Artifactory's filestore is configured through the binarystore.xml file. The binarystore.xml configuration file is located in the $JFROG_HOME/artifactory/var/etc/artifactory folder.
Amazon S3 Official SDK Template
JFrog recommends the s3-storage-v3-direct template to configure your S3 Cloud Storage using the official Amazon SDK.
High Availability clusters with eventual template (non-direct) will need to use a shared mount for the S3 provider
Using the Amazon S3 Official SDK eventual template requires a shared mount for cluster. This is because an arbitrary node will handle the object store interaction, while all of the nodes will be able to add files to the shared mount eventual directory.
If you are using a direct template or eventual cluster, a shared mount is not needed for High Availability.
Authentication Mechanism
The following authentication methods are supported.
Basic credentials - these are the identity and credential parameters in the table below
Default Amazon Provider Chain credentials - these are the default Amazon Provider chain searches for credentials, which follow this order:
System property based credentials
Credentials delivered through the Amazon ECS container service.
Instance profile credentials delivered through the Amazon ECS metadata service.
Amazon S3 Template Parameters
The Amazon S3 Official Amazon SDK template supports the following set of parameters. The first three parameters listed below are mandatory, the rest are optional.
Parameter | Description |
|---|---|
bucketName | Your globally unique bucket name. Mandatory parameter |
path | Default: filestore The path relative to the bucket where binary files are stored. Mandatory parameter |
endpoint | The cloud storage provider’s URL. Amazon Endpoints: Supported JFrog SubscriptionsOnly official AWS endpoints, such as |
region | The region offered by your cloud storage provider with which you want to work. Mandatory parameter if the default value is used for |
type | s3-storage-v3 |
testConnection | Default: true When set to true, the binary provider uploads and downloads a file when Artifactory starts up to verify that the connection to the cloud storage provider is fully functional. |
identity | Your cloud storage provider identity. |
credential | Your cloud storage provider authentication credential. |
port | The cloud storage providers port. When a port is not assigned and the |
rootFoldersNameLength | Default: 2 The number of initial characters in the object's checksum that should be used to name the folder in storage. This can take any value between 0 - 5.0 means that checksum files will be stored at the root of the object store bucket. For example, if the object's checksum is 8c335149... and |
proxyIdentity | Corresponding parameters if you are accessing the cloud storage provider through a proxy server. |
proxyCredential | |
proxyPort | |
proxyHost | |
nonProxyHost (Available from Artifactory 7.77.6 self-hosted version.) | |
useHttp | Default: false Defines the connection schema. When set to true, you can set a non-secure HTTP connection. |
kmsClientSideEncryptionKeyId (named kmsServerSideEncryptionKeyId prior to Artifactory version 7.31.10) | Default is N/A. Use KMS Encryption client with the given KMS encryption key ID or alias. The name, |
server-side-encryption-aws-kms | Default is N/A. If set to true, S3 encrypts artifacts on the server based on the default KMS key. You can also set it with the encryption key ID or alias instead of true. |
kmsCryptoMode | Default: EncryptionOnly. This only applies to the s3-storage-v3 template. Use KMS encryption with one of the following crypto policies:
For more information, see https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-crypto-kms.html. |
useInstanceCredentials | Default: false. Set to true to use the AWS S3 as your default provider chain according to the Authentication mechanism. |
usePresigning | Default: false. When set to true, applies to signed URLs for adding, deleting, and getting client methods on s3 objects. Note: Enabling Presigning restricts the maximum size of objects that are uploaded to under 5GB. For more information, see AWS Documentation. |
multiPartLimit | Default: 100,000,000 bytes When usePresigning is set to false, or for the s3old and s3 templates File size threshold (in bytes) over which file uploads are chunked and multi-threaded. |
multipartElementSize | Default: A 5 MB chunk. The chunk size when multiPartLimit is used. If a tag is not set, the AWS client default of 5MB will be applied. Specify the chunk size (similar to the functionality in Azure BP). |
transferManagerThreads | Default: 10. Only applies to the s3-storage-v3 template. Applies when usePresigning is set to false This applies to multipart uploads, configured by the multiPartLimit. |
signatureExpirySeconds | Default: 300 Sets the validity period in seconds for signed URLs used internally for uploads and downloads. |
maxConnections | Default: 50. Sets the maximum HTTP client connections for the AWS client |
connectionTimeout | Default: 10x1000. Sets the connection timeout (in milliseconds) for the AWS client. |
socketTimeout | Default: 50 * 1000. Sets the socket timeout (in milliseconds) for the AWS client. |
enablePathStyleAccess | Default: false Amazon S3 supports virtual-hosted-style and path-style access in all regions. The path-style syntax requires that using the region-specific endpoint when attempting to access a bucket. For non-AWS users, this property may need to be set to true. For CEPH storage, set this property to true. |
disableChunkedEncoding | Default: false The default behavior is to enable chunked encoding automatically for PutObjectRequest and UploadPartRequest. Setting this flag will result in disabling chunked encoding for all requests, which may impact performance. Using this option is recommended only if your endpoint does not implement chunked uploading. |
useDeprecatedBucketExistenceCheck | Default: false Setting this property will force checking bucket existence based on a HEAD request to the bucket. (Deprecated in AWS) |
enableSignedUrlRedirect | Enables direct cloud storage download. |
signedUrlExpirySeconds | Default: 30 (optional) Specifies the number of seconds that a signed URL provided to a requesting client for direct download from cloud storage is valid. Note that direct download is available for AWS, Azure, and GCP. Direct download for Azure and GCP is only available for Self-Hosted environments. |