VaultS3

Lightweight, S3-compatible object storage server with built-in web dashboard. Single binary, low memory, encryption at rest.

Install / Use

/learn @Kodiqa-Solutions/VaultS3
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Lightweight S3-compatible object storage. Single binary, <80MB RAM, built-in dashboard.

License: AGPL v3 | Go 1.25+ | 80+ S3 operations

Why VaultS3?

MinIO needs 512MB+ RAM and locks features like per-bucket rate limiting behind a paid enterprise tier. SeaweedFS requires multiple components with no web UI. Garage lacks versioning, WORM, and notifications entirely.

VaultS3 gives you everything in one binary under 80MB RAM:

| | VaultS3 | MinIO | SeaweedFS | Garage |
|---|:---:|:---:|:---:|:---:|
| RAM (small deploy) | <80 MB | 512 MB+ | 50-200 MB | 50-150 MB |
| Single binary | Yes | Yes | No | Yes |
| Web dashboard | Built-in | Built-in | No | No |
| Raft clustering | Yes | Yes | Yes | Yes |
| Erasure coding | Yes | Yes | Yes | No |
| Active-active replication | Yes | Yes | No | No |
| FUSE mount | Built-in | No | Buggy | No |
| Full-text search | Yes | No | No | No |
| Version diff/tags | Yes | No | No | No |
| Lambda triggers | Yes | No | No | No |
| Virus scanning | Yes | No | No | No |
| Backup scheduler | Yes | No | No | No |

make build && ./vaults3
# Server at http://localhost:9000
# Dashboard at http://localhost:9000/dashboard/

Features

  • S3-compatible API — Works with any S3 client (AWS CLI, mc, boto3, minio-js)
  • Single binary — One file, no runtime dependencies, no Docker required
  • Low memory — Targets <80MB RAM (vs MinIO's 300-500MB)
  • BoltDB metadata — Embedded key-value store, no external database needed
  • S3 Signature V4 — Standard AWS authentication
  • AES-256-GCM encryption at rest — SSE-S3 (static key) and SSE-KMS (HashiCorp Vault or local key provider) encryption modes
  • Bucket policies — Public-read, private, custom S3-compatible JSON policies
  • Quota management — Per-bucket size and object count limits
  • Rate limiting — Token bucket rate limiter per client IP and per access key to prevent abuse
  • S3 Select — Execute SQL queries on CSV, JSON, and Parquet objects without downloading the full file
  • Multipart upload — Full lifecycle (Create, UploadPart, UploadPartCopy, Complete, Abort, ListUploads, ListParts)
  • Bucket tagging — S3-compatible tag sets with PUT/GET/DELETE
  • Bucket/Object ACL — S3-compatible ACL responses (GET/PUT)
  • Multiple access keys — Dynamic key management via BoltDB
  • Object tagging — Up to 10 tags per object
  • Range requests — Partial content downloads (206 responses)
  • Copy object — Same-bucket and cross-bucket copies
  • Batch delete — Multi-object delete with XML body
  • Virtual-hosted style URLs — bucket.domain/key in addition to path-style
  • Bucket default retention — Set default GOVERNANCE or COMPLIANCE retention on a bucket, auto-applied to new objects
  • Per-bucket Prometheus metrics — Request counts, bytes in/out, and errors with bucket labels at /metrics
  • Prometheus metrics — /metrics endpoint with storage, request, and runtime stats
  • Presigned URLs — Pre-authenticated URL generation
  • Web dashboard — Built-in React UI at /dashboard/ with home overview page, file browser (sortable columns, pagination, file preview, metadata panel, version history panel with diff viewer/rollback/tagging, multi-select, bulk delete, bulk zip download, breadcrumb navigation), drag-and-drop file and folder upload, copy-to-clipboard buttons, access key management, activity log, storage stats with auto-refresh, read-only settings viewer, IAM management, audit trail viewer (sortable, paginated), search (sortable, paginated), notifications, replication status, lambda triggers, backup management, bucket config (versioning toggle with status indicator, lifecycle editor, CORS editor), keyboard shortcuts (/ search, ? help), toast notifications (success/error/info), dark/light theme, responsive layout
  • Health checks — /health (liveness) and /ready (readiness) endpoints for load balancers and Kubernetes
  • Graceful shutdown — Drains in-flight requests on SIGTERM/SIGINT with configurable timeout
  • TLS support — Optional HTTPS with configurable cert/key paths
  • Object versioning — Per-bucket versioning with version IDs, delete markers, version-specific GET/DELETE/HEAD
  • Object locking (WORM) — Legal hold and retention (GOVERNANCE/COMPLIANCE) to prevent deletion
  • Lifecycle rules — Per-bucket object expiration (auto-delete after N days) with background worker
  • Gzip compression — Transparent compress-on-write, decompress-on-read with standard gzip
  • Access logging — Structured JSON lines log file of all S3 operations
  • Static website hosting — Serve index/error documents from buckets, no auth required
  • IAM users, groups & policies — Fine-grained access control with S3-compatible policy evaluation, default deny, wildcard matching
  • CORS per bucket — S3-compatible CORS configuration with OPTIONS preflight support
  • STS temporary credentials — Short-lived access keys with configurable TTL, auto-cleanup of expired keys
  • Audit trail — Persistent audit log with filtering by user, bucket, time range; auto-pruning via lifecycle worker
  • IP allowlist/blocklist — Global and per-user CIDR-based IP restrictions with IPv4/IPv6 support
  • S3 event notifications — Per-bucket webhook notifications on object mutations with event type and key prefix/suffix filtering, plus Kafka, NATS, Redis, AMQP/RabbitMQ, PostgreSQL, and Elasticsearch backends
  • Raft clustering — Multi-node cluster with HashiCorp Raft consensus for strongly consistent distributed metadata, automatic leader election, and node join/leave via HTTP API
  • Consistent hashing — xxhash64-based hash ring with virtual nodes for automatic data placement and request routing across cluster nodes via reverse proxy
  • Erasure coding — Reed-Solomon encoding (configurable data/parity shards) for disk-failure protection with background healer that auto-reconstructs degraded objects
  • High availability — Automatic failure detection (health probes with suspect/down state machine), failover proxy routing to healthy replicas, and background rebalancer for membership changes
  • Active-active replication — Bidirectional site-to-site sync with vector clocks for causal ordering, pluggable conflict resolution (last-writer-wins, largest-object, site-preference), and change log for efficient delta sync
  • Async replication — One-way async replication to peer VaultS3 instances with BoltDB-backed queue, retry with exponential backoff, and loop prevention
  • CLI tool — Standalone vaults3-cli binary for bucket, object, user, and replication management without AWS CLI
  • Presigned upload restrictions — Enforce max file size, content type whitelist, and key prefix on presigned PUT URLs
  • Full-text search — In-memory search index over object metadata, tags, content type, and key patterns with incremental updates
  • Webhook virus scanning — POST uploaded objects to a configurable scan endpoint (ClamAV, VirusTotal, etc.) with quarantine bucket for infected files
  • Data tiering — Automatic hot/cold storage migration based on access patterns with transparent reads and manual migration API
  • Backup scheduler — Scheduled full/incremental backups to local directory targets with cron-like scheduling and backup history
  • Git-like versioning — Visual diff between object versions (text and binary), version tagging with labels, one-click rollback to any version
  • FUSE mount — Mount VaultS3 buckets as local filesystem directories with read/write support, lazy loading, and SigV4 authentication. LRU block cache (256KB blocks, configurable size), metadata cache with TTL, kernel attribute caching, and SigV4 derived key caching for fast repeated reads
  • OIDC/JWT SSO — Sign in to the dashboard with external identity providers (Google, Keycloak, Auth0) via OpenID Connect. RS256 JWT verification with JWKS auto-discovery and caching. Email domain filtering, auto-create users, OIDC group to policy mapping.
  • Lambda compute triggers — Webhook-based function triggers on S3 events. Call external URLs with event payload and optional object body, optionally store the response as a new object. Per-bucket trigger configuration with event type and key prefix/suffix filtering. Worker pool with non-blocking dispatch.
  • SVG dashboard charts — Pure SVG bar chart (per-bucket sizes), donut chart (request method distribution), and sparkline (request a

GitHub Stars: 24
Category: Development
Updated: 1d ago
Forks: 2

Languages

Go

Security Score

90/100

Audited on Mar 31, 2026

No findings