Set up Amazon S3
Create an S3 bucket for LFS Harbor to store objects in, and generate least-privilege IAM credentials.
Create a bucket
Pick a region close to your development machine to minimise latency when pushing and pulling large files. Use the Standard storage class — S3 Infrequent Access and Glacier tiers have lower storage costs but charge a per-GB retrieval fee that adds up quickly for regularly-accessed LFS objects.
- 1. Open S3 and click Create bucket.
- 2. Enter a globally unique bucket name.
- 3. Under Block Public Access settings, leave Block all public access enabled (default).
- 4. Leave versioning, encryption, and all other settings at their defaults. Click Create bucket.
Create an IAM user
Create a dedicated IAM user for LFS Harbor. Don't reuse an existing user — a dedicated one makes it easy to rotate keys or revoke access without affecting anything else.
- 1. Open IAM → Users and click Create user.
- 2. Set the username to lfsharbor-storage. Leave Provide user access to the AWS Management Console unchecked; this user only needs programmatic access.
- 3. On the Set permissions step, skip for now; you'll attach a policy in the next step.
- 4. Click through to Create user.
Attach a least-privilege policy
LFS Harbor needs to read, write, and delete objects, and list the bucket to check object existence. Grant exactly those four permissions, scoped to your bucket only.
- 1. Open IAM → Policies and click Create policy. Switch to the JSON editor and paste:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}
```

- 2. Replace BUCKET_NAME with your bucket name. Click Next, name the policy LFSHarborStoragePolicy, and click Create policy.
- 3. Go back to IAM → Users → lfsharbor-storage, open the Permissions tab, and click Add permissions → Attach policies directly. Search for LFSHarborStoragePolicy and select it.
- 4. Click Next → Add permissions.
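A check for the policy above, as an added example that is not part of LFS Harbor or this guide's own code: it confirms that a policy document grants only the four actions, each on the correct ARN form (object actions on BUCKET_NAME/*, s3:ListBucket on the bucket itself). The function names and the bucket name example-lfs-bucket are assumptions made for illustration.

```python
# Added example, not LFS Harbor code. Bucket names are constructed.
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject"}
BUCKET_ACTIONS = {"s3:listbucket"}

def as_list(value):  # IAM accepts a single value or a list for these fields
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit_policy(policy, bucket):
    """Return findings; an empty list means the policy matches the guide."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    findings, granted = [], set()
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
            continue
        resources = as_list(stmt.get("Resource"))
        for action in as_list(stmt.get("Action")):
            name = action.lower()  # IAM action names are case-insensitive
            if name in OBJECT_ACTIONS:
                expected = object_arn
            elif name in BUCKET_ACTIONS:
                expected = bucket_arn
            else:
                findings.append(f"statement {i}: unexpected action {action}")
                continue
            if resources == [expected]:
                granted.add(name)
            else:
                findings.append(f"statement {i}: {action} must target only {expected}")
    for name in sorted((OBJECT_ACTIONS | BUCKET_ACTIONS) - granted):
        findings.append(f"no correctly scoped grant for {name}")
    return findings

# The policy from this page with BUCKET_NAME filled in (constructed name).
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-lfs-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-lfs-bucket"}]}
# Constructed counter-example: wildcard grant, ListBucket on the object ARN.
BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-lfs-bucket/*"}]}

if __name__ == "__main__":
    print("\n".join(audit_policy(BAD, "example-lfs-bucket")))
```

Placing s3:ListBucket on the BUCKET_NAME/* ARN is flagged because that action applies to the bucket resource, so a statement written that way does not grant the listing the guide intends.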
Generate access keys
Generate a programmatic access key for the IAM user. LFS Harbor uses the key ID and secret to authenticate with S3.
- 1. Open the lfsharbor-storage user in IAM → Users and go to the Security credentials tab.
- 2. Under Access keys, click Create access key. Select Application running outside AWS as the use case.
- 3. Copy the Access key ID and Secret access key. The secret is only shown once.
Add the credentials to LFS Harbor
Connect your S3 bucket to LFS Harbor through the dashboard.
- 1. Go to the LFS Harbor dashboard.
- 2. Click on your repository.
- 3. Edit the object store configuration.
- 4. Choose S3 as the storage provider.
- 5. Enter your bucket name and region.
- 6. Enter the access key ID and secret access key.
Set up LFS Harbor as your Git LFS server
Choose the guide that fits your situation:
- Add Git LFS to a repository — for repos that don't use Git LFS yet.
- Migrate from another provider — for repos already using a different Git LFS server.