Prerequisites
-
New Parseable cluster requires a fully empty S3 bucket.
-
For optimum performance, please ensure the S3 bucket is in the same region as the compute (EC2, EKS, ECS, Lightsail or others) instances.
Authentication
Parseable supports authentication to S3 via
-
Access Key and Secret Key: The AWS access key and the secret key can be used to authenticate to AWS S3 bucket. To use this method, set the environment variables
P_S3_ACCESS_KEY
andP_S3_SECRET_KEY
before starting the Parseable server(s). -
Instance Metadata Service (IMDS): For Parseable instances running on EC2, AWS credentials can be sourced from the Instance Metadata Service (IMDS), avoiding the need for explicit
P_S3_ACCESS_KEY
andP_S3_SECRET_KEY
. To use this method,-
Ensure that
Instance Metadata Service (IMDS)
is enabled when creating the EC2 instance (under Advanced details section). Select the Metadata version toV1 and V2 (token optional)
. Please refer to the metadata service docs for more. You setP_AWS_IMDSV1_FALLBACK
totrue
if you want to use theV1
method. -
By default, Parseable uses the standard AWS metadata endpoint. If you’re using a custom metadata endpoint, add the optional environment variable
P_AWS_METADATA_ENDPOINT
to specify a custom endpoint URL for retrieving instance metadata.
-
-
IAM Roles for Service Accounts (IRSA): This is useful for EKS deployments. With IRSA you can associate an IAM role with a Kubernetes service account and configure Parseable to use the service account. To use this method, refer to Parseable EKS documentation.
SSE-C Support
Parseable supports server side encryption for AWS S3 with customer provided encryption keys (SSE-C). With SSE-C, you can store your data encrypted with your own encryption keys. Amazon S3 or a compatible service like MinIO manages data encryption and decryption transparently.
Note that SSE-C requires HTTPS and Amazon S3 or compatible service might reject any requests made over HTTP when using SSE-C.
Setting up
The encryption key must be a 256-bit key for AES-256 encryption. To add SSE-C encryption key, add the environment variable P_S3_SSEC_ENCRYPTION_KEY
before starting the server. The value should be in the format - SSE-C:AES256:<base64_encryption_key>
. Here is example of adding the SSE-C encryption key to Parseable
Generate a 256-bit AES key and Base64
encode it
ENCRYPTION_KEY=$(openssl rand -base64 32)
echo "Encryption Key: $ENCRYPTION_KEY"
Add the Base64
encoded encryption key to the environment variable
P_S3_SSEC_ENCRYPTION_KEY=SSE-C:AES256:$ENCRYPTION_KEY
For distributed deployments, the environment variable P_S3_SSEC_ENCRYPTION_KEY
needs to be set for Query as well as Ingestor nodes.
If you lose the encryption key, you’ll lose access to the log data. Hence, we recommend secure storage for the encryption key such as AWS Secrets Manager or similar.