Overview
This guide assumes you have already deployed a Big Peer and that it runs on Amazon EKS (for S3) or Azure AKS (for Azure Blob Storage). The steps below configure attachments on that existing Big Peer. Attachment setup has two halves:- You provision the cloud storage and identity — the bucket or container, and the cloud identity your Big Peer will use to access it. The Operator does not create these.
- The Operator wires that identity into the Big Peer workloads — based on
spec.attachments.backend, it sets the right service account annotations, pod labels, and environment variables.
Attachment Service Accounts
A single Big Peer runs three workloads that access attachments, each under its own service account. For a Big Peer namedexample in namespace ditto, they are:
ditto-example-apiditto-example-subscriptionditto-example-replication
Secret, not a service account identity, so this doesn’t apply.)
Object Key Layout
Each attachment is stored as an object in your S3 bucket or Azure container. An object’s key is its full path within that bucket or container. So that several Big Peers can share one bucket or container without colliding, the Operator gives every Big Peer its own key prefix — a folder-like path that all of its attachment objects’ keys begin with. The prefix is<root>/<big-peer-name>/<namespace>, and <root> defaults to big-peer/attachments. So the example Big Peer in the ditto namespace stores its attachment objects under keys that start with:
prefix field under spec.attachments.backend.s3 (or .azure). For example, prefix: my-team/blobs stores objects under my-team/blobs/example/ditto/. The Operator always appends /<big-peer-name>/<namespace>, so each Big Peer stays isolated.
Amazon S3 (EKS)
This path uses IAM Roles for Service Accounts (IRSA): the Big Peer’s service accounts assume an IAM role via your cluster’s OIDC provider — no static credentials are stored in the cluster.Confirm prerequisites
aws CLI configured for the target account, and your Big Peer’s name (example) and namespace (ditto).Check whether the OIDC provider is associated:Create the S3 bucket
us-east-1, omit --create-bucket-configuration (that region rejects a LocationConstraint). We recommend enabling default encryption and blocking public access on the bucket.Create a least-privilege IAM policy
Create the IAM role with an IRSA trust policy
StringLike wildcard ditto-example-* covers -api, -subscription, and -replication in one statement.eksctl create iamserviceaccount to create the service account — the Ditto Operator owns and manages those service accounts. Create the role directly (as above), or use eksctl create iamserviceaccount --role-only. The Operator applies the eks.amazonaws.com/role-arn annotation for you from the iamRoleArn you set on the Big Peer.Configure the Big Peer
network, auth, version, and other settings untouched. Replace the account ID in iamRoleArn with your own (the $ACCOUNT_ID from the first step):attachments block to that file (alongside network, auth, and transactions) and re-apply it. Don’t kubectl apply a spec that contains only attachments — that would remove your other settings.Azure Blob Storage (AKS)
The recommended path uses Azure Workload Identity: the Big Peer’s service accounts federate with a user-assigned managed identity, so no storage credential is stored in the cluster. An account-key alternative is documented at the end of this section.spec.version to a supported release — check the Big Peer release notes.Confirm prerequisites
az CLI logged in to the target subscription, and your Big Peer’s name (example) and namespace (ditto).Enable the OIDC issuer and Workload Identity if they aren’t already:Create the storage account and container
account must match ^[a-z0-9]{3,24}$ and container must match ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$.Create a user-assigned managed identity
Grant the identity data-plane access to the container
Create federated identity credentials — one per service account
Configure the Big Peer
network, auth, version, and other settings untouched. Set clientId to the identity’s client ID (the $CLIENT_ID from the managed-identity step):attachments block to that file (alongside network, auth, and transactions) and re-apply it. Don’t kubectl apply a spec that contains only attachments — that would remove your other settings.Alternative: authenticate with a storage-account access key
Alternative: authenticate with a storage-account access key
Secret.First, read an account key and create the Secret in the Big Peer’s namespace:Secret from the Big Peer with a merge patch. The accessKey property defaults to AZURE_STORAGE_ACCESS_KEY:S3-Compatible Storage
Use this backend for any object store that speaks the S3 API but isn’t AWS S3 accessed through IRSA — for example MinIO, Google Cloud Storage (through its S3-compatible endpoint), or AWS S3 itself with a static access key. It authenticates with an access key and secret held in a KubernetesSecret, so — unlike the Amazon S3 (EKS) and Azure Blob Storage (AKS) paths — it works on any Kubernetes cluster, needs no EKS/AKS identity setup, and does not use the three-service-account trust.
Create the bucket and get an access key
- MinIO
- Google Cloud Storage
- Amazon S3
mc mb myminio/ditto-example-attachments) and an access key / secret key pair with read/write access. Set endpoint to your MinIO URL — for example an in-cluster http://minio.ditto.svc.cluster.local:9000.MinIO supports both S3 addressing styles; choose based on your DNS:- Virtual-hosted (
<bucket>.<endpoint>) — the Big Peer’s default, and works today. The bucket subdomain must resolve, so configure MinIO for virtual-host addressing (itsMINIO_DOMAINsetting) with matching wildcard DNS. AWS S3 and Google Cloud Storage provide this automatically. - Path-style (
<endpoint>/<bucket>) — coming in a future Ditto Operator release. When theforcePathStylefield ships, setforcePathStyle: trueto drop the bucket-subdomain DNS requirement (the simplest option for a MinIO reached by an in-cluster service name or a plain hostname). Until then, use virtual-hosted addressing (above).
Store the credentials in a Secret
Secret in the Big Peer’s namespace holding the access key ID and secret:Configure the Big Peer
s3Compatible backend to your existing Big Peer, using the endpoint, bucket, and Secret from the previous steps:region is optional — use auto for Google Cloud Storage, or the bucket’s region (for example us-west-2) for AWS S3 or MinIO deployments that require one. credentialsSecretRef reads the keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY by default; set accessKeyId / secretAccessKey if your Secret uses different keys.Verify Attachment Storage
Secret instead, so it has no service account annotation or injected identity token; for that path, skip to the upload-and-fetch check.Confirm the service account identity annotation
metadata.annotations:- AWS:
eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/ditto-example-attachments - Azure (Workload Identity):
azure.workload.identity/client-id: <clientId>
ditto-example-subscription and ditto-example-replication.Confirm credentials are wired into the pods
AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE:azure.workload.identity/use: "true" label, and the AKS webhook injects the AZURE_* environment:Upload and fetch an attachment
newAttachment / fetchAttachment round-trip, or the HTTP API attachment endpoints, and confirm the blob round-trips. You can also confirm objects appear under your bucket or container (these commands reuse the $BUCKET / $ACCOUNT / $CONTAINER variables you exported earlier — set them again if you’re in a new shell):