Skip to main content

S3 Sink Configuration

The S3 decision log sink allows publishing decision log entries as JSON files onto any S3-compatible blob store. It is configured by creating a sink with an output.type of s3.

Example Configuration

decision_logs:
plugin: eopa_dl
plugins:
eopa_dl:
output:
- type: s3
endpoint: https://internal.s3.example.com
bucket: logs
access_key_id: mysecretkeyid
access_secret: F66CB198AC4B4E08A6A6A33775B7ACFE
timeout: "10s"
tls:
cert: path/to/cert.pem
private_key: path/to/key.pem
ca_cert: path/to/ca.pem
skip_cert_verify: false # default false
batching:
at_period: "10s" # flush batch every 10 seconds
at_count: 10 # flush batch every 10 log entries
at_bytes: 10240 # flush batch whenever 10240 bytes are exceeded
FieldTypeRequiredDefaultDescription
output.endpointstringNoempty (use AWS S3)API Endpoint for the S3 compatible blob store.
output.regionstringYesThe API region to use.
output.bucketstringYesThe bucket where logs are sent to.
output.access_key_idstringYesThe API access key ID to use.
output.access_secretstringYesThe API access secret to use.
output.force_pathboolNo falseUse path-style API calls (e.g. for S3-compatible APIs without wildcard DNS entries).
output.timeoutstringNoTimeout (e.g. 10s)
output.tlsObjectNoSee TLS configuration
output.batchingObjectNoSee Batching configuration
output.mask_decisionstringNoSee Mask and Drop decisions configuration
output.drop_decisionstringNoSee Mask and Drop decisions configuration