AWS Setup
Guide for provisioning the minimal AWS infrastructure (manually or via your own IaC) to host Allure reports privately. This page provides narrative context; for step-by-step commands see the Setup section pages.
Note: Automation scripts under scripts/awscli are intended for maintainers only and are not required for end users. You can provision the infrastructure manually or via your own IaC.
Fast path (Infra CLI)
Prefer the Infra CLI shipped with the wheel for a safe, one-command setup that writes .infra_env and allure-host.yml:
```bash
allurehost-infra-setup --bucket my-allure-reports --region us-east-1 --yes
source .infra_env && allurehost-infra-validate  # optional sanity check
```
After that you can publish with minimal (or zero) flags:
For a visual, step-by-step guide using the AWS Console (UI), see Manual Setup – CloudFront UI Steps.
Preflight (safe, no changes): validate your AWS CLI, credentials, and region before provisioning.
Verification Example
To verify that your AWS environment meets the necessary prerequisites before proceeding, you can run the following command. This will check that your AWS CLI is configured correctly and that you have appropriate permissions.
Expected output:
```text
AWS CLI version: 2.x.x
Credentials: valid
Region: eu-west-1
S3 access: OK
CloudFront access: OK
IAM permissions: OK
All checks passed.
```
If all checks pass, you are ready to continue with the setup.
Install / Quick Setup (Manual)
If you prefer a manual setup, please follow the detailed guide here: Manual Setup – CloudFront UI Steps.
1. Components
| Component | Purpose |
|---|---|
| S3 Bucket (private) | Stores static Allure artifacts |
| CloudFront Distribution | Global CDN + HTTPS + OAC access to S3 |
| Origin Access Control (OAC) | Authenticates CloudFront → S3 (no public bucket) |
| IAM Publisher Role/User | Writes new reports & maintains manifest |
You can either use the AWS CLI scripts provided in scripts/awscli or follow the manual commands below.
2. Bucket Creation
Minimal AWS CLI:
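```bash
# us-east-1 rejects an explicit LocationConstraint; omit the configuration there.
aws s3api create-bucket --bucket my-allure-reports --region us-east-1
# In any other region, add the matching constraint, for example:
#   --region eu-west-1 --create-bucket-configuration LocationConstraint=eu-west-1
```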
Enable Block Public Access (default for new buckets).
3. CloudFront Distribution (High Level)
- Origin: S3 bucket (REST endpoint, not website endpoint). Use the REST endpoint (e.g. `my-bucket.s3.eu-west-1.amazonaws.com`); do not append `/reports` or any subpath.
- Origin Access: Create new OAC (signing behavior: signing) and attach
- Default behavior: GET/HEAD
- Error responses: Map 403 and 404 → `/index.html` (HTTP 200) for SPA routing
- Cache policy: Accept defaults; fine-tune if needed later
4. Bucket Policy for CloudFront
Insert distribution ID after creation:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontRead",
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-allure-reports/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/DIST_ID"
        }
      }
    }
  ]
}
```
Note: When you create the CloudFront distribution via console or AWS CLI, this policy is often attached automatically. You can verify it via aws s3api get-bucket-policy.
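An offline check for the policy above, added here as an example and not part of the project's own code: it audits a bucket policy document for the OAC pattern (CloudFront service principal, `s3:GetObject` only, `AWS:SourceArn` pinned to your distribution) and reports the gaps behind the "403 via CloudFront" row under Common Issues. The names `audit_oac_policy` and `sample_policy` and the distribution ID `E2EXAMPLE12345` are assumptions constructed for illustration.

```python
import json

CLOUDFRONT_SP = "cloudfront.amazonaws.com"
def _as_list(value):  # IAM policy fields accept a single string or a list of strings
    return value if isinstance(value, list) else [value]

def audit_oac_policy(policy_json, bucket, distribution_arn):
    """Return findings; an empty list means the policy matches the OAC pattern."""
    findings, readable = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        is_map = isinstance(principal, dict)
        if "*" in (_as_list(principal.get("AWS", [])) if is_map else [principal]):
            findings.append(f"{sid}: wildcard principal, access is not limited to CloudFront")
            continue
        if not is_map or CLOUDFRONT_SP not in _as_list(principal.get("Service", [])):
            continue  # statements for other principals are out of scope here
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        arns = [a for k, v in conds.items() if k.lower() == "aws:sourcearn" for a in _as_list(v)]
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not arns:
            findings.append(f"{sid}: no AWS:SourceArn condition, any distribution may read")
        elif distribution_arn not in arns:
            findings.append(f"{sid}: AWS:SourceArn is {arns}, expected {distribution_arn}")
        if actions - {"s3:getobject"}:
            findings.append(f"{sid}: grants more than s3:GetObject: {sorted(actions)}")
        in_scope = f"arn:aws:s3:::{bucket}/*" in _as_list(stmt.get("Resource", []))
        if (not arns or distribution_arn in arns) and "s3:getobject" in actions and in_scope:
            readable = True
    if not readable:
        findings.append("no cloudfront.amazonaws.com statement grants s3:GetObject to this distribution")
    return findings

# Constructed sample values; bucket name and account ID are the page's placeholders.
BUCKET = "my-allure-reports"
EXPECTED_ARN = "arn:aws:cloudfront::123456789012:distribution/E2EXAMPLE12345"

def sample_policy(source_arn=None):
    stmt = {"Sid": "AllowCloudFrontRead", "Effect": "Allow", "Principal": {"Service": CLOUDFRONT_SP},
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}
    if source_arn:
        stmt["Condition"] = {"StringEquals": {"AWS:SourceArn": source_arn}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":  # policy pasted with the DIST_ID placeholder never replaced
    print(audit_oac_policy(sample_policy(EXPECTED_ARN.rsplit("/", 1)[0] + "/DIST_ID"), BUCKET, EXPECTED_ARN))
```

To audit a live bucket, pass in the output of `aws s3api get-bucket-policy --bucket my-allure-reports --query Policy --output text` instead of the constructed sample.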
5. IAM Publisher Policy
See IAM Examples. Attach to:
- CI execution role (GitHub OIDC, GitLab OIDC, etc.)
- Local dev user (optional; consider read-only otherwise)
6. Lifecycle (Optional)
Set lifecycle rule:
- Filter: `reports/`
- Expire objects > 30 or 60 days (except maybe `latest/`)
- Pair your S3 lifecycle rule with the `--ttl-days` option in `publish-allure` to automate expiration tagging.
7. KMS (Optional)
If you enforce SSE-KMS on the bucket:
- Set bucket default encryption to the key
- Add minimal KMS grants (Encrypt/Decrypt/GenerateDataKey/ReEncrypt*/DescribeKey)
8. Testing Deployment
After first publish, confirm:
Open CloudFront URL: https://<domain>/reports/<project>/<branch>/latest/
9. Common Issues
| Symptom | Cause | Resolution |
|---|---|---|
| 403 via CloudFront | OAC not attached / bucket policy missing ARN | Reattach OAC, update policy |
| Objects 404 but in S3 | Cache propagation | Wait or invalidate path |
| Trends missing | No previous history/ or permission failure | Check IAM GetObject on history paths |
10. Infrastructure as Code (External)
For reproducible IaC, you can reference the public AllureHosting CDK repository for a working AWS CDK example that provisions the same components. This example can also be adapted for both manual and automated setups, depending on your preference or organizational standards. This project intentionally ships no IaC templates to keep the PyPI package lean and focused.
Focus on correctness first (private bucket + OAC). Tuning (lifecycle, logging, WAF) can follow later.
See also: Setup Overview Diagram