S3-Backed Storage For Datasette-Files

Issue 84 Edition 2026-03-25 4 min read

Not accepted General

Sources: 1 • Confidence: Medium • Updated: 2026-04-13 03:53

Key takeaways

A release titled "datasette-files-s3 0.1a1" has been announced.
datasette-files-s3 includes a mechanism to periodically fetch S3 configuration from a URL.
Periodic S3 configuration fetching enables use of time-limited IAM credentials restricted to a specific prefix within a bucket.
datasette-files-s3 is a backend for datasette-files that stores and retrieves files using an S3 bucket.

A release titled "datasette-files-s3 0.1a1" has been announced.
datasette-files-s3 is a backend for datasette-files that stores and retrieves files using an S3 bucket.

datasette-files-s3 includes a mechanism to periodically fetch S3 configuration from a URL.
Periodic S3 configuration fetching enables use of time-limited IAM credentials restricted to a specific prefix within a bucket.

What is the exact behavior and cadence of the periodic S3 configuration fetching (interval controls, caching, failure modes, backoff, and whether changes take effect immediately)?
What authentication/credential formats are supported by the S3 configuration (e.g., session tokens for short-lived credentials), and how are secrets protected in transit and at rest for the configuration URL?
What are the access-control guarantees around prefix restriction (how object keys are constructed, whether path traversal/key injection is prevented, and how multi-tenant isolation is handled if applicable)?
What are the consistency, durability, and error-handling semantics for uploads/downloads (retries, partial uploads, idempotency, and cleanup of failed writes)?
What is the maturity level and compatibility surface of the announced release (alpha stability expectations, upgrade path, and required versions of datasette-files/Datasette)?

S3 backend for datasette-files may increase suitability of Datasette deployments for cloud or container environments where local storage is limited, potentially expanding usage in teams that already standardize on S3 for object storage.
Periodic S3 configuration fetching from a URL suggests a workflow for rotating short-lived, prefix-scoped IAM credentials, implying emphasis on least-privilege operational patterns that could appeal to security-conscious adopters.

Documentation or release notes specify configurable fetch interval, caching, and failure behavior, and demonstrate smooth rotation of time-limited credentials without service interruption.
Evidence that S3 configuration supports session tokens and secure transport for the configuration URL, plus guidance on secret handling, indicating readiness for production credential rotation.
Clear safeguards for prefix restriction and object key construction, including protections against key injection and guidance for multi-tenant isolation when using shared buckets.

Alpha release remains unstable or incompatible with common Datasette or datasette-files versions, with unclear upgrade path, limiting real-world adoption.
Periodic configuration fetching is rigid or unreliable, with poor backoff or failure handling, causing credential rotation to break uploads or downloads.
Prefix restriction is weak or easily bypassed through object key manipulation, undermining least-privilege claims and discouraging use in constrained-access deployments.