Scroll to navigation

APT-TRANSPORT-S3(8) System Manager's Manual APT-TRANSPORT-S3(8)

NAME

DESCRIPTION

apt-transport-s3 - it's a package which contains apt transport ('plugin') allowing apt to fetch files stored in private repositories held on AWS S3.

Bucket name

According to the S3 bucket naming convention to make it working with this transport over TLS bucket name can NOT contain dots in it. More information about it can be found at https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html

AWS Credentials

To access repositories held on S3 it is compulsory to have correct permissions into the bucket where repository is located and those permissions have to be reflected in at least one of below two places.

IAM Roles default place where S3 transport is looking for credentials allowing for fetching files from S3 bucket

Configuration

/etc/apt/s3auth.conf or IAM role (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) can provide credentials required for using private apt repositories.

NOTE: Region MUST match the region the buckets are stored in and if not defined it will try to fetch it from the metadata service.

Setting Endpoint allows for using providers other than Amazon AWS. If set, Endpoint disregards Region.

Example of s3auth.conf file:

AccessKeyId     = myaccesskey
SecretAccessKey = mysecretaccesskey
Region          = 'us-east-1'
Endpoint        = 'nyc3.digitaloceanspaces.com'
PathStyle       = True

Minimal IAM policy for accessing repository

{


    "Version": "2012-10-17",


    "Statement": [


        {


            "Sid": "VisualEditor0",


            "Effect": "Allow",


            "Action": [


                "s3:GetObject",


                "s3:ListBucket"


            ],


            "Resource": [


                "arn:aws:s3:::[BUCKET_ID]/*",


                "arn:aws:s3:::[BUCKET_ID]"


            ]


        }


    ]
}

Usage

Install the .deb package from the releases page. The bucket repo should be specified using an s3:// prefix, for example:

deb s3://aptbucketname/repo/ trusty main contrib non-free

if you need to use a proxy to connect to the internet you can specify this as an APT configuration directive (for example in /etc/apt/apt.conf.d/90apt-transport-s3)

Acquire::http::Proxy "http://myproxy:3128/";

Bucket name hosting repo can not contain dots in it’s name as this (according to AWS S3 naming convention (https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html)) will invalidate virtual host style paths TLS certificates.

Testing

The module will run in interactive mode. It accepts on stdin and outputs on stdout. The messages it accepts on stdin are in the following format and documented here (http://www.fifi.org/doc/libapt-pkg-doc/method.html/index.html#abstract).

600 URI Acquire
URI:s3://my-s3-repository/project-a/dists/trusty/main/binary-amd64/Packages
Filename:Packages.downloaded
Fail-Ignore:true
Index-File:true

This message will trigger an s3 get from the above bucket and key and save it to Filename. It needs a blank line after the message to trigger the processing by the s3 method.

Contribution

If you want to contribute a patch via PR please create it against development branch. Patches via email are welcome as well.

October 7, 2024