S3

Server Source code Package

S3-compatible object storage store using s3mini (~20 KB, zero dependencies). Works with AWS S3, Cloudflare R2, Scaleway, DigitalOcean Spaces, Backblaze B2, MinIO, and any S3-compatible provider.

Installation

Integrated
Bundled

Add to your flow.json:

Configuration

This store uses the standard store config wrapper (consent, data, env, id, ...). For the shared fields see store configuration. Package-specific fields live under config.settings and are listed below.

Settings

Property	Type	Description
`bucket*`	`string`	S3 bucket name
`endpoint*`	`string`	S3-compatible endpoint URL
`accessKeyId*`	`string`	S3 access key ID
`secretAccessKey*`	`string`	S3 secret access key
`region*`	`string`	AWS region for SigV4 signing
`prefix`	`string`	Key prefix prepended to all store keys for scoping

* Required fields

Mapping

This package does not define custom rule-level settings. For the standard rule fields (consent, condition, data, batch, name, policy) see mapping.

Examples

prefix scoping

Event

Out

read aws s3

Event

Out

Provider examples

Provider	Endpoint	Notes
AWS S3	`https://s3.<region>.amazonaws.com`	Set `region` to your actual region
Cloudflare R2	`https://<account>.r2.cloudflarestorage.com`	No egress fees
Scaleway	`https://s3.<region>.scw.cloud`	EU hosting
DigitalOcean	`https://<region>.digitaloceanspaces.com`	Simple pricing
Backblaze B2	`https://s3.<region>.backblazeb2.com`	Cheapest storage
MinIO	`http://localhost:9000`	Self-hosted

Credentials

Use $env. references in Flow.Config to avoid hardcoding secrets:

Unlike the AWS SDK, s3mini has no implicit credential chain: accessKeyId and secretAccessKey are always required.

File serving pattern

The primary use case is serving static files via the file transformer. This is the recommended pattern for managed deployments (Mode D) where files live in a bucket rather than needing to be baked into a Docker image:

A request to /static/walker.js looks up public/walker.js in the my-assets bucket.

Security

Key validation: Path traversal attempts (.., absolute paths) are rejected
Prefix scoping: The prefix setting restricts all operations to a subdirectory
No credential chain: Credentials must be explicitly provided (no ambient AWS credentials)

API

get() returns Buffer for compatibility with the file transformer, which uses content instanceof Buffer for Content-Length calculation.

💡 Need implementation support?

elbwalker offers hands-on support: setup review, measurement planning, destination mapping, and live troubleshooting. Book a 2-hour session (€399)

Installation​

Configuration​

Settings​

Mapping​

Examples

prefix scoping

read aws s3

Provider examples​

Credentials​

File serving pattern​

Security​

API​