Configure your own buckets (Helm)

For CARTO Self-hosted using Kubernetes and Helm

This documentation only applies to advanced Orchestrated container deployments using Kubernetes and Helm

For every CARTO Self-Hosted installation, we need some configured buckets to store resources that will be used by the platform. These storage buckets are part of the required infrastructure for importing and exporting data, map thumbnails, customization assets (custom logos and markers) and other internal data.

You can create and use your own storage buckets in any of the following supported storage providers:

Pre-requisites

Create 2 buckets in your preferred Cloud provider:
- Import Bucket
- Thumbnails Bucket.

There're no name constraints.

Map thumbnails storage objects (.png files) can be configured to be public (default) or private. In order to change this, set WORKSPACE_THUMBNAILS_PUBLIC="false". Some features, such as branding and custom markers, won't work unless the bucket is public. However, there's a workaround to avoid making the whole bucket public, which requires allowing public objects, allowing ACLs (or non-uniform permissions) and disabling server-side encryption.

Create the data export bucket. This bucket has to be created in different storage providers depending on your data warehouse:
- BigQuery: Google Cloud Storage
- Snowflake: AWS S3
- Redshift: AWS S3
- Amazon RDS: AWS S3

For buckets created in AWS S3:

ACLs should be allowed.
If server-side encryption is enabled, the user must be granted with permissions over the KMS key following the AWS documentation.

CORS configuration: Thumbnails and Import buckets require having the following CORS headers configured.
- Allowed origins: *
- Allowed methods: GET, PUT, POST
- Allowed headers (common): Content-Type, Content-MD5, Content-Disposition, Cache-Control
- GCS (extra): x-goog-content-length-range, x-goog-meta-filename
- Azure (extra): Access-Control-Request-Headers, X-MS-Blob-Type
- Max age: 3600

CORS is configured at bucket level in GCS and S3, and at storage account level in Azure.

How do I setup CORS configuration? Check the provider docs: GCS, AWS S3, Azure Blob Storage.

Generate credentials with Read/Write permissions to access those buckets, our supported authentication methods are:
- GCS: Service Account Key
- AWS: Access Key ID and Secret Access Key
- Azure Blob: Access Key

Setup

Import and Thumbnails buckets

In order to use Google Cloud Storage custom buckets you need to:

Add the following lines to your customizations.yaml and replace the <values> with your own settings:

appConfigValues:
  storageProvider: "gcp"
  workspaceImportsBucket: <import_bucket_name>
  workspaceImportsPublic: <false|true>
  workspaceThumbnailsBucket: <thumbnails_bucket_name>
  workspaceThumbnailsPublic: <false|true>
  thumbnailsBucketExternalURL: <public or authenticated external bucket URL>
  googleCloudStorageProjectId: <gcp_project_id>

Note that thumbnailsBucketExternalURL could be https://storage.googleapis.com/<thumbnails_bucket_name>/ for public access or https://storage.cloud.google.com/<thumbnails_bucket_name>/ for authenticated access.

Select a Service Account that will be used by the application to interact with the buckets. There are two options:
1. Using a custom Service Account, that will be used not only for the buckets, but for the services deployed by CARTO as well. If you are using Workload Identity, that's your option.
2. Using a dedicated Service Account only for the buckets
Grant the selected Service Account with the role roles/iam.serviceAccountTokenCreator in the GCP project where it was created.

⚠️ We don't recommend granting this role at project IAM level, but instead at the Service Account permissions level (IAM > Service Accounts > your_service_account > Permissions).

Grant the selected Service Account with the role roles/storage.admin to the buckets created.
[OPTIONAL] Pass your GCP credentials as secrets: This is only required if you are going to use a dedicated Service Account only for the buckets
- Option 1: Automatically create the secret:
  appSecrets: googleCloudStorageServiceAccountKey: value: | <REDACTED>
appSecrets.googleCloudStorageServiceAccountKey.value should be in plain text, preserving the multiline and correctly tabulated.
- Option 2: Using existing secret: Create a secret running the command below, after replacing the <PATH_TO_YOUR_SECRET.json> value with the path to the file of the Service Account:
  kubectl create secret generic \ [-n my-namespace] \ mycarto-google-storage-service-account \ --from-file=key=<PATH_TO_YOUR_SECRET.json>
  Add the following lines to your customizations.yaml, without replacing any value:
  appSecrets: googleCloudStorageServiceAccountKey: existingSecret: name: mycarto-google-storage-service-account key: key

In order to use AWS S3 custom buckets you need to:

Create an IAM user and generate a programmatic key ID and secret.
Grant this user with read/write access permissions over the buckets. If server-side encryption is enabled, the user must be granted with permissions over the KMS key used.
Add the following lines to your customizations.yaml and replace the <values> with your own settings:

appConfigValues:
  storageProvider: "s3"
  workspaceImportsBucket: <import_bucket_name>
  workspaceImportsPublic: <false|true>
  workspaceThumbnailsBucket: <thumbnails_bucket_name>
  workspaceThumbnailsPublic: <false|true>
  thumbnailsBucketExternalURL: <external bucket URL>
  awsS3Region: <s3_buckets_region>

Note that thumbnailsBucketExternalURL should be https://<thumbnails_bucket_name>.s3.amazonaws.com/

Pass your AWS credentials as secrets by using one of the options below:
- Option1: Automatically create a secret
  Add the following lines to your customizations.yaml replacing it with your access key values:
  appSecrets: awsAccessKeyId: value: "<REDACTED>" awsAccessKeySecret: value: "<REDACTED>"
  appSecrets.awsAccessKeyId.value and appSecrets.awsAccessKeySecret.value should be in plain text
- Option 2: Using an existing secret
  Create a secret running the command below, after replacing the <REDACTED> values with your key values:
  kubectl create secret generic \ [-n my-namespace] \ mycarto-custom-s3-secret \ --from-literal=awsAccessKeyId=<REDACTED> \ --from-literal=awsSecretAccessKey=<REDACTED>
  Use the same namespace where you are installing the helm chart
  Add the following lines to your customizations.yaml, without replacing any value:
  appSecrets: awsAccessKeyId: existingSecret: name: mycarto-custom-s3-secret key: awsAccessKeyId awsAccessKeySecret: existingSecret: name: mycarto-custom-s3-secret key: awsSecretAccessKey

In order to use Azure Storage buckets you need to:

Generate an Access Key, from the storage account's Security properties.
Add the following lines to your customizations.yaml and replace the <values> with your own settings:

appConfigValues:
  storageProvider: "azure-blob"
  azureStorageAccount: <storage_account_name>
  workspaceImportsBucket: <import_bucket_name>
  workspaceImportsPublic: <false|true>
  workspaceThumbnailsBucket: <thumbnails_bucket_name>
  thumbnailsBucketExternalURL: <external bucket URL>
  workspaceThumbnailsPublic: <false|true>

Note that thumbnailsBucketExternalURL should be https://<azure_resource_group>.blob.core.windows.net/<thumbnails_bucket_name>/

Pass your credentials as secrets by using one of the options below:
- Option 1: Automatically create the secret: Add the following lines to your customizations.yaml replacing it with your access key value:
  appSecrets: azureStorageAccessKey: value: "<REDACTED>"
  appSecrets.azureStorageAccessKey.value should be in plain text
- Option 2: Using existing secret: Create a secret running the command below, after replacing the <REDACTED> values with your key values:
  kubectl create secret generic \ [-n my-namespace] \ mycarto-custom-azure-secret \ --from-literal=azureStorageAccessKey=<REDACTED>
  Use the same namespace where you are installing the helm chart
  Add the following lines to your customizations.yaml, without replacing any value:
  appSecrets: awsAccessKeyId: existingSecret: name: mycarto-custom-azure-secret key: azureStorageAccessKey

Data export bucket

Configure data export bucket for BigQuery

To enable exporting data from BigQuery on CARTO Self-Hosted platform these are the required steps:

Grant read/write permissions to the service account used by your CARTO Self-Hosted installation on the GCS bucket created in the pre-requisites.
Define the name the bucket that will be used for exporting data in your customizations.yaml file:

appConfigValues:
    workspaceExportsBucket: <YOUR_EXPORTS_BUCKET>

Configure data exports in Snowflake and Redshift

Snowflake and Redshift require an AWS S3 bucket to export data from CARTO platform. These are the needed steps for allowing exporting data from CARTO Self-Hosted in these providers:

Create an IAM user and generate a programmatic key ID and secret. If server-side encryption is enabled, the user must be granted with permissions over the KMS key used.

If you've already configured the Import and Thumbnails buckets using AWS S3, you can use the same user you already created for these buckets.

Create an AWS IAM role with the following settings:

Trusted entity type: Custom trust policy.
Custom trust policy: Make sure to replace <your_aws_user_arn>.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": {
              "AWS": "<your_aws_user_arn>"
          },
          "Action": [
              "sts:AssumeRole",
              "sts:TagSession"
          ]
      }
  ]
}

Add permissions: Create a new permissions' policy, replacing <your_aws_s3_bucket_name>.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": "s3:ListBucket",
           "Resource": "arn:aws:s3:::<your_aws_s3_bucket_name>"
       },
       {
           "Effect": "Allow",
           "Action": "s3:*Object",
           "Resource": "arn:aws:s3:::<your_aws_s3_bucket_name>/*"
       }
   ]
}

Update your customizations.yaml file with the following values:

appConfigValues:
    awsExportBucket: <BUCKET_NAME>
    awsExportBucketRegion: <REGION>
    exportAwsRoleArn: <ROLE_ARN>

Pass your AWS credentials as secrets:

Option 1: Automatically create the secret:

appSecrets:
  exportAwsSecretAccessKey:
    value: <REDACTED>
  exportAwsAccessKeyId:
    value: <REDACTED>

appSecrets.exportAwsSecretAccessKey.value and appSecrets.exportAwsAccessKeyId.value be in plain text, preserving the multiline and correctly tabulated.

Option 2: Using existing secret: Create a secret running the command below:

kubectl create secret generic \
  [-n my-namespace] \
  mycarto-export-aws-access-key \
  --from-literal=key-id=<ACCESS_KEY_ID>
  --from-literal=key-secret=<ACCESS_KEY_SECRET>

Add the following lines to your customizations.yaml, without replacing any value:

appSecrets:
  exportAwsSecretAccessKey:
    existingSecret:
      name: mycarto-export-aws-access-key
      key: key-id
  exportAwsAccessKeyId:
    existingSecret:
      name: mycarto-export-aws-access-key-id
      key: key-secret

Configure data exports in Amazon RDS for PostgreSQL

The bucket to export data from Amazon RDS for PostgreSQL can be configured from the CARTO platform UI. Once your Self-Hosted installation is finished, you can check in the following documentation how to configure your S3 bucket integration for Amazon RDS for PostgreSQL.

PreviousGuides (Helm)NextConfigure an external in-memory cache (Helm)

Last updated 3 months ago

Was this helpful?