Vaulthalla Logo

S3 Gateway Administration

Manage S3 Gateway service status, credentials, bucket bindings, budgets, and client snippets from the web console or CLI.

S3 Gateway Administration

S3 Gateway is documented as a top-level protocol surface in S3 Gateway. This administration page focuses on the management workflows operators use after deciding to expose Vaulthalla vaults to downstream S3 clients.

Web Console

Navigate to Admin -> S3 Gateway.

Operators can use the page to:

  • Check service status, readiness, configured endpoint, and request counters.
  • Create gateway credentials for downstream S3 clients.
  • Copy the secret access key immediately after creation; it is shown only once.
  • Choose user_access, vault_allowlist, or global scope.
  • Edit credential scope, expiry, description, local/cache budget enforcement, default gateway vault role, selected vaults, per-vault role exceptions, and path overrides.
  • Create local gateway buckets and bind existing local or S3/R2 vaults.
  • Save, disable, inspect, and troubleshoot gateway key and key/vault budgets.
  • Review recent budget ledger rows and budget status.
  • Copy client snippets for AWS CLI and MinIO mc.

Use Credentials And Scopes, Buckets, and Cost Controls for the full model behind these controls.

Gateway authorization is RBAC-native: the principal user's Vaulthalla RBAC is always the ceiling. user_access uses only that principal RBAC. vault_allowlist uses selected vaults plus a key-level default vault role, default overrides, and optional per-vault exceptions. global covers gateway bucket bindings but still requires a key-level default vault role. Assigning a gateway credential to a principal other than the actor requires admin.s3_gateway.assign_principal. Local gateway bucket creation remains self-service for the actor when they have normal vault-create permission for themselves; creating for another owner requires S3 Gateway bucket-management authority plus vault-create authority for that owner.

CLI Equivalents

Service:

1vh s3-gateway status2vh s3-gateway enable3vh s3-gateway disable

Credentials:

1vh s3-gateway creds create laptop --json2vh s3-gateway creds list3vh s3-gateway creds revoke VH...4vh s3-gateway creds scope backup show5vh s3-gateway creds scope backup set --scope vault-allowlist --default-role reader --selected-vault archive6vh s3-gateway creds role assign backup --vault archive --role contributor7vh s3-gateway creds role override add backup --vault archive --pattern "/private/*" --permission download --effect deny8vh s3-gateway creds role override list backup --vault archive9vh s3-gateway creds role override remove backup --vault archive 4210vh s3-gateway creds role revoke backup --vault archive

vh s3-gateway creds scope allow-vault and boolean create flags remain compatibility shorthand only. They are converted into selected vaults, an inferred default role, and per-vault exceptions only when needed.

Buckets:

1vh s3-gateway bucket list2vh s3-gateway bucket bind photos --vault 12 --mode local3vh s3-gateway bucket create-local archive4vh s3-gateway bucket create-remote-cache edge --api-key r2-main --upstream-bucket origin --encrypt5vh s3-gateway bucket backfill archive

Bucket bindings are routing: downstream bucket name -> Vaulthalla vault. They do not grant access to gateway credentials.

Budgets:

1vh s3-gateway budget set-key backup --monthly 5 --mode enforce --currency USD2vh s3-gateway budget set-key-vault backup --vault archive --monthly 2 --mode enforce3vh s3-gateway budget list --key backup4vh s3-gateway budget disable-key backup5vh s3-gateway budget disable-key-vault backup --vault archive6vh s3-gateway budget status --key backup7vh s3-gateway budget ledger --key backup --limit 50
  • S3 Gateway Setup covers service enablement, direct listener access, managed Nginx S3-domain endpoints, and path-style SigV4 behavior.
  • S3 Gateway Clients shows AWS CLI, rclone, and MinIO mc examples for downstream S3 access.
  • S3 Gateway Semantics explains LIST, HEAD, GET, PUT, DELETE, ETags, multipart uploads, backfill, and limitations.