chainloop-dev · migmartri · Oct 17, 2023 · Oct 16, 2023 · Oct 16, 2023 · Oct 17, 2023
@@ -54,7 +54,7 @@ jobs:
 
   # Attest the uploaded artifacts listed in .chainloop.yaml
   chainloop:
-    uses: chainloop-dev/labs/.github/workflows/chainloop.yml@a75dff2ef342a1e5c5e1ec5c42fb99f3d1bc03cb
+    uses: chainloop-dev/labs/.github/workflows/chainloop.yml@main
     needs: deploy
     secrets:
       api_token: ${{ secrets.CHAINLOOP_WF_RELEASE }}

diff --git a/docs/guides/deployment/k8s/k8s.mdx b/docs/guides/deployment/k8s/k8s.mdx
@@ -165,6 +165,19 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
 
 ## How to guides
 
+### CAS upload speeds are slow, what can I do?
+
+Chainloop uses gRPC streaming to perform artifact uploads. This method is susceptible to being very slow on high latency scenarios. [#375](https://github.com/chainloop-dev/chainloop/issues/375)
+
+To improve upload speeds, you need to increase [http2 flow control buffer](https://httpwg.org/specs/rfc7540.html#DisableFlowControl). This can be done in NGINX by setting the following annotation in the ingress resource.
+
+```
+# Improve upload speed by adding client buffering used by http2 control-flows
+nginx.ingress.kubernetes.io/client-body-buffer-size: "3M"
+```
+
+Note: For other reverse proxies, you'll need to find the equivalent configuration. 
+
 ### Generate a ECDSA key-pair
 
 An ECDSA key-pair is required to perform authentication between the control-plane and the Artifact CAS
@@ -376,17 +389,21 @@ chainloop config save \
 
 ### Secrets Backend
 
-| Name                                                | Description                                                              | Value       |
-| --------------------------------------------------- | ------------------------------------------------------------------------ | ----------- |
-| `secretsBackend.backend`                            | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager") | `vault`     |
-| `secretsBackend.secretPrefix`                       | Prefix that will be pre-pended to all secrets in the storage backend     | `chainloop` |
-| `secretsBackend.vault.address`                      | Vault address                                                            |             |
-| `secretsBackend.vault.token`                        | Vault authentication token                                               |             |
-| `secretsBackend.awsSecretManager.accessKey`         | AWS Access KEY ID                                                        |             |
-| `secretsBackend.awsSecretManager.secretKey`         | AWS Secret Key                                                           |             |
-| `secretsBackend.awsSecretManager.region`            | AWS Secret Manager Region                                                |             |
-| `secretsBackend.gcpSecretManager.projectId`         | GCP Project ID                                                           |             |
-| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key                                                             |             |
+| Name                                                | Description                                                                               | Value       |
+| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ----------- |
+| `secretsBackend.backend`                            | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") | `vault`     |
+| `secretsBackend.secretPrefix`                       | Prefix that will be pre-pended to all secrets in the storage backend                      | `chainloop` |
+| `secretsBackend.vault.address`                      | Vault address                                                                             |             |
+| `secretsBackend.vault.token`                        | Vault authentication token                                                                |             |
+| `secretsBackend.awsSecretManager.accessKey`         | AWS Access KEY ID                                                                         |             |
+| `secretsBackend.awsSecretManager.secretKey`         | AWS Secret Key                                                                            |             |
+| `secretsBackend.awsSecretManager.region`            | AWS Secret Manager Region                                                                 |             |
+| `secretsBackend.gcpSecretManager.projectId`         | GCP Project ID                                                                            |             |
+| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key                                                                              |             |
+| `secretsBackend.azureKeyVault.tenantID`             | Active Directory Tenant ID                                                                |             |
+| `secretsBackend.azureKeyVault.clientID`             | Registered application / service principal client ID                                      |             |
+| `secretsBackend.azureKeyVault.clientSecret`         | Service principal client secret                                                           |             |
+| `secretsBackend.azureKeyVault.vaultURI`             | Azure Key Vault URL                                                                       |             |
 
 ### Authentication
 

diff --git a/docs/reference/operator/cas-backend/aws-1.png b/docs/reference/operator/cas-backend/aws-1.png
diff --git a/docs/reference/operator/cas-backend/aws-2.png b/docs/reference/operator/cas-backend/aws-2.png
diff --git a/docs/reference/operator/cas-backend/cas-backend.mdx b/docs/reference/operator/cas-backend/cas-backend.mdx
@@ -138,6 +138,76 @@ chainloop cas-backend update oci --id [BACKEND_ID] --username [NEW_USERNAME] --p
 chainloop cas-backend update oci --id [BACKEND_ID] --default=true
 ```
 
+### AWS S3
+
+Chainloop also supports storing artifacts in [AWS S3 Blob Storage](https://aws.amazon.com/s3/).
+
+#### Pre-requisites
+
+To connect your AWS account to Chainloop you'll need:
+
+- **S3 Bucket Name**
+- **Bucket Region**
+- **AccessKeyID**
+- **SecretAccessKey**
+
+**Create an S3 bucket**
+
+Create an S3 bucket and take note of the bucket name and region
+
+![](./aws-1.png)
+
+**Create an IAM user with access to that bucket**
+
+Next we are going to create a policy that has write/read permissions to the bucket. 
+
+You can use the snippet below by just replacing `[bucketName]` with the actual name of the bucket you created in the step before.
+
+```json
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:ListBucket"
+			],
+			"Resource": "arn:aws:s3:::[bucketName]"
+		},
+		{
+			"Effect": "Allow",
+			"Action": [
+				"s3:GetObject",
+				"s3:PutObject"
+			],
+			"Resource": "arn:aws:s3:::[bucketName]/*"
+		}
+	]
+}
+```
+
+Then create an user, attach the policy to it and click on "create access Key"
+
+![](./aws-2.png)
+
+Then select third-party service and copy the access key ID and secret access key
+
+We are now ready to connect our AWS account to Chainloop
+
+```bash
+ $ chainloop cas-backend add aws-s3 \
+    --access-key-id [accessKeyID] \
+    --secret-access-key [secretAccessKey] \
+    --region [region] \
+    --bucket [bucketName]
+```
+
+#### Rotate credentials
+
+```bash
+chainloop cas-backend update aws-s3 --id [BACKEND_ID] --access-key-id [new-accessKeyID] --secret-access-key [new-secretAccessKey] --region [new-region]
+```
+
 ### Azure Blob Storage
 
 Chainloop also supports storing artifacts in [Azure Blob Storage](https://azure.microsoft.com/en-us/products/storage/blobs).