Skip to content

The Nautilus ceph storage cluster can be accessed via S3 protocol. It uses our own storage, which is free for our users and is not related to Amazon or any commercial cloud.

Ceph filesystems data use

Credit: Ceph data usage

S3 ceph grafana dashboard


You should request your credentials (key and secret) in Matrix chat. Go there and let admins know you'd like to access S3, and which pool works best for you.

S3 regions settings

Use the appropriate endpoint URL for your S3 client or library.

Pool Inside endpoint Outside endpoint
West pool (default) http://rook-ceph-rgw-nautiluss3.rook
Central pool http://rook-ceph-rgw-centrals3.rook-central
East pool http://rook-ceph-rgw-easts3.rook-east
HaoSu pool http://rook-ceph-rgw-haosu.rook-haosu
Tide pool http://rook-ceph-rgw-tide.rook-tide

Note that the inside endpoint is http (without SSL) and the outside endpoint is https (with SSL). You can use the outside endpoint within the kubernetes cluster but it will end up going through a load balancer. By using the inside endpoint it is possible for multiple parallel requests from one or many machines to hit multiple separate OSD's and therefore achieve very large training set bandwith.

Using Rclone

The easiest way to access S3 is Rclone.

Use these options:

Storage: Amazon S3 Compliant Storage Providers

S3 provider: Ceph Object Storage

AWS Access Key ID, AWS Secret Access Key: ask in Matrix chat

Endpoint: use the regions section

Using s3cmd

S3cmd is an open-source tool for accessing S3.

To configure, create the ~/.s3cfg file with contents if you're accessing from outside of the cluster:

access_key = <your_key>
host_base =
host_bucket =
secret_key = <your_secret>
use_https = True

or this if accessing from inside:

access_key = <your_key>
host_base = http://rook-ceph-rgw-nautiluss3.rook
host_bucket = http://rook-ceph-rgw-nautiluss3.rook
secret_key = <your_secret>
use_https = False

Run s3cmd ls to see the available buckets.

Uploading files

Upload files with the s3cmd put FILE

$ s3cmd put <FILE> s3://<BUCKET>/<DIR>

Or, to upload a file to be public, use the -P for public file:

$ s3cmd put -P <FILE> s3://<BUCKET>/<DIR>
Public URL of the object is:

Using AWS S3 tool


First add your credentials to ~/.aws/credentials.

If you are familiar with the AWS CLI you can create an additional profile preserving your AWS credentials by adding it to ~/.aws/credentials:


[profile prp]

If you don't use AWS then you can just add credentials to [default] and skip the [profile] selection.

We recommend to use awscli-plugin-endpoint to write endpoint url in .aws/config, instead of typing endpoint in the CLI repeatedly. Install the plugin with:

pip install awscli-plugin-endpoint

There are a few steps on the awscli-plugin-endpoint to install this plugin. If you do not wish to add this plugin, add --endpoint-url to all commands below.

Your .aws/config file should look like:

[profile prp]

s3api =
    endpoint_url =

endpoint = awscli_plugin_endpoint


The AWS CLI (command line interface) has two modes of operation for S3, aws s3 are used for basic file manipulations (copy, list, delete, move, etc), and aws s3api for creating/deleting buckets, manipulating permissions, etc.

You can specify the endpoint on the command line (example: aws --endpoint s3 ls s3://bucket-name/path) or via the s3 endpoint plugin (which is sometimes hard to install).

  1. Create a bucket:

    aws s3api create-bucket --bucket BUCKETNAME --profile prp 
  2. List objects in the bucket:

    aws s3api list-buckets --profile prp
    aws s3 ls --profile prp
  3. Upload a file:

    aws s3 cp ~/hello.txt s3://BUCKETNAME/path --profile prp
  4. Upload a file and make it publicly accessible:

    aws s3 cp ~/hello.txt s3://BUCKETNAME/path --profile prp --acl public-read

    You can how access this file via a browser as

  5. Download a file:

    aws s3 cp s3://BUCKETNAME/path/hello.txt hello.txt 

Give multiple users full access to the bucket

When multiple users need to access a bucket you can set those permissions with the bucket policy. You set the bucket policy using the aws s3api command:

aws s3api put-bucket-policy --bucket BUCKETNAME --policy file://policy.json

Create policy.json with the following text (replace USER# and BUCKETNAME with your own users and bucket name), this policy will give all users full control over the bucket, other more granular bucket policies are certainly supported as well:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "AWS": [
      "Action": "s3:*",
      "Resource": [

More detailed policy.json examples at:

Using Cyberduck

Cyberduck is a free S3 client for Mac and Windows. It can be used to upload and download files to/from S3 buckets. To use Cyberduck with Ceph S3 endpoints you need to leverage "deprecated" path style requests. The simplest way to do this is to install the appropriate profile into Cyberduck referenced in the Cyberduck profiles documentation, S3 (Deprecated path style requests).cyberduckprofile.

Once you add the profile, you can connect to the S3 endpoint by entering the endpoint hostname in the "Server" field. If you enter it as a URL instead of a hostname, it will likely trigger the selection of a different and undesired connection profile. For example, to connect to the S3 endpoint the for the PRP project's western region, you would enter in the "Server" field. You can then enter your access key and secret key in the "Access Key ID" and "Secret Access Key" fields, respectively.

S3 Cookbook

S3 from tensorflow
with's3://bucket/myfile.mat', 'rb') as f:
   # yield your samples from the f file in your tensorflow dataset as usual
Note that smart_open supports both local and S3 files, so when you're testing this on a local file, it'll work as well as when you run it on the cluster and pass it in a file located on S3. See this [TFRecord][2] presentation for details.
Using S3 in GitLab CIsummary> In GitLab project go to `Settings`->`CI/CD`, open the `Variables` tab, and add the variables holding your S3 credentials: `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY`. Choose `protect variable` and `mask variable`. Your `.gitlab-ci.yml` file can look like:
  image: ubuntu
    - apt-get update && apt-get install -y curl unzip
    - curl | bash
  stage: build
    - rclone config create nautilus-s3 s3 endpoint provider Ceph access_key_id $ACCESS_KEY_ID secret_access_key $SECRET_ACCESS_KEY
    - rclone ls "nautilus-s3:"
Creating a new bucket in S3 - Create a new bucket (change profile to match what is in `~/.aws/credentials`, and endpoint to the appropriate endpoint (Ceph/S3/West is used in this example):
aws --endpoint s3api create-bucket --bucket my-bucket-name --profile prp