Amazon S3 (Simple Storage Service) is a secure and scalable object storage service from AWS. This integration allows you to forward your deployment and audit logs from env zero directly to an S3 bucket for long-term storage, analysis, or compliance purposes.

Prerequisites

Before you begin, make sure you have:
  1. Enabled OIDC in your env zero organization.
  2. Configured an identity provider as explained in the Set up an AWS OIDC authentication guide.

Setup

To allow env zero to send logs to S3, you need an IAM policy with the necessary permissions. This policy will be attached to an IAM Role you use for OIDC authentication.
The policy allows env zero to create and write to your S3 bucket.
Log Transporter Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>"
        }
    ]
}
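
To confirm that the policy attached to the OIDC role grants nothing beyond the Log Transporter Policy shown above, its JSON can be checked with a script like the following. This is an added example, not env zero's code; the function name `audit_log_policy` and the bucket name `example-env0-logs` are assumptions made for illustration.

```python
import json

# Actions granted by the page's Log Transporter Policy, mapped to the ARN
# suffix each is scoped to ("" = the bucket itself, "/*" = objects in it).
EXPECTED = {"s3:putobject": "/*", "s3:getbucketlocation": ""}


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    return list(value) if isinstance(value, list) else [value]


def audit_log_policy(policy_json, bucket):
    """Return findings where a policy differs from the documented one."""
    arn, findings, granted = f"arn:aws:s3:::{bucket}", [], set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants everything not listed")
            continue
        for action in _as_list(stmt.get("Action", [])):
            suffix = EXPECTED.get(action.lower())  # action names are case-insensitive
            if suffix is None:
                findings.append(f"unexpected action: {action}")
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if resource == arn + suffix:
                    granted.add(action.lower())
                else:
                    findings.append(f"{action} on unexpected resource: {resource}")
    for action in sorted(set(EXPECTED) - granted):
        findings.append(f"missing grant: {action}")
    return findings


# Constructed samples: the page's policy for a placeholder bucket, and an
# over-broad policy that a reviewer would want flagged.
BUCKET = "example-env0-logs"  # placeholder bucket name (assumption)
DOCUMENTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation"],
     "Resource": f"arn:aws:s3:::{BUCKET}"}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_log_policy(DOCUMENTED, BUCKET))
    print(audit_log_policy(TOO_BROAD, BUCKET))
```

The check ignores `Condition` elements and compares resources as exact strings, so a policy that is stricter than the documented one in other ways still needs a manual read.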

Log Directory Structure

Logs will be stored in your bucket with the following directory structure and file name format:
<bucketPath>/<logType>/<year>/<month>/<day>/<HH:mm:ss>_<5_random_chars>.log
  • <bucketPath>: Your custom path (Optional)
  • <logType>: Will be either env0-deployments or env0-audits accordingly

Self Configuration of CloudWatch Transporter

There are two ways to configure the integrations:
  1. In the env zero app

In the organization's integrations page, click on Amazon S3 and fill in the form's fields:
[Image: Log forwarding integration configuration form showing setup fields]
  2. Using environment variables

    In the env zero platform you will need to configure the following environment variables in any scope to forward the deployment logs. These are the relevant environment variables:
    | Environment variable name | Description | Mandatory |
    | --- | --- | --- |
    | ENV0_S3_LOG_ROLE_ARN | The ARN of the IAM role associated with your OIDC provider. | Yes |
    | ENV0_S3_LOG_BUCKET_NAME | The name of the S3 bucket where logs will be stored. | Yes |
    | ENV0_S3_LOG_AWS_REGION | The AWS region where your S3 bucket is located. | Yes |
    | ENV0_S3_LOG_BUCKET_PATH | An optional path (prefix) within the bucket to store the logs. | No |
    | ENV0_S3_LOG_SESSION_DURATION | The OIDC token session duration in seconds. Defaults to 3600 (1 hour) if not set. | No |

env zero sets a default bucket path according to the log type:
  1. Audit Logs:

    • bucket path - env0-audits
  2. Deployment Logs:

    • bucket path - env0-deployments