Self-hosting Novu
Object Storage (S3, Blob, GCS)
Using S3 as a storage backend for your application
For local development we use LocalStack.cloud. It is utilized as a local emulation of S3 during development.
This might be beneficial for testing and development purposes before transitioning to actual S3 service like in a production environment.
AWS S3
Configuration
AWS S3 requires the following environment variables to be set:
- S3_REGION:
- S3_LOCAL_STACK (optional): S3 endpoint to connect to, leave blank if your connecting directly to AWS
- S3_BUCKET_NAME: Name of the bucket to use
- STORAGE_SERVICE: Name of the storage service to use, ‘AWS’ or ‘LOCALSTACK’ for S3.
Bucket Configuration
In general, access to the S3 bucket is very permissive.
The following process is used to manage access to the S3 bucket.
General design:
- public read access (for logo and email attachments—all data is open for read to anyone)
- write access is via pre-signed url (client-side PUT to S3 after server-side request)
- private write access (get, put, delete)
- objects are written with organisationIdTenancy/objectId (at least for brand logos)
Specifics for access:
- CORS access on bucket (this is documented)
- bucket object do not need versioning (as all uploads are deemed unique)
- ACL on buckets is ‘public-read’ (as part of the pre-signed URLs)
- image uploads (as pre-signed) could also have rules to limit (DENY policy) on extension types (although UI also does this but leaves open a vector)
- AWS (specific): ensure that Allow owenership controls is ‘BucketOwnerPreferred’ to allow ACL access (rather than role/user) (ie PutObjectAcl)
Example Terraform
Azure Blob Storage Configuration
Configuration
Azure Blob Storage requires the following environment variables to be set:
Required
- STORAGE_SERVICE: Name of the storage service to use, ‘AZURE’ Azure Blob.
- AZURE_CONTAINER_NAME: The name of the container in your Azure Storage account that you wish to use for your blob storage.
- AZURE_ACCOUNT_NAME: The name of your Azure Storage account. This is used to form the URL at which your blob storage is accessible.
- AZURE_ACCOUNT_KEY: The access key for your Azure Storage account. This is used to authenticate requests made against your blob storage.
- AZURE_HOST_NAME: The host name of your Azure Storage account . This is used to form the URL at which your blob storage is accessible. Ref.
Bucket Configuration
TBD
Google Cloud Storage Configuration
Configuration
Google Cloud Storage requires the following environment variables to be set:
GCS_BUCKET_NAME
: Name of the bucket to use.GOOGLE_APPLICATION_CREDENTIALS
: Path to the service account key file.STORAGE_SERVICE
: Name of the storage service to use, ‘GCS’ for Google Cloud Storage.
Bucket Configuration
TBD
Was this page helpful?