Publishing to Amazon S3

aptly could be configured to publish repository directly to Amazon S3 (or S3-compatible cloud storage). First, publishing endpoints should be described in aptly configuration file. Each endpoint has name and associated settings:

  • region: Amazon region for S3 bucket (e.g. us-east-1)
  • bucket: bucket name
  • endpoint: (optional) when using S3-compatible cloud storage, specify hostname of service endpoint here, region is ignored if endpoint is set (set region to some human-readable name) (should be left blank for real Amazon S3)
  • prefix: (optional) do publishing under specified prefix in the bucket, defaults to no prefix (bucket root)
  • acl: (optional) assign ACL to published files (one of the canned ACLs in Amazon terminology). Useful values: private (default) or public-read (public repository). Public repositories could be consumed by apt using HTTP endpoint (Amazon bucket should be configured for “website hosting”), for private repositories special apt S3 transport is required.
  • awsAccessKeyID, awsSecretAccessKey: (optional) Amazon credentials to access S3 bucket. If not supplied, environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are used.
  • storageClass: (optional) Amazon S3 storage class, defaults to STANDARD. Other values available: REDUCED_REDUNDANCY (lower price, lower redundancy)
  • encryptionMethod: (optional) server-side encryption method, defaults to none. Currently the only available encryption method is AES256
  • plusWorkaround: (optional) workaround misbehavior in apt and Amazon S3 (see bug) by creating two copies of package files with + in filename: one original and another one with spaces instead of plus signs
    Warning: With plusWorkaround enabled, package files with plus sign would be stored twice. aptly might not cleanup files with spaces when published repository is dropped or updated (switched) to new version of repository (snapshot).
  • disableMultiDel: (optional) for S3-compatible cloud storages which do not support MultiDel S3 API, enable this setting (file deletion would be slower with this setting enabled)
  • forceSigV2: (optional) disable Signature V4 support, useful with non-AWS S3-compatible object stores which do not support SigV4, shouldn’t be enabled for AWS
  • debug: (optional) enables detailed request/response dump for each S3 operation

S3 bucket used for publishing should be empty initially and should not be used to store other data, as aptly might remove objects while doing cleanup operation. If prefix is configured, bucket should be empty under the prefix (aptly won’t touch any objects outside prefix).

In order to publish to S3, specify endpoint as s3:endpoint-name: before publishing prefix on the command line, e.g.:

$ aptly publish snapshot wheezy-main s3:test:

Or, with prefix:

$ aptly publish snapshot wheezy-main s3:test:debian/

If you would like to publish public repository to Amazon S3, create bucket, enable website hosting option at Amazon console. Specify bucket name, region and access keys in aptly configuration under S3PublishEndpoints. Use public-read as value for acl parameter. Published repository could be added to /etc/apt/sources.list by using public HTTP URL, like any other HTTP repository.

For accessing S3 based private repositories apt-transport-s3 should be used. Package providing this functionality is available in Ubuntu 15.04 and Debian Strech (currently Jessie+1). For information how to use it read docs on project website or read the man page (apt-transport-s3(8)).

Other options like apt-s3 are also available to use. Please don’t enable website hosting option and use private as value for acl parameter.

Install apt-transport-s3, apt-s3 or any other similar tool to enable s3:// transport in apt.

It is recommended to setup separate user in Amazon IAM for publishing to S3. This user would have access only to one bucket for publishing and limited operations. Sample policy (change bucket to match you bucket name):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1405592139000",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::bucket/*", "arn:aws:s3:::bucket"
      ]
    }
  ]
}