AWS S3
Amazon S3 (Simple Storage Service) is a secure and scalable object storage service from AWS. This integration allows you to forward your deployment and audit logs from env0 directly to an S3 bucket for long-term storage, analysis, or compliance purposes.
Prerequisites
Before you begin, make sure you have:
- Enabled OIDC in your env0 organization.
- Configured an Identity provider as explained in Set up an AWS OIDC authentication Guide.
Setup
To allow env0 to send logs to CloudWatch, you need an IAM policy with the necessary permissions. This policy will be attached to an IAM Role you use for OIDC authentication.
The policy allows env0 to create and write to two log groups: env0-deployments
and env0-audits
.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>"
}
]
}
Log Directory Structure
Logs will be stored in your bucket with the following directory structure and file name format:
<bucketPath>/<logType>/<year>/<month>/<day>/<HH:mm:ss>_<5_random_chars>.log
<bucketPath>
: Your custom path ( Optional ).
<logType
>: Will be eitherenv0-deployments
orenv0-audits
accordingly.
Self Configuration of CloudWatch Transporter
There are two ways to configure the integrations:
-
In the env0 app
In the organization's integrations page, click on Amazon S3 and fill the form's fields:
-
Using environment variables
In the env0 platform you will need to configure the following environment variables in any scope to forward the deployment logs. These are the relevant environment variables:
Environment variable name Description Mandatory ENV0_S3_LOG_ROLE_ARN
The ARN of the IAM role associated with your OIDC provider. Yes ENV0_S3_LOG_BUCKET_NAME
The name of the S3 bucket where logs will be stored. Yes ENV0_S3_LOG_AWS_REGION
The AWS region where your S3 bucket is located. Yes ENV0_S3_LOG_BUCKET_PATH
An optional path (prefix) within the bucket to store the logs. No ENV0_S3_LOG_SESSION_DURATION
The OIDC token session duration in seconds. Defaults to 3600 (1 hour) if not set. No
env0 sets a default bucket path according to the log type:
Updated 21 days ago