Skip to content

S3-Compatible Object Storage

Use this Drive with AWS S3 and compatible services such as COS, OSS, and MinIO.

FieldDescription
Access Key / Secret KeyAccess credentials
BucketName of an existing bucket
RegionService region; usually required for AWS
EndpointAPI address for a compatible service; may be left empty for AWS depending on the environment
Path styleUses endpoint/bucket/key; often required by MinIO and similar services
Proxy upload/downloadForces file contents through go-drive
Cache TTLEntry cache time

The credentials need at least permission to list, read, write, copy, and delete objects in the target bucket. Create a dedicated least-privilege account for go-drive.

CORS for direct browser transfers

When proxy upload/download is disabled, the browser accesses S3 directly. The bucket's CORS policy must at least allow the go-drive site origin to use:

  • Upload: PUT and POST, request headers content-type and x-amz-content-sha256, with etag exposed.
  • Download: GET and HEAD.

AWS example:

json
[
  {
    "AllowedHeaders": ["content-type", "x-amz-content-sha256"],
    "AllowedMethods": ["PUT", "POST"],
    "AllowedOrigins": ["https://drive.example.com"],
    "ExposeHeaders": ["etag"]
  },
  {
    "AllowedHeaders": [],
    "AllowedMethods": ["GET", "HEAD"],
    "AllowedOrigins": ["https://drive.example.com"],
    "ExposeHeaders": []
  }
]

Also add the site domain to the object store's Referer or hotlink-protection allowlist. Do not use * instead of explicit domains and request headers in production.

Troubleshooting

  • HeadBucket fails: check the endpoint, region, DNS, certificate, and credential permissions.
  • Addressing errors with a compatible service: switch path-style mode.
  • Browser uploads fail but background copies succeed: this is usually CORS or hotlink protection, not the S3 credentials.
  • An internal-only site cannot access cloud direct links: enable proxy upload/download.

Released under the MIT License.