Add Object Storage
Create a Tigris Storage Bucket
fly storage create
? Select Organization: fly-ephemeral (fly-ephemeral)
? Choose a name, use the default, or leave blank to generate one:
Your project (summer-grass-2004) is ready.
Set one or more of the following secrets on your target app.
BUCKET_NAME: summer-grass-2004
AWS_ENDPOINT_URL_S3: https://fly.storage.tigris.dev
AWS_ACCESS_KEY_ID: tid_xxxxxx
AWS_SECRET_ACCESS_KEY: tsec_xxxxxx
Public buckets
By default, buckets are private. If you need to serve public assets like images or JavaScript files, create a public bucket:
fly storage create --public
You can also make a public bucket private.
fly storage update mybucket --private
Objects in a public bucket can be accessed by anyone without authentication. Public content is served from dedicated domains using the bucket name as a subdomain:
https://mybucket.t3.tigrisfiles.io/key-name (primary)
https://mybucket.t3.tigrisbucket.io/key-name
https://mybucket.t3.tigrisblob.io/key-name
No credentials or pre-signed URLs are needed. For production use, we recommend setting up a custom domain so your public URLs stay stable:
flyctl storage update mybucket --custom-domain assets.example.com
Then create a CNAME record for assets.example.com pointing to mybucket.t3.tigrisbucket.io. See the Tigris Custom Domain docs for full setup instructions and the Tigris Public Bucket docs for details on all available public domains.
Object Level Access Control
By default, all objects inherit the access control settings of the bucket they are in. If a bucket is private, all objects in it are also private, and vice versa. However, you can make individual objects in a bucket public-read (or private) by setting an object-level ACL on them. This lets you serve a public object from an otherwise private bucket, or a private object from an otherwise public bucket. For details on how to set this up, see the Tigris Object ACL docs.
To verify that everything has gone well, we can check whether the appropriate secrets have been set for our app:
fly secrets list
Connecting to the Bucket
The de facto library for interacting with S3 storage is boto3. Let’s add it to the project:
poetry add boto3
Now we can initialize the client:
import os
import boto3

S3_URL = os.getenv("AWS_ENDPOINT_URL_S3")
svc = boto3.client('s3', endpoint_url=S3_URL)
The AWS credentials will be automatically extracted from the environment.
Let’s plug that into our app:
@app.get("/")
async def read_root():
    buckets = svc.list_buckets()
    return {"buckets": [bucket["Name"] for bucket in buckets["Buckets"]]}
At this point you can interact with the bucket through the boto3 interface; refer to the docs for all the possibilities.
When you re-deploy your app you should see a list of the buckets you have access to:
fly deploy
Take a look at the gist of this setup to get a full picture.
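Because an object-level ACL can make a single object public inside an otherwise private bucket (see Object Level Access Control above), it is worth checking periodically which objects carry such a grant. The following is an added example, not part of the original page or of Fly's or Tigris's code. It assumes ACLs are returned in the standard S3 GetObjectAcl shape with the AllUsers group URI; public_grants, audit_bucket, FakeS3 and the sample keys are constructed for illustration.

```python
# Added example: flag objects whose object-level ACL makes them public.
# Assumption: ACLs use the standard S3 GetObjectAcl shape and AllUsers URI.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def public_grants(acl):
    """Permissions that an ACL response grants to everyone (AllUsers)."""
    return sorted(g.get("Permission", "") for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") == ALL_USERS)


def audit_bucket(client, bucket, expected_public=frozenset()):
    """Return [(key, permissions)] for public objects not on the allow-list."""
    unexpected, kwargs = [], {"Bucket": bucket}
    while True:  # follow pagination so large buckets are fully covered
        page = client.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            key = obj["Key"]
            perms = public_grants(client.get_object_acl(Bucket=bucket, Key=key))
            if perms and key not in expected_public:
                unexpected.append((key, perms))
        if not page.get("IsTruncated"):
            return unexpected
        kwargs["ContinuationToken"] = page["NextContinuationToken"]


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the audit runs offline."""

    def __init__(self, acls, page_size=2):
        self.acls, self.page_size = acls, page_size

    def list_objects_v2(self, Bucket, ContinuationToken="0"):
        keys, start = sorted(self.acls), int(ContinuationToken)
        end = start + self.page_size
        page = {"Contents": [{"Key": k} for k in keys[start:end]],
                "IsTruncated": end < len(keys)}
        if page["IsTruncated"]:
            page["NextContinuationToken"] = str(end)
        return page

    def get_object_acl(self, Bucket, Key):
        return {"Grants": self.acls[Key]}


# Constructed sample: two public-read objects, only logo.png is intended.
PUBLIC_READ = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
SAMPLE = FakeS3({"logo.png": PUBLIC_READ, "backup.sql": PUBLIC_READ,
                 "notes.txt": [], "report.pdf": []})
```

Against a real bucket, pass the svc client from above and the BUCKET_NAME value in place of SAMPLE, with the set of keys you intend to be public as the allow-list. This inspects only object-level grants; objects in a bucket created with --public are public through the bucket setting itself.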