Amazon S3

Amazon Simple Storage Service (Amazon S3) provides cloud object storage for a variety of use cases. You can use S3 with Flink for reading and writing data as well in conjunction with the streaming state backends.

You can use S3 objects like regular files by specifying paths in the following format:

  1. s3://<your-bucket>/<endpoint>

The endpoint can either be a single file or a directory, for example:

  1. // Read from S3 bucket
  2. env.readTextFile("s3://<bucket>/<endpoint>");
  3. // Write to S3 bucket
  4. stream.writeAsText("s3://<bucket>/<endpoint>");
  5. // Use S3 as checkpoint storage
  6. Configuration config = new Configuration();
  7. config.set(CheckpointingOptions.CHECKPOINT_STORAGE, "filesystem");
  8. config.set(CheckpointingOptions.CHECKPOINTS_DIRECTORY, "s3://<your-bucket>/<endpoint>");
  9. env.configure(config);

Note that these examples are not exhaustive and you can use S3 in other places as well, including your high availability setup or the EmbeddedRocksDBStateBackend; everywhere that Flink expects a FileSystem URI (unless otherwise stated).

For most use cases, you may use one of our flink-s3-fs-hadoop and flink-s3-fs-presto S3 filesystem plugins which are self-contained and easy to set up. For some cases, however, e.g., for using S3 as YARN’s resource storage dir, it may be necessary to set up a specific Hadoop S3 filesystem implementation.

Hadoop/Presto S3 File Systems plugins

You don’t have to configure this manually if you are running Flink on EMR.

Flink provides two file systems to talk to Amazon S3, flink-s3-fs-presto and flink-s3-fs-hadoop. Both implementations are self-contained with no dependency footprint, so there is no need to add Hadoop to the classpath to use them.

Both flink-s3-fs-hadoop and flink-s3-fs-presto register default FileSystem wrappers for URIs with the s3:// scheme, flink-s3-fs-hadoop also registers for s3a:// and flink-s3-fs-presto also registers for s3p://, so you can use this to use both at the same time. For example, the job uses the FileSystem which only supports Hadoop, but uses Presto for checkpointing. In this case, you should explicitly use s3a:// as a scheme for the sink (Hadoop) and s3p:// for checkpointing (Presto).

To use flink-s3-fs-hadoop or flink-s3-fs-presto, copy the respective JAR file from the opt directory to the plugins directory of your Flink distribution before starting Flink, e.g.

  1. mkdir ./plugins/s3-fs-presto
  2. cp ./opt/flink-s3-fs-presto-1.20.0.jar ./plugins/s3-fs-presto/

Configure Access Credentials

After setting up the S3 FileSystem wrapper, you need to make sure that Flink is allowed to access your S3 buckets.

The recommended way of setting up credentials on AWS is via Identity and Access Management (IAM). You can use IAM features to securely give Flink instances the credentials that they need to access S3 buckets. Details about how to do this are beyond the scope of this documentation. Please refer to the AWS user guide. What you are looking for are IAM Roles.

If you set this up correctly, you can manage access to S3 within AWS and don’t need to distribute any access keys to Flink.

Access Keys (Discouraged)

Access to S3 can be granted via your access and secret key pair. Please note that this is discouraged since the introduction of IAM roles.

You need to configure both s3.access-key and s3.secret-key in Flink’s Flink configuration file:

  1. s3.access-key: your-access-key
  2. s3.secret-key: your-secret-key

You can limit this configuration to JobManagers by using Flink configuration file.

  1. # flink-s3-fs-hadoop
  2. fs.s3a.aws.credentials.provider: org.apache.flink.fs.s3.common.token.DynamicTemporaryAWSCredentialsProvider
  3. # flink-s3-fs-presto
  4. presto.s3.credential-provider: org.apache.flink.fs.s3.common.token.DynamicTemporaryAWSCredentialsProvider

Configure Non-S3 Endpoint

The S3 Filesystems also support using S3 compliant object stores such as IBM’s Cloud Object Storage and MinIO. To do so, configure your endpoint in Flink configuration file.

  1. s3.endpoint: your-endpoint-hostname

Configure Path Style Access

Some S3 compliant object stores might not have virtual host style addressing enabled by default, for example when using Standalone MinIO for testing purpose. In such cases, you will have to provide the property to enable path style access in Flink configuration file.

  1. s3.path.style.access: true

Entropy injection for S3 file systems

The bundled S3 file systems (flink-s3-fs-presto and flink-s3-fs-hadoop) support entropy injection. Entropy injection is a technique to improve the scalability of AWS S3 buckets through adding some random characters near the beginning of the key.

If entropy injection is activated, a configured substring in the path is replaced with random characters. For example, path s3://my-bucket/_entropy_/checkpoints/dashboard-job/ would be replaced by something like s3://my-bucket/gf36ikvg/checkpoints/dashboard-job/. This only happens when the file creation passes the option to inject entropy! Otherwise, the file path removes the entropy key substring entirely. See FileSystem.create(Path, WriteOption) for details.

The Flink runtime currently passes the option to inject entropy only to checkpoint data files. All other files, including checkpoint metadata and external URI, do not inject entropy to keep checkpoint URIs predictable.

To enable entropy injection, configure the entropy key and the entropy length parameters.

  1. s3.entropy.key: _entropy_
  2. s3.entropy.length: 4 (default)

The s3.entropy.key defines the string in paths that is replaced by the random characters. Paths that do not contain the entropy key are left unchanged. If a file system operation does not pass the “inject entropy” write option, the entropy key substring is simply removed. The s3.entropy.length defines the number of random alphanumeric characters used for entropy.