Skip to main content

S3 API compatibility

TAG implements the commonly used S3 REST API operations, acting as a caching proxy between S3 clients and Tigris object storage. Compatibility is validated against 214 tests from the ceph/s3-tests suite.

Path-Style Addressing Only

TAG supports path-style addressing only (http://host:port/bucket/key). Virtual-hosted style (http://bucket.host:port/key) is not supported. Configure your S3 client accordingly.

Supported operations

Service

OperationNotes
ListBucketsForwarded to Tigris

Bucket

OperationNotes
CreateBucketForwarded to Tigris
DeleteBucketForwarded to Tigris
HeadBucketForwarded to Tigris
ListObjects (V1/V2)Forwarded to Tigris
ListMultipartUploadsForwarded to Tigris
GetBucketLocationReturns configured region
GetBucketACLForwarded to Tigris
GetBucketPolicyForwarded to Tigris
GetBucketCORSForwarded to Tigris
GetBucketTaggingForwarded to Tigris
GetBucketLifecycleForwarded to Tigris
DeleteObjectsBulk delete; invalidates cache entries

Object

OperationNotes
GetObjectCache-first; supports Range and conditional headers
HeadObjectServed from cached metadata when available
PutObjectInvalidates cache before forwarding
DeleteObjectInvalidates cache before forwarding
CopyObjectInvalidates destination cache before forwarding
GetObjectTaggingForwarded to Tigris
PutObjectTaggingForwarded to Tigris
DeleteObjectTaggingForwarded to Tigris
GetObjectACLForwarded to Tigris
PutObjectACLForwarded to Tigris

Multipart upload

OperationNotes
InitiateMultipartUploadForwarded to Tigris
UploadPartForwarded to Tigris
UploadPartCopyForwarded to Tigris
CompleteMultipartUploadIdempotent — successful completions cached
AbortMultipartUploadForwarded to Tigris
ListPartsForwarded to Tigris

AWS chunked transfer encoding

TAG supports AWS chunked transfer encoding (streaming SigV4), used by warp and many AWS SDKs for large uploads.

In transparent proxy mode (default), chunked uploads are forwarded as-is since the original signatures remain valid.

In signing mode, TAG decodes the chunked body on-the-fly — stripping chunk framing and per-chunk signatures — and forwards the raw payload as UNSIGNED-PAYLOAD. This is a streaming operation with no buffering of the full object.

Caching behavior

For details on X-Cache response headers, request coalescing, range request optimization, write-through invalidation, and client cache-control headers, see Cache Control.

Authentication

All requests must be signed with AWS Signature Version 4 (SigV4). Presigned URL authentication (X-Amz-Algorithm query parameter) is also supported. See Security and Access Control for the full authentication flow.

Not supported

The following S3 features are not implemented by TAG. These requests are forwarded to Tigris as-is, where Tigris itself may or may not support them:

  • Object versioning (version-specific GET/DELETE)
  • Server-side encryption (SSE-C, SSE-S3, SSE-KMS)
  • Object Lock / WORM retention
  • POST object (browser-based HTML form uploads)
  • Public Access Block configuration
  • Bucket ownership controls
  • Virtual-hosted style addressing
  • Website hosting configuration
  • Replication configuration
  • Inventory, analytics, and metrics configuration
  • Storage class transitions (Glacier, Intelligent Tiering)

S3 compatibility test coverage

TAG's compatibility is validated using a curated subset of tests from ceph/s3-tests:

CategoryTestsCoverage
Header validation48Content-Type, MD5, Content-Length, dates, authorization
Core list operations55Prefix, delimiter, max-keys, marker, continuation
Object operations34Read, write, metadata, ETags, ranges, conditionals
Bucket operations33Create, delete, list, naming rules
Multipart uploads20Initiate, upload, complete, abort, copy parts
Copy operations9Same-bucket, cross-bucket, metadata handling
Tagging15Object and bucket tag CRUD
Total214

The test suite is executed as part of TAG's CI pipeline on every release to ensure that there is no regressions in S3 API compatibility.

Last updated on by Taha Khan