datasette-files-s3: Secure S3 File Access with Time-Limited IAM Credentials (2026)

datasette-files-s3 0.1a1 introduces a groundbreaking credentials broker mechanism for secure, time-limited S3 file access. This update enhances data security for Datasette users managing cloud-stored files.

datasette-files-s3 0.1a1 introduces a groundbreaking security upgrade: a dynamic credentials broker that fetches short-lived AWS IAM credentials from a remote endpoint. This innovation eliminates the need for static access keys, dramatically reducing the risk of credential leaks in cloud environments. Built by Simon Willison’s team, this release enhances the Datasette ecosystem for secure, scalable file handling.

How the Credentials Broker Works

The credentials broker periodically pulls S3 configuration — including temporary access keys, secret keys, and bucket prefixes — from a secure URL. This enables seamless integration with AWS STS, HashiCorp Vault, or other identity providers that issue ephemeral tokens.

Instead of hardcoding keys into config files or environment variables, organizations now use centralized token services to dynamically assign permissions. This mirrors enterprise-grade DevSecOps standards and supports deployments on AWS Lambda, Google Cloud Run, and Kubernetes clusters.

Why Time-Limited IAM Keys Improve Security

  • Reduced attack surface: Even if a token is intercepted, it expires within minutes or hours.
  • Prefix-level restrictions: Users can only access specific S3 directories (e.g., /user123/reports/), enforcing least privilege.
  • Audit-ready: Every access request is tied to a temporary credential with a traceable origin.
  • No key rotation needed: Credentials auto-renew via the broker, eliminating manual upkeep.

Real-World Use Case: Academic Research Portal

A university uses Datasette to share sensitive student datasets via a public-facing dashboard. With datasette-files-s3, they configure the credentials broker to pull temporary keys from AWS STS, restricted to a /research/ folder. Even if the web server is compromised, attackers can’t access other buckets — preserving data integrity and compliance with FERPA.

How to Configure the Credentials Endpoint

Setting up the broker is straightforward:

datasette-files-s3 --credentials-url https://your-vault.example.com/s3-credentials

The endpoint should return a JSON payload like:

{
  "access_key_id": "ASIA...",
  "secret_access_key": "...",
  "session_token": "...",
  "bucket": "your-bucket",
  "prefix": "restricted-path/"
}

For detailed setup, see the official datasette-files-s3 documentation.
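
A consumer of such an endpoint can validate the payload before handing the keys to an S3 client. The sketch below is an added example, not code from datasette-files-s3: the names S3Grant, parse_broker_response and BrokerResponseError are hypothetical, and the rules it enforces (AWS STS as issuer, so temporary key IDs start with ASIA, and a prefix ending in "/") are assumptions.

```python
import json
from dataclasses import dataclass

FIELDS = ("access_key_id", "secret_access_key", "session_token", "bucket", "prefix")
# Constructed sample payload in the shape shown above; every value is made up.
SAMPLE = json.dumps({"access_key_id": "ASIAEXAMPLEEXAMPLE00", "secret_access_key": "constructed-secret",
                     "session_token": "constructed-token", "bucket": "your-bucket", "prefix": "restricted-path/"})


class BrokerResponseError(ValueError):
    """The broker payload must not be used to talk to S3."""


@dataclass(frozen=True, repr=False)
class S3Grant:
    access_key_id: str
    secret_access_key: str
    session_token: str
    bucket: str
    prefix: str

    def __repr__(self):  # never print the secret key or session token
        return f"S3Grant({self.access_key_id[:4]}..., s3://{self.bucket}/{self.prefix})"

    def allows(self, key: str) -> bool:
        """Client-side guard: the object key must sit under the granted prefix."""
        return key.startswith(self.prefix) and ".." not in key.split("/")


def parse_broker_response(body: str) -> S3Grant:
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise BrokerResponseError("payload is not valid JSON") from exc
    if not isinstance(data, dict):
        raise BrokerResponseError("payload must be a JSON object")
    bad = [f for f in FIELDS if not isinstance(data.get(f), str) or not data[f]]
    if bad:
        raise BrokerResponseError(f"missing or empty fields: {bad}")
    # Assumption: AWS STS is the issuer. A long-term key (AKIA...) here means the
    # broker is handing out static credentials, which defeats the design.
    if not data["access_key_id"].startswith("ASIA"):
        raise BrokerResponseError("access key is not an AWS temporary key (expected ASIA prefix)")
    # "reports" would also match "reports-private/..."; require a delimiter.
    if not data["prefix"].endswith("/"):
        raise BrokerResponseError("prefix must end with '/'")
    return S3Grant(**{f: data[f] for f in FIELDS})
```

The allows() check is defence in depth only; the prefix restriction has to be enforced by the session policy attached to the temporary credentials.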

Compatibility with Modern Cloud Architectures

datasette-files-s3 0.1a1 works seamlessly with:

  • AWS STS (Security Token Service)
  • HashiCorp Vault with AWS auth backend
  • Kubernetes Secrets Store CSI Driver
  • Serverless platforms like AWS Lambda and Cloudflare Workers

This makes it ideal for zero-trust architectures and regulated industries requiring audit trails and temporary access.

Though labeled alpha (0.1a1), early adopters in open-source and academic communities report high reliability. The lightweight design ensures even non-cloud-native teams can implement enterprise-grade security with minimal overhead.

With datasette-files-s3, Datasette users now have a simple, powerful tool to secure file storage without sacrificing usability. In 2026, temporary credentials aren’t optional — they’re essential.
