S3 Exports

Export artifacts directly to S3.


Credentials

Supported authentication methods:

IAM Role (Recommended)

If your nodes have an IAM role with S3 access, no additional configuration is needed. Just specify the bucket name in your export commands.

IAM Roles for Service Accounts (IRSA)

On EKS, configure IRSA for the reel agent service account. No secret needed.

Kubernetes Secret

Create a secret with AWS credentials:

kubectl create secret generic aws-credentials -n reel \
  --from-literal=AWS_ACCESS_KEY_ID=<key> \
  --from-literal=AWS_SECRET_ACCESS_KEY=<secret> \
  --from-literal=AWS_REGION=us-west-2

Reference the secret by name with the --s3-secret-name CLI flag or the reel.io/s3-secret annotation, as explained below.

Export Methods

CLI

# With IAM role
reel export sbom my-app -n production --dest s3://my-bucket/sbom.json

# With Kubernetes secret
reel export sbom my-app -n production \
  --s3-secret-name aws-credentials \
  --dest s3://my-bucket/sbom.json

| Flag | Description |
| --- | --- |
| --dest | S3 URI (s3://bucket/path) |
| --s3-bucket | S3 bucket name |
| --s3-region | AWS region |
| --s3-secret-name | Kubernetes secret with AWS credentials |

Annotations

Set default S3 configuration on pods or namespaces:

annotations:
  reel.io/s3-bucket: "my-bucket"
  reel.io/s3-region: "us-west-2"
  # Optional: if using a Kubernetes secret
  reel.io/s3-secret: "aws-credentials"

| Annotation | Description |
| --- | --- |
| reel.io/s3-bucket | Default S3 bucket |
| reel.io/s3-region | AWS region |
| reel.io/s3-secret | K8s secret name with AWS credentials |

Scheduled Exports

Combine S3 configuration with scheduling annotations:

annotations:
  reel.io/s3-bucket: "compliance-bucket"
  reel.io/s3-region: "us-west-2"
  reel.io/schedule: |
    0 2 * * * | export layer --dest layer-next.tar.gz
    next | export sbom --dest sbom-next.json

Priority

S3 settings can be configured at multiple levels. When the same setting is defined in more than one place, higher priority wins:

  1. CLI flags — override everything
  2. Pod annotations — per-workload defaults
  3. Namespace annotations — shared defaults for all pods in a namespace

See configuration priority for more details.
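
The following sketch is an added example, not code from reel: it models the priority order above to show which level supplies each S3 setting for a given export, so a reviewer can see where artifacts will land and which credentials are used. The function names, the approved-bucket list and the rule that an empty value counts as unset are assumptions, and a bucket carried inside a --dest URI is not modelled.

```python
# Added example: models the precedence documented above; not reel's own code.
from typing import Dict, List, Set, Tuple

# setting -> (CLI flag, annotation key), names taken from the tables on this page
SETTINGS = {
    "bucket": ("--s3-bucket", "reel.io/s3-bucket"),
    "region": ("--s3-region", "reel.io/s3-region"),
    "secret": ("--s3-secret-name", "reel.io/s3-secret"),
}

Effective = Dict[str, Tuple[str, str]]  # setting -> (value, source level)


def resolve_s3_settings(cli: Dict[str, str], pod: Dict[str, str],
                        namespace: Dict[str, str]) -> Effective:
    """Resolve each setting independently: CLI flag > pod > namespace annotation."""
    effective: Effective = {}
    for setting, (flag, annotation) in SETTINGS.items():
        levels = (("cli", cli.get(flag)), ("pod", pod.get(annotation)),
                  ("namespace", namespace.get(annotation)))
        for source, value in levels:
            if value:  # assumption: unset or empty falls through to the next level
                effective[setting] = (value, source)
                break
    return effective


def audit(effective: Effective, approved_buckets: Set[str]) -> List[str]:
    """Flag exports that leave the approved buckets or rely on static keys."""
    findings = []
    if "bucket" in effective and effective["bucket"][0] not in approved_buckets:
        value, source = effective["bucket"]
        findings.append(f"bucket {value!r} set at {source} level is not approved")
    if "secret" in effective:
        value, source = effective["secret"]
        findings.append(f"static credentials from secret {value!r} ({source} level)")
    return findings


if __name__ == "__main__":
    # Constructed sample input: one ad-hoc CLI export against annotated defaults.
    eff = resolve_s3_settings(
        {"--s3-bucket": "adhoc-bucket"},
        {"reel.io/s3-bucket": "team-bucket", "reel.io/s3-region": "us-west-2"},
        {"reel.io/s3-bucket": "compliance-bucket", "reel.io/s3-secret": "aws-credentials"},
    )
    for name, (value, source) in eff.items():
        print(f"{name}: {value} (from {source})")
    for finding in audit(eff, {"compliance-bucket", "team-bucket"}):
        print("FINDING:", finding)
```

Because settings resolve one at a time, a CLI flag that overrides only the bucket still inherits the region and secret from the annotations beneath it.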