RT 4.4.1 Documentation

RT::ExternalStorage::AmazonS3

NAME

RT::ExternalStorage::AmazonS3 - Store files in Amazon's S3 cloud

SYNOPSIS

    Set(%ExternalStorage,
        Type            => 'AmazonS3',
        AccessKeyId     => '...',
        SecretAccessKey => '...',
        Bucket          => '...',
    );

DESCRIPTION

This storage option places attachments in the S3 cloud file storage service. The files are de-duplicated when they are saved; as such, if the same file appears in multiple transactions, only one copy will be stored in S3.

Files in S3 must not be modified or removed; doing so may cause internal inconsistency. It is also important to ensure that the S3 account used maintains sufficient funds for your RT's storage and bandwidth needs.

SETUP

In order to use this storage type, you must grant RT access to your S3 account.

  1. Log into Amazon S3, https://aws.amazon.com/s3/, as the account you wish to store files under.

  2. Navigate to "Security Credentials" under your account name in the menu bar.

  3. Open the "Access Keys" pane.

  4. Click "Create New Access Key".

  5. Copy the provided values for Access Key ID and Secret Access Key into your RT_SiteConfig.pm file:

        Set(%ExternalStorage,
            Type            => 'AmazonS3',
            AccessKeyId     => '...', # Put Access Key ID between quotes
            SecretAccessKey => '...', # Put Secret Access Key between quotes
            Bucket          => '...',
        );
  6. Set up a Bucket for RT to use. You can either create and configure it in the S3 web interface, or let RT create one itself. Either way, tell RT what bucket name to use in your RT_SiteConfig.pm file:

        Set(%ExternalStorage,
            Type            => 'AmazonS3',
            AccessKeyId     => '...',
            SecretAccessKey => '...',
            Bucket          => '...', # Put bucket name between quotes
        );

Direct Linking

This storage engine supports direct linking. This means that RT can link directly to S3 when listing attachments, showing image previews, etc. This relieves some bandwidth pressure from RT because ordinarily it would have to download each attachment from S3 to be able to serve it.

To enable direct linking you must first make all content in your bucket publicly viewable.

Beware that this could have serious implications for billing and privacy. RT cannot enforce its access controls for content on S3. This is tempered somewhat by the fact that users must be able to guess the SHA-256 digest of the file to be able to access it. But there is nothing stopping someone from tweeting a URL to a file hosted on your S3. These concerns do not arise when using an RT-mediated link to S3, since RT uses an access key to upload to and download from S3.

To make all content in an S3 bucket publicly viewable, navigate to the bucket in the S3 web UI. Select the "Properties" tab and inside "Permissions" there is a button to "Add bucket policy". Paste the following content in the provided textbox:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "AllowPublicRead",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::BUCKET/*"
            }
        ]
    }

Replace BUCKET with the bucket name that is used by your RT instance.

Finally, set $ExternalStorageDirectLink to 1 in your RT_SiteConfig.pm file:

    Set($ExternalStorageDirectLink, 1);
← Back to index