentication through an IAM profile

When using AWS S3 Epinio further supports authentication by AWS IAM profile, instead of through regular credentials.

Epinio activates this mode when the credential keys are left empty. I.e. s3.accessKeyID="", and s3.secretAccessKey="".

In AWS the kubernetes cluster in question has to have an IAM policy attached to it which provides the permissions for access to S3.


Create a policy with

aws iam create-policy \
--policy-name EpinioECEKSClusterPolicy \
--policy-document \
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"Resource": [

Attach that policy ot the instance role with

aws iam attach-role-policy \
--role-name "<your instance role here>" \
--policy-arn "<your policy arn here>"

The instance role can be determined with:

kubectl -n kube-system describe configmap aws-auth | grep rolearn | cut -d':' -f7 | cut -d'/' -f2