AWS S3 Sink

The Vector aws_s3 sink batches log events and writes each batch to Amazon Web Services' S3 as an object via the PutObject API.

Configuration

vector.toml
[sinks.my_sink_id]
# General
type = "aws_s3" # required
inputs = ["my-source-id"] # required
bucket = "my-bucket" # required
compression = "gzip" # required
healthcheck = true # optional, default
region = "us-east-1" # required*, only required when endpoint is not set
# Batch
batch.max_size = 10490000 # optional, default, bytes
batch.timeout_secs = 300 # optional, default, seconds
# Buffer
buffer.type = "memory" # optional, default
buffer.max_events = 500 # optional, default, events, relevant when type = "memory"
# Encoding
encoding.codec = "ndjson" # required
# Naming
key_prefix = "date=%F/" # optional, default
  • acl (string, enum, optional)

    Canned ACL to apply to the created objects. For more information, see Canned ACL. "public-read" and "public-read-write" make every log object readable (or writable) by anyone on the internet, and "authenticated-read" grants read access to any AWS account, not only your own. For log data, leave this unset (objects are then private to the owning account) or use the grant_* options to name a specific grantee.

    See Object access control list (ACL) for more info.

    • No default
    • Enum, must be one of: "private" "public-read" "public-read-write" "aws-exec-read" "authenticated-read" "log-delivery-write"
  • grant_full_control (string, optional)

    Gives the named grantee READ, READ_ACP, and WRITE_ACP permissions on the created objects. Grantees use the S3 grant header syntax, for example id="<canonical user ID>".

    See Cross account object writing and Object access control list (ACL) for more info.

    • No default
  • grant_read (string, optional)

    Allows the named grantee to read the created objects and their metadata.

    See Object access control list (ACL) for more info.

    • No default
  • grant_read_acp (string, optional)

    Allows the named grantee to read the created objects' ACL.

    See Object access control list (ACL) for more info.

    • No default
  • grant_write_acp (string, optional)

    Allows the named grantee to write the created objects' ACL. A grantee with WRITE_ACP can later make the objects public, so treat this as equivalent to full control.

    See Object access control list (ACL) for more info.

    • No default
  • batch (table, common, optional)

    Configures the sink batching behavior.

    • max_size (int, bytes, common, optional)

      The maximum size of a batch, in bytes, before it is flushed.

      See Buffers & Batches for more info.

      • Default: 10490000 (bytes)
    • timeout_secs (int, seconds, common, optional)

      The maximum age of a batch before it is flushed.

      See Buffers & Batches for more info.

      • Default: 300 (seconds)
  • buffer (table, common, optional)

    Configures the sink specific buffer behavior.

    • type (string, enum, common, optional)

      The buffer's type and storage mechanism. A "memory" buffer is fast but its contents are lost if Vector stops; use "disk" when buffered events must survive a restart.

      • Default: "memory"
      • Enum, must be one of: "memory" "disk"
    • max_events (int, events, common, optional)

      The maximum number of events allowed in the buffer.

      • Only relevant when: type = "memory"
      • Default: 500 (events)
    • max_size (int, bytes, required*)

      The maximum size of the buffer on the disk.

      See Buffers & Batches for more info.

      • Only required when: type = "disk"
      • No default
    • when_full (string, enum, optional)

      The behavior when the buffer becomes full. "drop_newest" silently discards events once the buffer is full; for audit or security logs keep "block" so that back-pressure reaches the source instead of losing records.

      • Default: "block"
      • Enum, must be one of: "block" "drop_newest"
  • encoding (table, common, required)

    Configures the encoding specific sink behavior.

    • codec (string, enum, common, required)

      The encoding codec used to serialize the events before outputting.

      • No default
      • Enum, must be one of: "ndjson" "text"
    • except_fields ([string], optional)

      Prevent the sink from encoding the specified fields.

      • No default
    • only_fields ([string], optional)

      Limit the sink to only encoding the specified fields.

      • No default
    • timestamp_format (string, enum, optional)

      How to format event timestamps.

      • Default: "rfc3339"
      • Enum, must be one of: "rfc3339" "unix"
  • server_side_encryption (string, enum, optional)

    The server-side encryption algorithm used when storing these objects. "AES256" selects SSE-S3 (keys managed entirely by S3); "aws:kms" selects SSE-KMS, where access to the objects is additionally governed by the policy of the KMS key (see ssekms_key_id).

    See Server-side encryption (SSE) for more info.

    • No default
    • Enum, must be one of: "AES256" "aws:kms"
  • ssekms_key_id (string, optional)

    If server_side_encryption has the value "aws:kms", this specifies the ID of the AWS Key Management Service (AWS KMS) symmetric customer managed customer master key (CMK) that will be used for the created objects. If not specified, Amazon S3 uses the AWS managed CMK for S3 in your account to protect the data.

    • No default
  • assume_role (string, optional)

    The ARN of an IAM role to assume at startup.

    See AWS Authentication for more info.

    • No default
  • bucket (string, common, required)

    The S3 bucket name. Do not include a leading s3:// or a trailing /.

    • No default
  • compression (string, enum, common, required)

    The compression mechanism to use.

    • No default
    • Enum, must be one of: "gzip" "none"
  • endpoint (string, optional)

    Custom endpoint for use with AWS-compatible services. Providing a value for this option makes region moot.

    • Only relevant when: region = null
    • No default
  • healthcheck (bool, common, optional)

    Enables/disables the sink healthcheck upon start.

    See Health Checks for more info.

    • Default: true
  • region (string, common, required*)

    The AWS region of the target service. If endpoint is provided it will override this value since the endpoint includes the region.

    • Only required when: endpoint = null
    • No default
  • tags (table, optional)

    The tag-set for the object.

    • [tag-name] (string, optional)

      A custom tag to be added to the created objects.

      • No default
  • filename_append_uuid (bool, optional)

    Whether or not to append a UUID v4 token to the end of the file name. This ensures there are no name collisions in high-volume use cases.

    See Object naming for more info.

    • Default: true
  • filename_extension (string, optional)

    The filename extension to use in the object name.

    • Default: "log"
  • filename_time_format (string, optional)

    The format of the resulting object file name. strftime specifiers are supported.

    See Object naming for more info.

    • Default: "%s"
  • key_prefix (templateable string, common, optional)

    A prefix to apply to all object key names. This should be used to partition your objects, and it's important to end this value with a / if you want this to be the root S3 "folder".

    See Object naming, Partitioning, and Template Syntax for more info.

    • Default: "date=%F/"
  • request (table, optional)

    Configures the sink request behavior.

    • in_flight_limit (int, requests, common, optional)

      The maximum number of in-flight requests allowed at any given time.

      See Rate Limits for more info.

      • Default: 50 (requests)
    • rate_limit_duration_secs (int, seconds, common, optional)

      The time window, in seconds, used for the rate_limit_num option.

      See Rate Limits for more info.

      • Default: 1 (seconds)
    • rate_limit_num (int, common, optional)

      The maximum number of requests allowed within the rate_limit_duration_secs time window.

      See Rate Limits for more info.

      • Default: 250
    • retry_attempts (int, optional)

      The maximum number of retries to make for failed requests.

      See Retry Policy for more info.

      • Default: -1
    • retry_initial_backoff_secs (int, seconds, optional)

      The amount of time to wait before attempting the first retry for a failed request. Once the first retry has failed, the Fibonacci sequence is used to select subsequent backoffs, capped by retry_max_duration_secs.

      • Default: 1 (seconds)
    • retry_max_duration_secs (int, seconds, optional)

      The maximum amount of time, in seconds, to wait between retries.

      • Default: 10 (seconds)
    • timeout_secs (int, seconds, common, optional)

      The maximum time a request can take before being aborted. It is highly recommended that you do not lower this value below the service's internal timeout, as this could create orphaned requests, pile on retries, and result in duplicate data downstream.

      See Buffers & Batches for more info.

      • Default: 30 (seconds)
  • storage_class (string, enum, optional)

    The storage class for the created objects. See the S3 Storage Classes for more details.

    See Storage class for more info.

    • No default
    • Enum, must be one of: "STANDARD" "REDUCED_REDUNDANCY" "INTELLIGENT_TIERING" "STANDARD_IA" "ONEZONE_IA" "GLACIER" "DEEP_ARCHIVE"

Env Vars

  • AWS_ACCESS_KEY_ID (string, optional)

    Used for AWS authentication when communicating with AWS services. See relevant AWS components for more info.

    See AWS Authentication for more info.

    • No default
  • AWS_SECRET_ACCESS_KEY (string, optional)

    Used for AWS authentication when communicating with AWS services. See relevant AWS components for more info.

    See AWS Authentication for more info.

    • No default

How It Works

AWS Authentication

Vector checks for AWS credentials in the following order:

  1. Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
  2. The credential_process command in the AWS config file. (usually located at ~/.aws/config)
  3. The AWS credentials file. (usually located at ~/.aws/credentials)
  4. The IAM instance profile. (will only work if running on an EC2 instance with an instance profile/role)

If no credentials are found, the healthcheck will fail and an error will be logged.

Obtaining an access key

In general, we recommend using instance profiles/roles whenever possible, since no long-lived secret then has to be stored on the host. In cases where this is not possible you can generate an AWS access key for any user within your AWS account. AWS provides a detailed guide on how to do this.

Assuming Roles

Vector can assume an AWS IAM role via the assume_role option. This is an optional setting that is helpful for a variety of use cases, such as cross account access.
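Whichever of the credential sources above Vector ends up using (an assumed role, an instance profile, or a user behind AWS_ACCESS_KEY_ID), that identity only needs the permissions the sink's options actually exercise. The following is an added example, not code from Vector or from AWS, that builds such a least-privilege IAM policy from the sink settings. It assumes that the healthcheck can be authorised with s3:ListBucket on the bucket (the HeadBucket-style check is an assumption), that s3:PutObjectAcl is needed only when acl or grant_* is set, s3:PutObjectTagging only when tags is set, and kms:GenerateDataKey only when server_side_encryption = "aws:kms" names a customer managed key. The bucket, prefix and key ARN in the usage are made up.

```python
import json
import re

# Added example, not Vector's own code: build the least-privilege IAM policy
# for the identity the aws_s3 sink runs as (the assume_role target, an
# instance profile, or a user behind AWS_ACCESS_KEY_ID). Each statement is
# tied to a sink option so nothing broader than the sink needs is granted.
# Assumption: the healthcheck is treated as a HeadBucket call, which IAM
# authorizes under s3:ListBucket on the bucket ARN.

TEMPLATE_OR_STRFTIME = re.compile(r"\{\{|%")


def static_prefix(key_prefix):
    """Part of key_prefix before the first {{ field }} or strftime specifier,
    i.e. the only part that can be pinned in an IAM resource ARN."""
    match = TEMPLATE_OR_STRFTIME.search(key_prefix)
    return key_prefix if match is None else key_prefix[: match.start()]


def s3_sink_policy(bucket, key_prefix="date=%F/", server_side_encryption=None,
                   ssekms_key_arn=None, uses_acl_or_grants=False,
                   uses_tags=False, healthcheck=True):
    actions = ["s3:PutObject"]
    if uses_acl_or_grants:
        # PutObject with x-amz-acl or x-amz-grant-* headers also needs PutObjectAcl.
        actions.append("s3:PutObjectAcl")
    if uses_tags:
        # PutObject with an x-amz-tagging header also needs PutObjectTagging.
        actions.append("s3:PutObjectTagging")
    statements = [{
        "Sid": "VectorPutObjects",
        "Effect": "Allow",
        "Action": sorted(actions),
        # Scope writes to the bucket and the static part of the key prefix.
        "Resource": f"arn:aws:s3:::{bucket}/{static_prefix(key_prefix)}*",
    }]
    if healthcheck:
        statements.append({
            "Sid": "VectorHealthcheck",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}",
        })
    if server_side_encryption == "aws:kms" and ssekms_key_arn is not None:
        # S3 calls GenerateDataKey on the customer managed key on the writer's
        # behalf; scope it to that one key, never kms:* on "*". (Add
        # kms:Decrypt only if this identity also reads the objects back.)
        # Without ssekms_key_id the AWS managed S3 key is used and this
        # example adds no KMS statement.
        statements.append({
            "Sid": "VectorSseKms",
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey"],
            "Resource": ssekms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Made-up bucket, prefix and key ARN.
    policy = s3_sink_policy(
        "my-bucket",
        key_prefix="logs/application_id={{ application_id }}/date=%F/",
        server_side_encryption="aws:kms",
        ssekms_key_arn="arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
        uses_tags=True,
    )
    print(json.dumps(policy, indent=2))
```

Note that a templated key_prefix such as "application_id={{ application_id }}/" can only be scoped down to its static part, so the policy above allows writes under application_id=* rather than under a single application; if you need per-tenant isolation, run separate sinks with static prefixes and separate roles.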

Buffers & Batches

The aws_s3 sink buffers & batches data. Vector treats these as sink-specific rather than global concepts: each sink has its own buffer and batch settings, which isolates sinks so that a disruption of one downstream service is contained and the delivery guarantees of the other sinks are honored.

Batches are flushed when 1 of 2 conditions are met:

  1. The batch age meets or exceeds the configured timeout_secs.
  2. The batch size meets or exceeds the configured max_size.

Buffers are controlled via the buffer.* options.

Cross account object writing

If you're using Vector to write objects across AWS accounts then you should consider setting the grant_full_control option to the bucket owner's canonical user ID. Objects written from another account are owned by the writing account, so without such a grant the bucket owner may be unable to read them. AWS provides a full tutorial for this use case. If you don't know the bucket owner's canonical ID you can find it by following this tutorial.

Environment Variables

Environment variables are supported through all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.

Health Checks

Health checks ensure that the downstream service is accessible and ready to accept data. This check is performed upon sink initialization. If the health check fails an error will be logged and Vector will proceed to start.

Require Health Checks

If you'd like to exit immediately upon a health check failure, you can pass the --require-healthy flag:

vector --config /etc/vector/vector.toml --require-healthy

Disable Health Checks

If you'd like to disable health checks for this sink you can set the healthcheck option to false.

Object access control list (ACL)

AWS S3 supports access control lists (ACL) for buckets and objects. In the context of Vector, only object ACLs are relevant (Vector does not create or modify buckets). You can set the object level ACL by using one of the acl, grant_full_control, grant_read, grant_read_acp, or grant_write_acp options.

acl vs the grant_* options

The grant_* options name a specific grantee (a canonical user ID, a predefined group URI, or an account e-mail address) to give access to. The acl option is one of a set of canned ACLs, which can only refer to the object owner, all authenticated AWS users, or the world. S3 accepts either a canned ACL or explicit grants on a request, not both.

Object naming

By default, Vector will name your S3 objects in the following format:

<key_prefix><timestamp>-<uuidv4>.log

For example:

date=2019-06-18/1560886634-fddd7a0e-fad9-4f7e-9bce-00ae5debc563.log

Vector appends a UUIDV4 token to ensure there are no name conflicts in the unlikely event 2 Vector instances are writing data at the same time.

You can control the resulting name via the key_prefix, filename_time_format, and filename_append_uuid options.

Partitioning

Partitioning is controlled via the key_prefix option and allows you to partition data dynamically. Vector's template syntax is supported for this option, enabling you to use field values as partition keys. Because field values are inserted into the key verbatim, a field that an untrusted client can influence also decides which prefix its events land in.

Rate Limits

Vector offers a few levers to control the rate and volume of requests to the downstream service. Start with the rate_limit_duration_secs and rate_limit_num options to ensure Vector does not exceed the specified number of requests in the specified window. You can further control the pace at which this window is saturated with the in_flight_limit option, which will guarantee no more than the specified number of requests are in-flight at any given time.

Please note, Vector's defaults are carefully chosen and it should be rare that you need to adjust these. If you found a good reason to do so please share it with the Vector team by opening an issue.

Retry Policy

Vector will retry failed requests (status == 429, >= 500, and != 501). Other responses will not be retried. You can control the number of retry attempts and the backoff with the retry_attempts, retry_initial_backoff_secs and retry_max_duration_secs options.
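The retry decision and the backoff schedule described above, written out as an added example (not Vector's own code) using the page's defaults: retry_attempts = -1, retry_initial_backoff_secs = 1, retry_max_duration_secs = 10. The Fibonacci sequence is assumed to be seeded from the initial backoff (1, 1, 2, 3, 5, ...) and capped at the maximum; the fake service that answers with a fixed list of status codes is constructed input.

```python
from itertools import islice

# Added example, not Vector's own code: the retry policy of the request.*
# options. Assumption: the Fibonacci backoff is seeded from
# retry_initial_backoff_secs and each wait is capped at
# retry_max_duration_secs.


def should_retry(status):
    """Retry on 429 and on every 5xx except 501 (Not Implemented)."""
    return status == 429 or (status >= 500 and status != 501)


def fibonacci_backoff(initial=1, maximum=10):
    """Infinite generator of wait times in seconds: initial, initial, then
    each the sum of the previous two, capped at maximum."""
    previous, current = 0, initial
    while True:
        yield min(current, maximum)
        previous, current = current, min(previous + current, maximum)


def backoff_schedule(retries, initial=1, maximum=10):
    """Wait before retry 1..retries, as a list."""
    return list(islice(fibonacci_backoff(initial, maximum), retries))


def send_with_retries(responses, retry_attempts=-1, initial=1, maximum=10):
    """Drive the policy against a fake service that answers with the given
    status codes in order (constructed input). Returns
    (final_status, retries_made, total_wait_secs). retry_attempts = -1 means
    no limit, as in the config; the fake service's list still ends."""
    if not responses:
        raise ValueError("need at least one response")
    waits = fibonacci_backoff(initial, maximum)
    retries, total_wait = 0, 0
    for index, status in enumerate(responses):
        budget_left = retry_attempts == -1 or retries < retry_attempts
        last_answer = index == len(responses) - 1
        if not should_retry(status) or not budget_left or last_answer:
            return status, retries, total_wait
        total_wait += next(waits)
        retries += 1


if __name__ == "__main__":
    print("backoff schedule:", backoff_schedule(9))
    print("503, 429, 200 ->", send_with_retries([503, 429, 200]))
    print("400        ->", send_with_retries([400]))
    print("503 x4, 2 attempts ->", send_with_retries([503] * 4, retry_attempts=2))
```

With the default unlimited retries a service that keeps answering 503 is retried every 10 seconds indefinitely, which is why the buffer.when_full setting matters: the buffer, not the retry loop, decides whether upstream events are blocked or dropped while the sink is stuck.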

Server-side encryption (SSE)

AWS S3 offers server-side encryption. You can apply defaults at the bucket level or set the encryption at the object level. In the context of Vector only the object level is relevant (Vector does not create or modify buckets), although we recommend setting defaults at the bucket level when possible, so that objects stay encrypted even if a sink is misconfigured. You can explicitly set the object-level encryption via the server_side_encryption option; with "aws:kms", ssekms_key_id selects the key, and access to the logs is then additionally governed by that key's policy.
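The ACL, encryption and buffer settings discussed in the sections above are the ones most worth checking before a config ships. The following is an added example, not part of Vector, that reads a Vector config and reports aws_s3 sinks with a public or cross-account canned ACL, no server-side encryption, SSE-KMS without a named key, a drop_newest or memory buffer, or a disabled healthcheck. The parser handles only the flat TOML subset used in this page's examples ([table.headers], dotted keys, strings, integers, booleans and string arrays); use tomllib (Python 3.11+) for real configs. The two sinks in SAMPLE_CONFIG are constructed, and the severities are this example's own choices.

```python
import json

# Added example, not Vector's own code: audit the aws_s3 sinks in a Vector
# config for settings with security consequences. The parser covers only the
# flat TOML subset used on this page; prefer tomllib for real configs.


def parse_vector_toml(text):
    config = {}
    table = config
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (no '#' inside strings here)
        if not line:
            continue
        if line.startswith("["):
            table = config
            for part in line.strip("[]").split("."):
                table = table.setdefault(part, {})
            continue
        key, _, value = line.partition("=")
        target = table
        *parents, leaf = key.strip().split(".")
        for part in parents:
            target = target.setdefault(part, {})
        target[leaf] = json.loads(value.strip())  # "str", 123, true/false, ["a", "b"]
    return config


def audit_s3_sink(name, sink):
    findings = []
    acl = sink.get("acl")
    if acl in ("public-read", "public-read-write"):
        findings.append((name, "HIGH", f"acl = {acl!r} exposes every log object to the internet"))
    elif acl == "authenticated-read":
        findings.append((name, "HIGH", "acl = 'authenticated-read' lets any AWS account read the objects"))
    if "server_side_encryption" not in sink:
        findings.append((name, "MEDIUM", "no server_side_encryption; relies on a bucket default this config cannot verify"))
    elif sink["server_side_encryption"] == "aws:kms" and "ssekms_key_id" not in sink:
        findings.append((name, "LOW", "SSE-KMS without ssekms_key_id uses the AWS managed key; a customer managed key puts access under your own key policy"))
    buffer = sink.get("buffer", {})
    if buffer.get("when_full") == "drop_newest":
        findings.append((name, "MEDIUM", "buffer.when_full = 'drop_newest' silently discards events under back-pressure"))
    if buffer.get("type", "memory") == "memory":
        findings.append((name, "LOW", "memory buffer: buffered events are lost if Vector restarts; use type = 'disk' for audit logs"))
    if sink.get("healthcheck") is False:
        findings.append((name, "INFO", "healthcheck disabled; bad credentials surface only at the first flush"))
    return findings


def audit_config(text):
    config = parse_vector_toml(text)
    findings = []
    for name, sink in config.get("sinks", {}).items():
        if sink.get("type") == "aws_s3":
            findings.extend(audit_s3_sink(name, sink))
    return findings


# Constructed sample: one weak sink and one hardened sink.
SAMPLE_CONFIG = """
[sinks.weak]
type = "aws_s3"
inputs = ["my-source-id"]
bucket = "my-bucket"
compression = "gzip"
region = "us-east-1"
acl = "public-read"
buffer.type = "memory"
buffer.when_full = "drop_newest"
encoding.codec = "ndjson"

[sinks.hardened]
type = "aws_s3"
inputs = ["my-source-id"]
bucket = "my-bucket"
compression = "gzip"
region = "us-east-1"
server_side_encryption = "aws:kms"
ssekms_key_id = "alias/vector-logs"  # assumed alias
buffer.type = "disk"
buffer.max_size = 104900000
encoding.codec = "ndjson"
"""

if __name__ == "__main__":
    for sink, severity, message in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} {sink}: {message}")
```

Run it against the weak sink and it reports the public ACL, the missing encryption, the drop_newest policy and the memory buffer; the hardened sink produces no findings.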

Storage class

AWS S3 offers storage classes. You can apply defaults, and rules, at the bucket level or set the storage class at the object level. In the context of Vector only the object level is relevant (Vector does not create or modify buckets). You can set the storage class via the storage_class option.

Tags & metadata

Vector currently only supports AWS S3 object tags and does not support object metadata. If you require metadata support see issue #1694.

We believe tags are more flexible since they are separate from the actual S3 object. You can freely modify tags without modifying the object. Conversely, object metadata requires a full rewrite of the object to make changes.

Template Syntax

The key_prefix option supports Vector's template syntax, enabling dynamic values derived from the event's data. This syntax accepts strftime specifiers as well as the {{ field_name }} syntax for accessing event fields. For example:

vector.toml
[sinks.my_aws_s3_sink_id]
# ...
# Choose one of the following (TOML rejects duplicate keys in a table):
key_prefix = "date=%F/"
# key_prefix = "date=%F/hour=%H/"
# key_prefix = "year=%Y/month=%m/day=%d/"
# key_prefix = "application_id={{ application_id }}/date=%F/"
# ...

You can learn more about the complete syntax in the templating reference.
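To see how the key_prefix template, filename_time_format, filename_extension and filename_append_uuid options combine into the object name shown under Object naming, here is an added example that is not Vector's own code. It expands strftime specifiers with the event's timestamp first and then substitutes {{ field }} references from the event, so a field value is never re-parsed as a time format. The event layout (an RFC 3339 UTC "timestamp" field plus a few constructed fields), the error raised on a missing field, and the rejection of "/" in substituted values are this example's assumptions, not documented Vector behaviour; the last one is there because a "/" in a field value would move the object into a different partition and outside any prefix-scoped IAM policy.

```python
import re
import uuid
from datetime import datetime, timezone

# Added example, not Vector's own code: render the S3 object key
# <key_prefix><timestamp>-<uuidv4>.<extension> from the naming options.
# Assumptions: events carry an RFC 3339 UTC "timestamp"; a missing field
# raises MissingField; a substituted value containing "/" is rejected.

FIELD_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


class MissingField(KeyError):
    pass


class UnsafeFieldValue(ValueError):
    pass


def lookup(event, path):
    """Resolve a dotted field path such as "host.name" inside the event."""
    current = event
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            raise MissingField(path)
        current = current[part]
    return current


def parse_timestamp(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def render_template(template, event, when):
    # Time specifiers first, on the trusted template text only. %F and %s are
    # expanded by hand so the result does not depend on the platform's strftime.
    text = template.replace("%F", "%Y-%m-%d").replace("%s", str(int(when.timestamp())))
    text = when.strftime(text)

    def substitute(match):
        value = str(lookup(event, match.group(1)))
        if "/" in value:
            # Would change the partition the object lands in.
            raise UnsafeFieldValue(f"{match.group(1)}={value!r}")
        return value

    # Field values are inserted verbatim and never re-parsed.
    return FIELD_RE.sub(substitute, text)


def object_key(event, key_prefix="date=%F/", filename_time_format="%s",
               filename_extension="log", filename_append_uuid=True,
               uuid_factory=uuid.uuid4):
    when = parse_timestamp(event["timestamp"])
    prefix = render_template(key_prefix, event, when)
    name = render_template(filename_time_format, event, when)
    if filename_append_uuid:
        name = f"{name}-{uuid_factory()}"
    return f"{prefix}{name}.{filename_extension}"


# Constructed event.
EVENT = {"timestamp": "2019-06-18T19:37:14Z", "application_id": "billing",
         "host": {"name": "web-1"}, "message": "GET /health 200"}

if __name__ == "__main__":
    print(object_key(EVENT))
    print(object_key(EVENT, key_prefix="application_id={{ application_id }}/date=%F/hour=%H/"))
```

With a fixed UUID the default options reproduce the page's example name, date=2019-06-18/1560886634-fddd7a0e-fad9-4f7e-9bce-00ae5debc563.log, since 1560886634 is 2019-06-18T19:37:14Z.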