Back to blog
Modern test automation reporting tools like ReportPortal often require a reliable, scalable storage backend to handle artifacts, logs, and attachments. Amazon S3 is an excellent choice: it’s cost-effective, highly available, and integrates seamlessly with AWS IAM for secure access. Below is a concise overview of how to configure ReportPortal to use S3 as its storage layer in two common deployment scenarios—Kubernetes on EKS (using IAM Roles for Service Accounts) and Docker on an EC2 instance (using an instance profile).
Brief Summary
Set up an S3 bucket where ReportPortal will store all data (e.g., attachments, screenshots, logs).
Create an IAM role that grants read/write access to that bucket.
For EKS: configure a trust policy allowing a specific Kubernetes service account (via the cluster’s OIDC provider) to assume the role.
For EC2: attach the role as an instance profile so the Docker containers inherit its permissions from the instance metadata.
Deploy ReportPortal using either:
Kubernetes on EKS (IRSA — IAM Roles for Service Accounts): annotate the ReportPortal service account with the new role’s ARN so pods retrieve temporary credentials automatically.
Docker on EC2: configure environment variables in the docker-compose.yml so the SDK picks up credentials from the instance profile without specifying access keys.
By following these steps, ReportPortal will read and write directly to S3—eliminating the need for MinIO (its default local storage) and leveraging AWS’s managed storage infrastructure.
Core Points
1. Create an S3 Bucket
Command (us-east-1):
aws s3api create-bucket --bucket my-rp-bucket --region us-east-1If your region isn’t us-east-1, add:
--create-bucket-configuration LocationConstraint=<region>Ensure the bucket name (e.g., my-rp-bucket) follows AWS naming rules.
2. Define and Create the IAM Role
a. Trust Policy (for EKS/IRSA)
Create a file named trust-policy.json with content similar to:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/OIDC_ID" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "oidc.eks.REGION.amazonaws.com/id/OIDC_ID:aud": "sts.amazonaws.com", "oidc.eks.REGION.amazonaws.com/id/OIDC_ID:sub": "system:serviceaccount:NAMESPACE:SA_NAME" } } } ] }Replace placeholders:
ACCOUNT_ID: your AWS account number
REGION: EKS cluster region (e.g., us-east-1)
OIDC_ID: the unique OIDC identifier for your cluster
NAMESPACE: Kubernetes namespace (e.g., default or a custom namespace)
SA_NAME: name of the service account you’ll create for ReportPortal (e.g., reportportal)
Create the role:
aws iam create-role \ --role-name my-rp-s3-role \ --assume-role-policy-document file://trust-policy.json
b. Permissions Policy
Save this as s3-rw-policy.json (grant Listing, GetBucketLocation, GetObject, PutObject, DeleteObject):
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListAndLocation", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::my-rp-bucket" }, { "Sid": "AllowObjectOpsAnywhere", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::my-rp-bucket/*" } ] }Attach to the role:
aws iam put-role-policy \ --role-name my-rp-s3-role \ --policy-name S3AccessPolicy \ --policy-document file://s3-rw-policy.json
3. Kubernetes on EKS (IRSA)
Ensure prerequisites:
EKS cluster version ≥ 1.28
OIDC provider enabled (follow AWS guide)
Configure ReportPortal’s Helm values.yaml:
global: serviceAccount: create: true name: reportportal annotations: eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/my-rp-s3-role" storage: type: s3 accesskey: "" secretkey: "" region: "us-standard" bucket: type: single bucketDefaultName: "my-rp-bucket" minio: enable: falseWhen using IRSA (IAM Roles for Service Accounts), access and secret keys are not required—they should remain empty.
The region name "us-standard" is used by JClouds as an alias for AWS region us-east-1.
MinIO, a local S3-compatible storage service, is turned off since an external S3 bucket is being used instead.
Install or upgrade ReportPortal with Helm:
This ensures pods assume the IAM role and communicate with S3 directly.helm install my-reportportal \ --namespace reportportal-namespace \ --set uat.superadminInitPasswd.password="MyPassword" \ -f values.yaml \ reportportal/reportportal
4. Docker on EC2 (Instance Profile)
Attach the IAM role to your EC2 instance as an instance profile:
If launching a new instance, select or create an IAM role with the same my-rp-s3-role attached.
For an existing instance, follow AWS docs to associate the role.
By leaving DATASTORE_ACCESSKEY blank, the AWS SDK (DefaultCredentialsProvider) automatically pulls temporary credentials from IMDS.
Prepare docker-compose.yml for ReportPortal to use S3: Here’s a minimal example so ReportPortal knows to use S3. We leave DATASTORE_ACCESSKEY and DATASTORE_SECRETKEY blank so the SDK picks up the IAM role automatically:
The region us-standard is a JClouds alias for AWS region us-east-1.version: '3.8' services: reportportal: image: reportportal/reportportal:latest environment: RP_FEATURE_FLAGS: singleBucket DATASTORE_TYPE: s3 DATASTORE_REGION: us-standard DATASTORE_ACCESSKEY: "" DATASTORE_SECRETKEY: "" DATASTORE_DEFAULTBUCKETNAME: my-rp-bucket UAT_SUPERADMIN_INIT_PASSWORD: YourStrongPassword ports: - "8080:8080" networks: - rp-network networks: rp-network: driver: bridgeLaunch ReportPortal:
docker-compose -p reportportal up -d
Key Benefits & Takeaways
Security best practices:
Neither AWS access keys nor secrets are stored in plain text.
Pods (via IRSA) or containers (via instance profile) assume temporary credentials that automatically rotate.
Flexibility:
Same IAM role can be used in multiple contexts (EKS, EC2, Lambda, etc.), as long as the trust policy is configured.
Scalability:
S3 can handle unlimited data, and you only pay for what you store and transfer.
Minimal configuration changes:
ReportPortal’s Helm chart and Docker Compose only require toggling off MinIO, switching to S3, and supplying the bucket name and region.
Switching ReportPortal’s storage backend from its default MinIO to Amazon S3 is straightforward and aligns with AWS best practices. By creating a dedicated S3 bucket and a properly scoped IAM role, you can grant read/write access without embedding credentials. In Kubernetes on EKS, leverage IAM Roles for Service Accounts (IRSA) to keep your pods secure and ephemeral. In Docker-on-EC2 scenarios, attach the IAM role to the instance so containers automatically receive valid credentials via the EC2 metadata service. Either way, your test reports, attachments, and logs will live in S3—ensuring durability, availability, and easier lifecycle management.