Configuration
The proxy configuration defines three things:
- Buckets — Virtual buckets that map client-visible names to backend object stores
- Roles — Trust policies for OIDC token exchange via
AssumeRoleWithWebIdentity - Credentials — Long-lived access keys for service accounts and internal tools
Config Format
The server runtime uses TOML:
toml
[[buckets]]
name = "public-data"
backend_type = "s3"
anonymous_access = true
[buckets.backend_options]
endpoint = "https://s3.us-east-1.amazonaws.com"
bucket_name = "my-public-assets"
region = "us-east-1"The CF Workers runtime uses JSON (as an environment variable or wrangler.toml object):
json
{
"buckets": [{
"name": "public-data",
"backend_type": "s3",
"anonymous_access": true,
"backend_options": {
"endpoint": "https://s3.us-east-1.amazonaws.com",
"bucket_name": "my-public-assets",
"region": "us-east-1"
}
}]
}Config Providers
The proxy can load configuration from multiple backends. See Config Providers for details.
| Provider | Feature Flag | Use Case |
|---|---|---|
| Static File | (always available) | Simple deployments, baked-in config |
| HTTP API | config-http | Centralized config service |
| DynamoDB | config-dynamodb | AWS-native infrastructure |
| PostgreSQL | config-postgres | Database-backed config |
All providers can be wrapped with a cache for performance.
Full Example
See the annotated config example for a complete configuration file with all options documented.