Configure to use AWS S3 and RDS

I am trying to make my openBalena stack stateless such that I can put multiple instances behind a load balancer / auto-scaling group in AWS. I was able to start up an RDS instance and connect openBalena to it, removing the need for the db to run within the openBalena stack. To my understanding the only data stored on my instance should be from the registry. I am trying to set up the registry to use an AWS S3 bucket instead of storing the data in the registry or s3 containers. I have updated the environment variables for the registry container to point to https://s3-us-west-2.amazonaws.com, as well as providing it AWS IAM credentials granting access to S3. Unfortunately it seems that these changes aren’t enough. Anyone have any ideas on how to accomplish this?

We added support for configuring registry to look into S3 just a few days ago, in version 2.0: https://github.com/balena-io/open-balena/blob/master/CHANGELOG.md#v200 – it’s now just a matter of passing the correct values via config/env.

I noticed the update the other day, it is actually what started me on this path. Is there any documentation as to how to properly configure openBalena to use S3?

Not really, unfortunately. The quickstart will automatically configure the registry to use a private minio-based S3 instance. You can, however, point it anywhere you like by editing these keys after you’ve created an initial config/env: https://github.com/balena-io/open-balena/blob/master/scripts/make-env#L68-L72

I updated my make-env script with:

export OPENBALENA_S3_ACCESS_KEY="aws_access_key"
export OPENBALENA_S3_BUCKETS="my_s3_bucket_name"
export OPENBALENA_S3_ENDPOINT="https://s3.us-west-1.amazonaws.com"
export OPENBALENA_S3_REGION=us-west-2
export OPENBALENA_S3_SECRET_KEY="aws_secret_key"

Ran ./scripts/quickstart -c -U my-user-email -P my-password -d my-domain
./scripts/compose up -d

Then from a different machine, logged into the openbalena instance via the cli and attempted to deploy to an app. When the image was built, it would attempt to send it to openbalena, but stays at 0% then throws an internal server error 500.

Just noticed my endpoint was for the incorrect region, updated it and testing again now…

It worked!

Glad you got it running. It’s best if you run quickstart to get the config created and then edit the config/env file and change the values you need. This way you won’t run into issues updating openBalena in the future. (The config folder is ignored by git, but the scripts aren’t and any changes you make may cause conflicts if you git pull)
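
A pre-flight check for the endpoint/region mismatch reported in this thread, as an added example that is not part of the original posts or of openBalena: it compares the region embedded in OPENBALENA_S3_ENDPOINT with OPENBALENA_S3_REGION. The function names, and the assumption that config/env holds `KEY=value` lines with an optional `export` prefix, are assumptions; the sample values are constructed from the ones posted above.

```shell
# Added example: check that the S3 endpoint host and the region setting agree.

# Print the last value assigned to KEY ($1) in env file ($2), without quotes.
env_value() {
    grep -E "^[[:space:]]*(export[[:space:]]+)?$1=" "$2" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print the region of a regional AWS S3 endpoint URL ($1); fail for any
# other host (MinIO, the global s3.amazonaws.com endpoint, ...).
endpoint_region() {
    host=${1#*://}          # drop the scheme
    host=${host%%[/:]*}     # drop port and path
    case $host in
        s3[.-]*.amazonaws.com)   # s3.<region>... or legacy s3-<region>...
            r=${host#s3?}; r=${r%.amazonaws.com}
            printf '%s\n' "${r#dualstack.}" ;;
        *) return 1 ;;
    esac
}

# Returns 0 = consistent, 1 = mismatch, 2 = cannot tell.
check_s3_env() {
    endpoint=$(env_value OPENBALENA_S3_ENDPOINT "$1")
    region=$(env_value OPENBALENA_S3_REGION "$1")
    if [ -z "$endpoint" ] || [ -z "$region" ]; then
        echo "missing OPENBALENA_S3_ENDPOINT or OPENBALENA_S3_REGION" >&2
        return 2
    fi
    if ! ep_region=$(endpoint_region "$endpoint"); then
        echo "endpoint $endpoint is not a regional AWS S3 host; skipping" >&2
        return 2
    fi
    if [ "$ep_region" != "$region" ]; then
        echo "MISMATCH: endpoint is in $ep_region but region is $region" >&2
        return 1
    fi
    echo "OK: endpoint and region are both $region"
}

# Constructed sample reproducing the values posted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
export OPENBALENA_S3_ENDPOINT="https://s3.us-west-1.amazonaws.com"
export OPENBALENA_S3_REGION=us-west-2
EOF
check_s3_env "$sample" || true   # reports the us-west-1 / us-west-2 mismatch
rm -f "$sample"
```

Against a real deployment, call `check_s3_env config/env` before `./scripts/compose up -d`.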

Thanks for the heads up on that.

I am not sure if this would be best put here or as an issue on the openBalena GitHub page, but functionality to enable using an IAM Role attached to an EC2 instance instead of hard-coding an IAM User's credentials would be great.

Generally a feature request would be better in the component repo. It allows the work to be triaged more easily and also for you to be able to follow the development process of the feature.