
How to Manage S3 Buckets

Overview

This guide explains how to create and manage Amazon S3 buckets using AWS Controllers for Kubernetes (ACK) on the PortX Integration Manager Platform. ACK lets you manage AWS services declaratively through Kubernetes Custom Resource Definitions (CRDs): you describe the bucket in a Bucket resource, and the ACK S3 controller calls the S3 API to make the real bucket match that spec.


Prerequisites

Before creating S3 buckets, ensure you have:

  • Access to the PortX Integration Manager Platform
  • AWS credentials for the ACK S3 controller (typically an IAM role assumed through the cluster's OIDC provider)
  • ACK S3 controller installed and running in your cluster
  • IAM permissions on that role for the S3 operations you will use (for example s3:CreateBucket, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutBucketPublicAccessBlock, s3:PutBucketVersioning)

Creating an S3 Bucket

Step 1: Prepare the Bucket Configuration

Configure your S3 bucket in the chart's values.yaml file using the apps array structure. Each entry names a Kubernetes resource and carries the apiVersion, kind and spec of the ACK Bucket resource, so the spec uses the field names of the s3.services.k8s.aws/v1alpha1 Bucket CRD. Here's a basic example:

## Config for ack deployment
apps:
  - name: my-portx-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: my-portx-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2

Step 2: Key Configuration Parameters

Basic Settings

  • name: The chart resource name and Kubernetes resource name
  • spec.name: The actual S3 bucket name. It must be globally unique across all AWS accounts and follow the S3 naming rules (3 to 63 characters; lowercase letters, digits, dots and hyphens; starting and ending with a letter or digit; not formatted like an IP address)
  • spec: The Bucket spec exactly as the ACK CRD defines it. The API server drops spec fields the CRD does not know without reporting an error, so check key names against the ACK Bucket reference before committing
  • apiVersion: Always s3.services.k8s.aws/v1alpha1 for S3 buckets
  • kind: Always Bucket for S3 bucket resources

Advanced Configuration Options

apps:
  - name: advanced-portx-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: advanced-portx-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2
      cors:
        corsRules:
          - allowedHeaders:
              - "*"
            allowedMethods:
              - GET
              - POST
            allowedOrigins:
              - "*"   # any web origin may call the bucket; restrict to your application's origin in production
            maxAgeSeconds: 3000
      lifecycle:
        rules:
          - id: delete-old-objects
            status: Enabled
            filter:
              prefix: ""   # a rule must carry a filter or prefix; an empty prefix selects every object
            expiration:
              days: 90
      versioning:
        status: Enabled

Step 3: Deploy the Configuration

Deploy the S3 bucket configuration using the chart deployment process:

  1. Add your S3 bucket configuration to the values.yaml file in the apps array
  2. Commit the updated values.yaml file to your GitOps repository
  3. Push the changes to trigger the chart deployment pipeline

The chart deployment process will automatically create the S3 bucket resources in your cluster.

Step 4: Verify Bucket Creation

After the chart deployment completes, verify that your bucket has been created successfully. First check the Bucket resource in the cluster: ACK sets the condition ACK.ResourceSynced to True once the bucket's AWS-side configuration matches the spec, and records the AWS error message in the ACK.Terminal or ACK.Recoverable condition when it cannot. Then confirm from the AWS side, through the console or the AWS CLI, that the bucket exists with the expected configuration; the public access block, encryption and versioning settings in particular should be read back, not assumed.


Managing Bucket Properties

Versioning Configuration

Enable or suspend versioning on your S3 bucket in the values.yaml (once enabled, S3 versioning cannot be disabled, only suspended):

apps:
  - name: my-versioned-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: my-versioned-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2
      versioning:
        status: Enabled   # or Suspended

CORS Configuration

Configure Cross-Origin Resource Sharing (CORS) rules in the values.yaml. List only the origins, methods and headers your web application actually uses; a wildcard origin lets any web page issue requests against the bucket:

apps:
  - name: cors-enabled-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: cors-enabled-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2
      cors:
        corsRules:
          - allowedHeaders:
              - "Content-Type"
              - "Authorization"
            allowedMethods:
              - GET
              - POST
              - PUT
              - DELETE
            allowedOrigins:
              - "https://your-domain.com"
            exposeHeaders:
              - "ETag"
            maxAgeSeconds: 3600

Lifecycle Management

Set up lifecycle rules to automatically manage object storage classes and deletion in the values.yaml. Every rule needs a filter (or the older prefix field) that selects the objects it applies to; an empty prefix applies the rule to the whole bucket:

apps:
  - name: lifecycle-managed-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: lifecycle-managed-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2
      lifecycle:
        rules:
          - id: transition-to-ia
            status: Enabled
            filter:
              prefix: ""   # every object in the bucket
            transitions:
              - days: 30
                storageClass: STANDARD_IA
              - days: 90
                storageClass: GLACIER
            expiration:
              days: 365

Bucket Encryption

Configure default server-side encryption for your bucket in the values.yaml. AES256 selects SSE-S3 with keys managed by S3; for data that needs key-level access control and audit logging, use sseAlgorithm: aws:kms together with kmsMasterKeyID set to the ARN of a customer managed KMS key. bucketKeyEnabled reduces KMS request cost and only has an effect with aws:kms:

apps:
  - name: encrypted-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: encrypted-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2
      encryption:
        rules:
          - applyServerSideEncryptionByDefault:
              sseAlgorithm: AES256   # SSE-S3; use aws:kms plus kmsMasterKeyID for a customer managed key
            bucketKeyEnabled: true   # sibling of applyServerSideEncryptionByDefault; only meaningful with aws:kms

Bucket Access Control

Public Access Block

Configure the public access block in the values.yaml. All four flags should be true: together they stop public ACLs and public bucket policies from being applied and ignore any that already exist, so a later policy mistake cannot expose the bucket. Note the key spelling (blockPublicACLs, ignorePublicACLs); a misspelled key is dropped silently and the bucket is created without that protection:

apps:
  - name: secure-portx-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: secure-portx-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2
      publicAccessBlock:
        blockPublicACLs: true
        blockPublicPolicy: true
        ignorePublicACLs: true
        restrictPublicBuckets: true

Bucket Policy

Apply custom bucket policies for fine-grained access control in the values.yaml. The policy is a JSON document passed to spec.policy as a single string (a YAML block scalar, |), and the Resource ARNs must name this bucket. Grant access to specific principals only; an Allow statement with Principal "*" makes the bucket public unless a Condition restricts it, and the public access block above will reject such a policy:

apps:
  - name: policy-controlled-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: policy-controlled-bucket-unique-name
      createBucketConfiguration:
        locationConstraint: us-west-2
      policy: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowSpecificUser",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-ID:user/specific-user"
              },
              "Action": [
                "s3:GetObject",
                "s3:PutObject"
              ],
              "Resource": "arn:aws:s3:::policy-controlled-bucket-unique-name/*"
            }
          ]
        }
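The following is an added example, not code from this page, the PortX platform or the ACK project. It renders the policy string that goes into spec.policy (the Allow statement above plus the standard AWS deny-non-TLS statement, so plain-HTTP requests are refused) and checks a policy string before it is committed: valid JSON, Resource ARNs that belong to the named bucket, and no Allow to every principal. The bucket name, principal ARN and the OPEN_POLICY_SAMPLE constant are placeholders constructed for the example.

```python
"""Render and sanity-check the JSON string for an ACK Bucket spec.policy.

Added example; the bucket name and principal ARN are placeholders.
"""
import json
from typing import Dict, List


def build_policy(bucket: str, principal_arn: str) -> Dict:
    """Policy document: the guide's Allow statement plus a TLS-only Deny."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSpecificUser",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"{bucket_arn}/*",
            },
            {
                # Applies to every principal, the bucket and all objects:
                # any request that did not arrive over TLS is refused.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def render_policy(bucket: str, principal_arn: str) -> str:
    """Serialise for the `policy: |` block scalar; spec.policy is a string."""
    return json.dumps(build_policy(bucket, principal_arn), indent=2)


def _as_list(value):
    """IAM allows a single string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def check_policy(policy_json: str, bucket: str) -> List[str]:
    """Return findings for a policy string; an empty list means it passes."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    findings: List[str] = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        # Every Resource must be this bucket or an object path inside it.
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: Resource {res} does not belong to bucket {bucket}")
        # An Allow to Principal "*" (or AWS: "*") grants access to everyone.
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if stmt.get("Effect") == "Allow" and wildcard:
            qualifier = "restricted only by its Condition" if "Condition" in stmt else "with no Condition"
            findings.append(f"{sid}: Allow to every principal {qualifier}")
    return findings


# Constructed sample of a policy that makes all objects world-readable.
OPEN_POLICY_SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    rendered = render_policy("policy-controlled-bucket-unique-name",
                             "arn:aws:iam::123456789012:user/specific-user")
    print(rendered)
    print(check_policy(rendered, "policy-controlled-bucket-unique-name"))   # []
    print(check_policy(OPEN_POLICY_SAMPLE, "example-bucket"))               # one finding
```

Paste the output of render_policy under the policy: | key with the same indentation as the other spec fields. Run check_policy over the committed string in CI; the page's own example passes, a wildcard Allow does not.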

Monitoring and Troubleshooting

Checking Bucket Status

Monitor your S3 bucket resources through the following methods:

  • Kubernetes: Inspect the Bucket resource; its ACK.ResourceSynced condition tells you whether the AWS-side configuration matches the spec, and the ACK.Terminal or ACK.Recoverable condition carries the AWS error when it does not
  • AWS Console: Check the S3 service in your PortX Integration Manager AWS console to verify bucket creation and configuration
  • Chart Deployment Logs: Review the deployment logs to ensure successful resource creation
  • AWS CLI: Use AWS CLI commands to verify bucket properties and status
# List all buckets in your AWS account
aws s3 ls

# Confirm the bucket exists and is reachable with your credentials
aws s3api head-bucket --bucket <bucket-name>

# Check the bucket region
aws s3api get-bucket-location --bucket <bucket-name>

# Read back the security settings rather than assuming they were applied
aws s3api get-public-access-block --bucket <bucket-name>
aws s3api get-bucket-encryption --bucket <bucket-name>
aws s3api get-bucket-versioning --bucket <bucket-name>

# Inspect the ACK resource and its status conditions
kubectl describe bucket <resource-name>

Common Issues and Solutions

Issue: Bucket Creation Failed

Symptoms: Bucket resource shows error status

Solutions:

  • Run kubectl describe bucket <resource-name> and read the ACK.Terminal and ACK.Recoverable conditions; their messages carry the AWS API error
  • Verify the controller's AWS credentials (the IAM role assumed through the cluster's OIDC provider) are working
  • Check that the bucket name is globally unique and follows the S3 naming rules
  • Ensure the controller's IAM role has the required S3 permissions
  • Review chart deployment logs for errors

Issue: Access Denied

Symptoms: Cannot perform operations on the bucket

Solutions:

  • Review the IAM policies of the caller and of the controller's role
  • Check bucket policies and ACLs; a Deny statement (for example the TLS-only deny) overrides any Allow
  • Verify public access block settings; they override any policy or ACL that would grant public access, which is the intended behaviour

Issue: Configuration Not Applied

Symptoms: Bucket exists but configuration changes not reflected

Solutions:

  • Check chart deployment logs
  • Verify values.yaml syntax and structure, including indentation under spec
  • Check field names against the ACK Bucket spec: the API server prunes unknown spec fields without an error, so a misspelled key (for example publicAccessBlockConfiguration instead of publicAccessBlock) produces a bucket without that setting. Render the chart and run kubectl apply --dry-run=server --validate=strict on the manifest to surface such keys before they reach the cluster
  • Confirm the Bucket resource reports ACK.ResourceSynced: True; while it is False the AWS side has not accepted the change

Best Practices

Security

  • Always enable all four public access block flags unless a bucket is specifically meant to be public
  • Use least-privilege IAM policies and bucket policies that name specific principals; never an unconditional Allow to "*"
  • Add a Deny statement for aws:SecureTransport false so the bucket only accepts TLS requests
  • Enable bucket versioning for important data so overwritten or deleted objects can be recovered
  • Configure default encryption; prefer SSE-KMS with a customer managed key where key-level access control or audit logging is required
  • Read the settings back from AWS after deployment instead of trusting the values file
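An added example, not code from this page, the PortX platform or the ACK project: a pre-merge lint that walks the apps array of a values.yaml and flags Bucket entries that violate the Public Access Block, Encryption, Versioning and CORS guidance above and the list in this section. It assumes the values.yaml layout shown in this guide and the ACK Bucket v1alpha1 field names; the SAMPLE_VALUES dictionary is a constructed, already-parsed values file with one hardened entry and one entry carrying the usual mistakes (invalid name, a misspelled public access block key that the API server would silently drop, no encryption or versioning, wildcard CORS origin).

```python
"""Pre-merge lint for ACK Bucket entries in a PortX-style values.yaml.

Added example. Assumes the `apps` list layout from this guide and the ACK
s3.services.k8s.aws/v1alpha1 Bucket spec field names.
"""
import re
from typing import Dict, List

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit, no "..", not an IPv4
# address, no "xn--" prefix and no "-s3alias" suffix.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# All four must be true for the bucket to be protected against public exposure.
PAB_FLAGS = ("blockPublicACLs", "blockPublicPolicy",
             "ignorePublicACLs", "restrictPublicBuckets")


def valid_bucket_name(name: str) -> bool:
    """Return True if `name` satisfies the S3 general-purpose bucket naming rules."""
    if not _NAME_RE.match(name) or ".." in name or _IPV4_RE.match(name):
        return False
    return not (name.startswith("xn--") or name.endswith("-s3alias"))


def lint_bucket(app: Dict) -> List[str]:
    """Return findings for one `apps` entry; an empty list means it passes."""
    findings: List[str] = []
    if app.get("kind") != "Bucket":
        return findings  # only Bucket resources are checked
    spec = app.get("spec") or {}
    name = spec.get("name", "")
    if not valid_bucket_name(name):
        findings.append(f"{name!r}: not a valid S3 bucket name")

    # A misspelled key is pruned by the API server, so a flag that is absent
    # from the spec is as bad as one set to false.
    pab = spec.get("publicAccessBlock") or {}
    for flag in PAB_FLAGS:
        if pab.get(flag) is not True:
            findings.append(f"{name}: publicAccessBlock.{flag} is not true")

    # Default encryption: SSE-S3 (AES256) or SSE-KMS with an explicit key.
    rules = (spec.get("encryption") or {}).get("rules") or []
    defaults = [r.get("applyServerSideEncryptionByDefault") or {} for r in rules]
    if not any(d.get("sseAlgorithm") in ("AES256", "aws:kms") for d in defaults):
        findings.append(f"{name}: no default server-side encryption rule")
    for d in defaults:
        if d.get("sseAlgorithm") == "aws:kms" and not d.get("kmsMasterKeyID"):
            findings.append(f"{name}: aws:kms without kmsMasterKeyID (AWS managed key is used)")

    if (spec.get("versioning") or {}).get("status") != "Enabled":
        findings.append(f"{name}: versioning is not Enabled")

    # A wildcard CORS origin lets any web page issue requests to the bucket.
    for rule in (spec.get("cors") or {}).get("corsRules") or []:
        if "*" in (rule.get("allowedOrigins") or []):
            findings.append(f"{name}: CORS rule allows origin '*'")
    return findings


def lint_values(values: Dict) -> Dict[str, List[str]]:
    """Lint every entry of the `apps` array; returns {app name: findings}."""
    return {app.get("name", "?"): lint_bucket(app) for app in values.get("apps") or []}


def load_values(path: str) -> Dict:
    """Parse a values.yaml; PyYAML is imported here so the lint itself stays dependency-free."""
    import yaml  # type: ignore
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample: the parsed form of two values.yaml entries.
SAMPLE_VALUES = {"apps": [
    {"name": "good", "apiVersion": "s3.services.k8s.aws/v1alpha1", "kind": "Bucket",
     "spec": {"name": "portx-prod-data-2025",
              "publicAccessBlock": {flag: True for flag in PAB_FLAGS},
              "encryption": {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]},
              "versioning": {"status": "Enabled"},
              "cors": {"corsRules": [{"allowedOrigins": ["https://app.example.com"], "allowedMethods": ["GET"]}]}}},
    {"name": "bad", "apiVersion": "s3.services.k8s.aws/v1alpha1", "kind": "Bucket",
     "spec": {"name": "Portx_Prod",
              "publicAccessBlock": {"blockPublicAcls": True,  # wrong case: silently dropped
                                    "blockPublicPolicy": True, "ignorePublicACLs": True,
                                    "restrictPublicBuckets": True},
              "cors": {"corsRules": [{"allowedOrigins": ["*"], "allowedMethods": ["GET"]}]}}},
]}

if __name__ == "__main__":
    for app_name, found in lint_values(SAMPLE_VALUES).items():
        print(app_name, "OK" if not found else "\n  " + "\n  ".join(found))
```

Wire lint_values(load_values("values.yaml")) into the GitOps repository's pre-commit or pipeline step and fail the run on any non-empty finding list; the cost of a false positive is one review comment, the cost of a pruned publicAccessBlock key is a bucket that can be made public.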

Naming Conventions

  • Use descriptive, consistent bucket names
  • Include environment indicators (dev, staging, prod)
  • Follow organizational naming standards
  • Ensure global uniqueness

Resource Management

  • Use namespaces to organize bucket resources
  • Tag buckets appropriately for cost tracking
  • Implement lifecycle policies to manage costs
  • Regular monitoring and cleanup

Configuration Management

  • Store bucket configurations in version control
  • Use GitOps practices for deployment
  • Test configurations in non-production environments
  • Document custom policies and configurations

Example: Complete Bucket Configuration

Here's a comprehensive example combining multiple features in the values.yaml format:

## Config for ack deployment
apps:
  - name: production-data-bucket
    apiVersion: "s3.services.k8s.aws/v1alpha1"
    kind: "Bucket"
    spec:
      name: portx-production-data-bucket-2025
      createBucketConfiguration:
        locationConstraint: us-west-2

      # Security configuration: all four flags, or the bucket can still be made public
      publicAccessBlock:
        blockPublicACLs: true
        blockPublicPolicy: true
        ignorePublicACLs: true
        restrictPublicBuckets: true

      # Encryption (SSE-S3; switch to aws:kms with kmsMasterKeyID for a customer managed key)
      encryption:
        rules:
          - applyServerSideEncryptionByDefault:
              sseAlgorithm: AES256
            bucketKeyEnabled: true   # only has an effect with aws:kms

      # Versioning
      versioning:
        status: Enabled

      # Lifecycle management
      lifecycle:
        rules:
          - id: optimize-storage
            status: Enabled
            filter:
              prefix: ""   # every object in the bucket
            transitions:
              - days: 30
                storageClass: STANDARD_IA
              - days: 90
                storageClass: GLACIER
              - days: 365
                storageClass: DEEP_ARCHIVE
            noncurrentVersionExpiration:
              noncurrentDays: 90

      # CORS for web applications, limited to the application's own origin
      cors:
        corsRules:
          - allowedHeaders:
              - "*"
            allowedMethods:
              - GET
              - POST
            allowedOrigins:
              - "https://app.portx.io"
            maxAgeSeconds: 3600

This guide provides a comprehensive overview of managing S3 buckets using ACK on the PortX Integration Manager Platform. For additional support or advanced configurations, consult the AWS ACK documentation or contact your platform administrator.