S3 Cloud Storage
Access and Secret Keys authentication
Docker-based
ReportPortal supports cloud storage options through the Java library JCLOUDS.
To configure storage using Amazon S3, ReportPortal uses the following environment variables for the services API, Jobs, and Authorization:
RP_FEATURE_FLAGS: singleBucket # Enable single-bucket storage (recommended)
DATASTORE_TYPE: s3
DATASTORE_REGION: us-standard # Region of the bucket (JCloud ref. to `us-east-1`)
DATASTORE_ACCESSKEY: <access_key>
DATASTORE_SECRETKEY: <secret_key>
DATASTORE_DEFAULTBUCKETNAME: my-bucket # Name of the bucket
IAM Role-based authentication
Amazon EKS-based
1. S3 Bucket
Create an Amazon S3 bucket to store your data. Replace my-rp-bucket with a unique bucket name and specify the desired AWS region.
aws s3api create-bucket --bucket my-rp-bucket --region us-east-1
To create a bucket outside of the
us-east-1region, add the following flag:--create-bucket-configuration LocationConstraint=<region>, replacing<region>with your desired AWS region.
Ensure that the bucket name adheres to Amazon S3 bucket naming rules.
2. AWS IAM Role
To enable secure access to your S3 bucket, you need to create an AWS IAM role with the appropriate trust and permissions policies.
Step 1: Define the Trust Policy
The trust policy specifies which AWS service or entity is allowed to assume the role. Save the following JSON content to a file named trust-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/OIDC_ID"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.REGION.amazonaws.com/id/OIDC_ID:aud": "sts.amazonaws.com",
"oidc.eks.REGION.amazonaws.com/id/OIDC_ID:sub": "system:serviceaccount:NAMESPACE:reportportal"
}
}
}
]
}
Replace the placeholders with the appropriate values:
ACCOUNT_ID: Your AWS account ID.REGION: The AWS region where your EKS cluster is deployed.OIDC_ID: The unique identifier of your OIDC provider. How to create an IAM OIDC provider for your clusterNAMESPACE: The Kubernetes namespace of the service account.reportportal: The name of the Kubernetes service account.
This trust policy ensures that only the specified Kubernetes service account can assume the IAM role via the OIDC provider.
Step 2: Create the IAM Role
Use the AWS CLI to create the IAM role with the trust policy:
aws iam create-role --role-name my-rp-s3-role \
--assume-role-policy-document file://trust-policy.json
Step 3: Define the Permissions Policy
The permissions policy specifies the actions the IAM role can perform on the S3 bucket. Save the following JSON content to a file named s3-rw-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListAndLocation",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::my-rp-bucket"
},
{
"Sid": "AllowObjectOpsAnywhere",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::my-rp-bucket/*"
}
]
}
Step 4: Attach the Permissions Policy
Attach the permissions policy to the IAM role using the AWS CLI:
aws iam put-role-policy --role-name my-rp-s3-role \
--policy-name S3AccessPolicy \
--policy-document file://s3-rw-policy.json
By completing these steps, the IAM role will have the necessary permissions to interact with the specified S3 bucket securely.
3. EKS-based Installation
To grant a Kubernetes pod on EKS read/write access to S3, use IAM Roles for Service Accounts (IRSA). This approach issues temporary credentials by having the pod assume an IAM role via OIDC
Update the values.yaml file with the appropriate storage configuration:
# Activate Service Account for the ReportPortal application
global:
serviceAccount:
create: true
name: reportportal
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/my-rp-s3-role"
storage:
# Ref.: https://reportportal.io/docs/installation-steps-advanced/file-storage-options/
type: s3
# Leave `accesskey` and `secretkey` empty for IAM role-based access
accesskey:
secretkey:
# Specify the AWS region. Ref.: https://jclouds.apache.org/reference/javadoc/2.6.x/org/jclouds/aws/domain/Region.html
region: "us-standard" # JCloud ref. to `us-east-1`
bucket:
type: single
bucketDefaultName: "my-rp-bucket" # Bucket created from step 1
# Disable the MinIO dependency
minio:
enable: false
Install ReportPortal using Helm:
helm install my-release \
--set uat.superadminInitPasswd.password="MyPassword" \
-f values.yaml \
reportportal/reportportal
This configuration ensures that ReportPortal uses Amazon S3 for storage with IAM role-based access, while disabling the default MinIO dependency.
EC2 Docker-based
1. S3 Bucket
Create an Amazon S3 bucket to store ReportPortal data:
aws s3api create-bucket --bucket my-rp-docker-bucket --region us-east-1
💡 To create a bucket outside
us-east-1, add the following option:--create-bucket-configuration LocationConstraint=<region>
Ensure your bucket name complies with S3 bucket naming rules.
2. AWS IAM Role
The IAM role enables the EC2 instance to assume identity and access S3 using instance metadata.
Step 1: Define the Trust Policy
Save the following to a file named trust-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
}
}
]
}
Step 2: Create the IAM Role
Create the role using the trust policy:
aws iam create-role --role-name my-ec2-rp-s3-role \
--assume-role-policy-document file://trust-policy.json
Step 3: Define the Permissions Policy
Save the following to s3-rw-policy.json, replacing my-rp-docker-bucket with your bucket name:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListAndLocation",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::my-rp-docker-bucket"
},
{
"Sid": "AllowObjectOpsAnywhere",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::my-rp-docker-bucket/*"
}
]
}
Step 4: Attach the Permissions Policy
Attach the inline policy to the role:
aws iam put-role-policy --role-name my-ec2-rp-s3-role \
--policy-name S3AccessPolicy \
--policy-document file://s3-rw-policy.json
3. IAM Instance Profile
Step 1: Create an Instance Profile
aws iam create-instance-profile --instance-profile-name my-ec2-rp-s3-profile
Step 2: Attach the Role to the Instance Profile
aws iam add-role-to-instance-profile \
--instance-profile-name my-ec2-rp-s3-profile \
--role-name my-ec2-rp-s3-role
Step 3: Associate the Profile with the EC2 Instance
Replace INSTANCE_ID with your EC2 instance ID:
aws ec2 associate-iam-instance-profile \
--region us-east-1 \
--instance-id <INSTANCE_ID> \
--iam-instance-profile Name=my-ec2-rp-s3-profile
Step 4: Enable Instance Metadata Access
To allow a Docker container to access IMDSv2 metadata, you must increase the instance metadata service (IMDS) hop limit in the EC2 instance configuration:
aws ec2 modify-instance-metadata-options \
--instance-id <INSTANCE_ID> \
--http-put-response-hop-limit 2 \
--http-endpoint enabled \
--region us-east-1
Ref.: Access instance metadata for an EC2 instance (AWS Docs)
4. ReportPortal Configuration
In your docker-compose.yml, configure ReportPortal to use IAM-based S3 access:
x-environment: &common-environment
# IAM Role-Based S3 Access - Leave credentials empty
DATASTORE_ACCESSKEY: ""
DATASTORE_SECRETKEY: ""
DATASTORE_TYPE: s3
DATASTORE_REGION: us-standard # JClouds alias for us-east-1
DATASTORE_DEFAULTBUCKETNAME: my-rp-docker-bucket
For full configuration options, see the ReportPortal S3 integration guide.
5. Docker-Based Installation
Launch ReportPortal with Docker Compose:
docker-compose -p reportportal up -d --force-recreate
This step brings up all ReportPortal services configured to use S3 as the storage backend with IAM role-based credentials via EC2 instance metadata.