
How to configure Longhorn S3 for secure, repeatable access

Your cluster is humming, workloads running fine, until someone asks to restore a snapshot from Longhorn into S3. Suddenly, the clean hum turns into a mess of credentials, endpoints, and half-documented policies. This is the point where most teams start Googling “Longhorn S3 setup” and end up in YAML purgatory. Let’s fix that.

Longhorn gives you block-level snapshots and backups for Kubernetes volumes. Amazon S3 offers durable object storage with simple lifecycle control. Used together, they become a reliable disaster recovery pipeline. The trick is keeping access secure and repeatable so developers aren’t pasting keys or managing buckets by hand.

Here’s the logic that makes the pairing work. Longhorn stores volume snapshots locally. When you enable S3 backup in Longhorn, those snapshots get pushed to an S3 bucket through an endpoint defined in the backup target. Your choice of credentials and permissions determines whether backups sync automatically or fail silently. The aim is to bind Longhorn’s backup process to an identity-aware path that respects IAM roles, eliminates static secrets, and keeps restore time predictable.

To connect Longhorn to S3 efficiently, use temporary credentials from a trusted identity provider. AWS IAM roles with OIDC mapping from a system like Okta or your Kubernetes service account remove the need for shared access keys. This model aligns backups with the same RBAC rules that apply to your cluster workloads. If the pod identity rotates, Longhorn simply reauthenticates through that provider without downtime.

A common pain point is misconfigured region or endpoint URLs. Always verify that the endpoint in Longhorn matches the correct S3 region. Also, confirm the bucket policy allows PutObject and GetObject only from your designated IAM role. Limit ListBucket access to the backup prefix rather than the entire bucket.
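The checks in the paragraph above can be run against a bucket policy before it is applied. The following is an added example, not code from Longhorn or from this post; the bucket name, region, prefix, role ARN and both sample policies are constructed, and the allowed object actions are the two named above.

```python
import re

# Constructed sample values (not from the article); target form is s3://<bucket>@<region>/<path>/
TARGET = "s3://example-longhorn-backups@us-east-1/cluster-a/"
ROLE = "arn:aws:iam::111122223333:role/longhorn-backup"
BUCKET = "arn:aws:s3:::example-longhorn-backups"
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject"}

def parse_target(url):
    m = re.fullmatch(r"s3://([^@/]+)@([^/]+)/(.+?)/?", url)
    if not m:
        raise ValueError(f"not an s3://bucket@region/prefix target: {url}")
    return m.groups()  # (bucket, region, prefix)

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit(policy, target=TARGET, role=ROLE):
    """Return findings for Allow statements wider than role + backup prefix."""
    bucket, _region, prefix = parse_target(target)
    findings = []
    for n, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") != {"AWS": role}:
            findings.append(f"statement {n}: principal is not the backup role")
        resources = as_list(st.get("Resource", []))
        for action in as_list(st.get("Action", [])):
            if action in OBJECT_ACTIONS:
                if resources != [f"arn:aws:s3:::{bucket}/{prefix}/*"]:
                    findings.append(f"statement {n}: {action} not limited to {prefix}/")
            elif action == "s3:ListBucket":
                cond = st.get("Condition", {})
                keys = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
                scoped = as_list(keys.get("s3:prefix", []))
                if not scoped or any(not p.startswith(prefix + "/") for p in scoped):
                    findings.append(f"statement {n}: ListBucket not limited to {prefix}/")
            else:
                findings.append(f"statement {n}: unexpected action {action}")
    return findings

def allow(actions, resource, principal=ROLE, **extra):  # builds one constructed statement
    return {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": actions, "Resource": resource, **extra}

SCOPED = {"Statement": [
    allow(["s3:PutObject", "s3:GetObject"], BUCKET + "/cluster-a/*"),
    allow("s3:ListBucket", BUCKET, Condition={"StringLike": {"s3:prefix": "cluster-a/*"}})]}
BROAD = {"Statement": [allow("s3:*", BUCKET + "/*", principal="*")]}
```

`audit(SCOPED)` returns no findings, while `audit(BROAD)` flags both the open principal and the wildcard action.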

Benefits:

  • Stronger security posture through short-lived credentials and policy-bound access.
  • Lower operational friction when restoring data to new clusters.
  • Consistent backups across environments, ideal for hybrid or multi-cloud setups.
  • Simplified auditing with traceable IAM role usage.
  • Faster recovery time during incidents or testing.

For developer experience, this integration removes most manual steps. Snapshots flow directly to object storage with the right permissions baked in. No waiting for approval tickets or copying keys across systems. Fewer mistakes, fewer retries, happier operators. You gain real velocity because Longhorn S3 becomes a background service instead of a chore.

Platforms like hoop.dev turn those access rules into guardrails that enforce policy automatically. By connecting Longhorn and S3 through identity-aware automation, hoop.dev ensures your backup workflows stay compliant without slowing anyone down. It proves that secure-by-default doesn’t have to mean difficult.

Quick answer — How do I set up Longhorn S3 backups?

Define an S3 bucket, assign an IAM role with minimal privileges, then point Longhorn’s backup target to that bucket using credentials supplied through your identity provider. Test a backup and restore cycle. If both pass, you’re production ready.

In short, Longhorn S3 is about transforming storage security from manual setup to repeatable infrastructure. Get the identities right, and backups become boring again — exactly how they should be.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
