Advanced AWS S3 bucket setup
Before you can add buckets to Nebbl, you need to create them with your cloud storage provider. Here are detailed instructions for the Amazon AWS S3 service. Similar principles apply to other S3-compatible object storage services. You can also read the general guidelines for S3-compatible object storage in this article.
Creating an AWS S3 bucket
Our task is to get 5 credential items for our bucket, which are:
- Bucket name
- Region
- Endpoint
- Access key
- Secret key
Creating an Amazon AWS account and activating the S3 service
Go to https://aws.amazon.com/s3 and sign up for an account if you haven't already.
After registering and activating the account, in your AWS management console simply search for S3 in the search bar:
[Screenshot: AWS account Overview page]
Click on the S3 service in the search results:
[Screenshot: AWS console search results - S3]
The Create bucket page will open; click Create bucket.
[Screenshot: AWS S3 Overview page]
Enter your bucket name. For our purposes we choose nebbl-bucket as the name. This will be the first of our 5 credentials, please note it down.
[Screenshot: AWS S3 Create a Bucket page]
Scroll down to the Block all public access section and uncheck the box. Check the box for I acknowledge that the current settings will block all public access to this bucket. This is needed temporarily to set up the bucket for Nebbl and will be changed later.
[Screenshot: AWS S3 Create a Bucket page - Block all public access]
Leave all other settings unchanged and click the Create bucket button at the bottom:
[Screenshot: AWS S3 Create a Bucket page - Create bucket]
Getting the Region and Endpoint values
After the bucket is created you'll see it on the Buckets page. Please note down the Region value (eu-north-1 in our case), it will be the second of our 5 credentials:
[Screenshot: AWS S3 Buckets page]
Now we can also get the Endpoint value.
For AWS S3 buckets you simply need to insert the region name instead of REGION in the following pattern:
https://s3.REGION.amazonaws.com
For example, if your region is us-east-1, your endpoint will be https://s3.us-east-1.amazonaws.com. Please note it down, it is the third credential from our list.
Changing bucket settings
Now we need to change some settings for the bucket, so click on the bucket name to open its page and then click the Permissions tab:
[Screenshot: AWS S3 Bucket page]
Setting the bucket policy
Scroll down to the Bucket Policy section and click the Edit button.
[Screenshot: AWS S3 Bucket page - Permissions tab]
Add this policy JSON, replacing BUCKET_NAME both times with your new bucket name:
{
  "Version": "2012-10-17",
  "Id": "Policy1715955038945",
  "Statement": [
    {
      "Sid": "Stmt1715955035474",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
So it would look like this:
[Screenshot: AWS S3 Bucket Policy page - Edit bucket policy]
Click Save changes in the bottom-right.
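An added example, not part of the original guide or of Nebbl's code: the policy above allows every principal every S3 action, so whether the bucket is exposed depends entirely on the Block all public access setting. This Python check flags such statements in a policy document; the scoped policy it is compared against, with its ACCOUNT_ID, USER_NAME and action list, is a constructed placeholder and not something Nebbl documents.

```python
import json

def _as_list(value):
    """Policy fields accept either a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True when the Principal element matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_policy(policy_json):
    """Return (sid, finding) pairs for risky Allow statements."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "anonymous principal without Condition"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "wildcard action"))
    return findings

# The policy from this guide, with BUCKET_NAME left as the placeholder.
GUIDE_POLICY = """{"Version": "2012-10-17", "Id": "Policy1715955038945",
  "Statement": [{"Sid": "Stmt1715955035474", "Effect": "Allow",
  "Principal": "*", "Action": "s3:*",
  "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"]}]}"""

# Constructed alternative: ACCOUNT_ID, USER_NAME and the action list are
# assumptions for illustration, not requirements documented by Nebbl.
SCOPED_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "ScopedExample", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:user/USER_NAME"},
  "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
             "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"]}]}"""

if __name__ == "__main__":
    for name, doc in (("guide", GUIDE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc))
```

The guide's policy produces both findings and the scoped one produces none; test any narrowed policy against the operations you actually use in Nebbl before relying on it.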
Setting the CORS policy
On the same Permissions tab, scroll down to the Cross-origin resource sharing (CORS) section and click the Edit button.
[Screenshot: AWS S3 bucket Settings page - CORS section]
CORS settings for general buckets
If you don't need zero-knowledge mode, you can go with a narrower CORS policy.
Paste the following snippet in the text field:
[
  {
    "AllowedOrigins": [
      "https://nebbl.com"
    ],
    "AllowedMethods": [
      "GET",
      "PUT"
    ],
    "AllowedHeaders": [
      "Origin",
      "Content-Type",
      "Cache-Control",
      "Pragma",
      "Expires",
      "X-Requested-With",
      "X-Content-Type-Options"
    ],
    "ExposeHeaders": [
      "ETag"
    ]
  }
]
So it would look like this:
[Screenshot: AWS S3 Add CORS Policy page - General CORS policy]
Make sure the AllowedOrigins address is exactly https://nebbl.com and doesn't contain a trailing slash (the / symbol after .com). Hit the Save changes button.
CORS settings for zero-knowledge buckets
If you want to use zero-knowledge mode for your bucket, you need a slightly different CORS policy.
Paste the following snippet in the text field:
[
  {
    "AllowedOrigins": [
      "https://nebbl.com"
    ],
    "AllowedMethods": [
      "GET",
      "PUT",
      "DELETE",
      "POST",
      "HEAD"
    ],
    "AllowedHeaders": [
      "Origin",
      "Content-Type",
      "Cache-Control",
      "Pragma",
      "Expires",
      "X-Requested-With",
      "X-Content-Type-Options",
      "Authorization",
      "x-amz-date",
      "x-amz-content-sha256",
      "x-amz-user-agent",
      "Access-Control-Request-Headers",
      "Amz-Sdk-Invocation-Id",
      "Amz-Sdk-Request"
    ],
    "ExposeHeaders": [
      "ETag"
    ]
  }
]
So it would look like this:
[Screenshot: AWS S3 Add CORS Policy page - Zero-knowledge CORS policy]
Make sure the AllowedOrigins address is exactly https://nebbl.com and doesn't contain a trailing slash (the / symbol after .com). Hit the Save changes button.
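An added example, not part of the original guide or of Nebbl's code: a small Python model of the three checks S3 applies to a CORS request (origin, method, requested headers), run against the two configurations above. It shows why a trailing slash on the origin never matches and which requests only the zero-knowledge rule accepts; the SIGNED header list and the TRAILING_SLASH rule are constructed for illustration.

```python
def _match(pattern, value):
    """Exact match, or a single '*' wildcard as S3 CORS rules permit."""
    if "*" not in pattern:
        return pattern == value
    head, tail = pattern.split("*", 1)
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))

def first_matching_rule(rules, origin, method, request_headers=()):
    """Index of the first CORS rule that allows the request, else None.

    origin: the browser's Origin header (scheme://host[:port], never a path).
    method: request method, or Access-Control-Request-Method on a preflight.
    request_headers: names listed in Access-Control-Request-Headers,
    compared case-insensitively (an assumption of this model).
    """
    for i, rule in enumerate(rules):
        if not any(_match(o, origin) for o in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [a.lower() for a in rule.get("AllowedHeaders", [])]
        if all(any(_match(a, h.lower()) for a in allowed)
               for h in request_headers):
            return i
    return None

_BASE_HEADERS = ["Origin", "Content-Type", "Cache-Control", "Pragma",
                 "Expires", "X-Requested-With", "X-Content-Type-Options"]
# The two CORS configurations from this guide.
GENERAL = [{"AllowedOrigins": ["https://nebbl.com"],
            "AllowedMethods": ["GET", "PUT"],
            "AllowedHeaders": _BASE_HEADERS, "ExposeHeaders": ["ETag"]}]
ZERO_KNOWLEDGE = [{"AllowedOrigins": ["https://nebbl.com"],
                   "AllowedMethods": ["GET", "PUT", "DELETE", "POST", "HEAD"],
                   "AllowedHeaders": _BASE_HEADERS + [
                       "Authorization", "x-amz-date", "x-amz-content-sha256",
                       "x-amz-user-agent", "Access-Control-Request-Headers",
                       "Amz-Sdk-Invocation-Id", "Amz-Sdk-Request"],
                   "ExposeHeaders": ["ETag"]}]
# Constructed mistake: the general rule with a trailing slash on the origin.
TRAILING_SLASH = [dict(GENERAL[0], AllowedOrigins=["https://nebbl.com/"])]
ORIGIN = "https://nebbl.com"              # what the browser sends
SIGNED = ["authorization", "x-amz-date"]  # constructed preflight header list

if __name__ == "__main__":
    print(first_matching_rule(GENERAL, ORIGIN, "PUT", SIGNED))         # None
    print(first_matching_rule(ZERO_KNOWLEDGE, ORIGIN, "PUT", SIGNED))  # 0
    print(first_matching_rule(TRAILING_SLASH, ORIGIN, "PUT"))          # None
```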
Enabling the Block all public access setting
After the bucket policies are set, we can turn the Block all public access setting back on.
The Block all public access setting prevents unauthorized access to the bucket items. This limits operations on the bucket and avoids the excessive costs that can occur when your bucket items are accessed via direct links by a large number of people or services, for example when they download them or request to show them in a web page.
So basically, if your goal is to make these items available to the public via direct links, you need to leave this setting disabled. Keep in mind that the bucket policy set earlier allows every S3 action to any principal, so with this setting disabled anyone can also upload, overwrite or delete objects in the bucket, not just read them.
If you just want to share your files via Nebbl short links (not direct links), you can enable the Block all public access setting to ensure that you won't run into unexpected costs.
Scroll down to the Block all public access section and click the Edit button:
[Screenshot: AWS S3 Bucket page - Block all public access section]
Check the box for Block all public access and click the Save changes button:
[Screenshot: AWS S3 Bucket page - Block all public access - Edit]
A dialog will open asking you to confirm the change. Write confirm in the text field and click Confirm to apply the Block all public access setting:
[Screenshot: AWS S3 Bucket page - Block all public access - Confirm]
These are all the settings we need to change for the bucket and we can move on to getting the access credentials.
Getting the access credentials
There are several ways to create access keys, but the simplest secure way is to start by creating a new User.
To do that, search for IAM in the search bar and click IAM to go to the IAM (Identity and Access Management) dashboard:
[Screenshot: AWS S3 IAM page]
Click Users under Access management in the left sidebar:
[Screenshot: AWS S3 IAM page]
Then click Create user in the top-right:
[Screenshot: AWS S3 IAM page]
Add a user name and click Next:
[Screenshot: AWS S3 Create User page]
Click Next with the default setting on the next page:
[Screenshot: AWS S3 Create User page]
Then click Create user on the final page:
[Screenshot: AWS S3 Create User page]
Click on the username for the User you just created:
[Screenshot: AWS S3 Create Access Key page]
Then click Create access key:
[Screenshot: AWS S3 Create Access Key page]
Select the option Third-party service, check the box at the bottom and click Next:
[Screenshot: AWS S3 Create Access Key page]
You can skip the description tag and just click Create access key here:
[Screenshot: AWS S3 Create Access Key page]
The token detail page will open with the rest of the necessary credentials for us.
The credentials on this final page will be shown only once for security reasons, so be sure to copy them to a safe private place.
Click the Copy buttons in the Access Key ID and Secret Access Key sections and copy these values to a safe private place. They are the fourth and fifth credentials from our list. Finally, click the Done button.
[Screenshot: AWS S3 Create Access Key credentials page]
Treat your Secret access key as a password. Don't share it anywhere outside of Nebbl or your cloud provider account.
Your Secret access key will be securely encrypted within the Nebbl service and is never transmitted outside of it.
That's all! Now we have all five credentials and we can add this bucket to Nebbl.