The @nx/powerpack-s3-cache
plugin enables you to use an Amazon S3 bucket instead of Nx Cloud to host your remote cache.
This plugin will enable the remote cache for your Nx workspace, but does not provide any of the other features of Nx Cloud. If you want to leverage distributed task execution, re-running flaky tasks or automatically splitting tasks, you'll need to connect to Nx Cloud and use Nx Replay instead.
Using your own Amazon S3 bucket to host the remote cache opens you up to the possibility of cache poisoning. To avoid this, use Nx Replay.
In order to use @nx/powerpack-s3-cache
, you need to have an active Powerpack license. If you don't have a license or it has expired, your cache will no longer be shared and each machine will use its local cache.
Set Up @nx/powerpack-s3-cache
1. Install the Package
- Activate Powerpack if you haven't already
- Install the package
โฏ
nx add @nx/powerpack-s3-cache
2. Authenticate with AWS
There are four different ways to authenticate with AWS. They will be attempted in this order:
- Environment variables
- INI config files
- Single sign-on
nx.json
settings
Environment Variables
AWS provides environment variables that can be used to authenticate:
Environment Variable | Description |
---|---|
AWS_ACCESS_KEY_ID | The access key for your AWS account. |
AWS_SECRET_ACCESS_KEY | The secret key for your AWS account. |
AWS_SESSION_TOKEN | The session key for your AWS account. This is only needed when you are using temporary credentials. |
AWS_CREDENTIAL_EXPIRATION | The expiration time of the credentials contained in the environment variables described above. This value must be in a format compatible with the ISO-8601 standard and is only needed when you are using temporary credentials. |
Both the AWS_ACCESS_KEY_ID
and the AWS_SECRET_ACCESS_KEY
environment variables are required to use the environment variable authentication method.
Here's an example of using OICD in GitHub Actions to set the environment variables in CI:
1name: CI
2...
3permissions:
4 id-token: write
5 ...
6
7jobs:
8 main:
9 env:
10 NX_POWERPACK_LICENSE: ${{ secrets.NX_POWERPACK_LICENSE }}
11 runs-on: ubuntu-latest
12 steps:
13 ...
14
15 - name: 'Configure AWS Credentials'
16 uses: aws-actions/configure-aws-credentials@v4.0.2
17 with:
18 role-to-assume: arn:aws:iam::123456789123:role/GhAIBucketUserRole
19 aws-region: us-east-1
20
21 ...
22
23 - run: pnpm exec nx affected -t lint test build
24
INI Config Files
AWS can read your authentication credentials from shared INI config files. The files are located at ~/.aws/credentials
and ~/.aws/config
. Both files are expected to be INI formatted with section names corresponding to profiles. Sections in the credentials file are treated as profile names, whereas profile sections in the config file must have the format of [profile profile-name]
, except for the default profile. Profiles that appear in both files will not be merged, and the version that appears in the credentials file will be given precedence over the profile found in the config file.
Single Sign-On
Nx can read the active access token created after running aws sso login
then request temporary AWS credentials. You can create the AwsCredentialIdentityProvider
functions using the inline SSO parameters (ssoStartUrl
, ssoAccountId
, ssoRegion
, ssoRoleName
) or load them from AWS SDKs and Tools shared configuration and credentials files. Profiles in the credentials
file are given precedence over profiles in the config
file.
Credentials in nx.json
File
Storing your credentials in the nx.json
file is the least secure of the 4 authentication options, since anyone with read access to your code base will have access to your AWS credentials.
1{
2 "s3": {
3 "ssoProfile": "default",
4 "accessKeyId": "MYACCESSKEYID",
5 "secretAccessKey": "MYSECRETACCESSKEY"
6 }
7}
8
Property | Description |
---|---|
ssoProfile | The name of the profile to use from your AWS CLI SSO Configuration (optional) |
endpoint | The AWS endpoint URL (optional) |
accessKeyId | AWS Access Key ID (optional) |
secretAccessKey | AWS secret access key (optional) |
3. Configure S3 Cache
Regardless of how you manage your AWS authentication, you need to configure your Nx cache in the nx.json
file. The bucket
that you specify needs to already exist - Nx doesn't create it for you.
1{
2 "s3": {
3 "region": "us-east-1",
4 "bucket": "my-bucket",
5 "encryptionKey": "create-your-own-key"
6 }
7}
8
Property | Description |
---|---|
region | The id of the AWS region to use |
bucket | The name of the S3 bucket to use |
encryptionKey | Nx encryption key used to encrypt and decrypt artifacts from the cache (optional) |
S3 Compatible Providers
To use @nx/powerpack-s3-cache
with S3 compatible providers (MinIO, LocalStack, DigitalOcean Spaces, Cloudflare, etc..), endpoint
will need to be provided. Some providers also need to have forcePathStyle
set to true in the configuration.
Below is an example on how to connect to MinIO:
1{
2 "s3": {
3 "region": "us-east-1",
4 "bucket": "my-bucket",
5 "endpoint": "https://play.min.io",
6 "forcePathStyle": true,
7 "accessKeyId": "abc1234",
8 "secretAccessKey": "4321cba"
9 }
10}
11
Property | Description |
---|---|
region | The id of the S3 compatible storage region to use |
bucket | The name of the S3 compatible storage bucket to use |
forcePathStyle | Changes the way artifacts are uploaded. Usually used for S3 compatible providers (MinIO, LocalStack, etc) |
endpoint | The custom endpoint to upload artifacts to. If endpoint is not defined, the default AWS endpoint is used |
accessKeyId | AWS Access Key ID (optional if AWS_ACCESS_KEY_ID is set in the environment) |
secretAccessKey | AWS secret access key (optional if AWS_SECRET_ACCESS_KEY is set in the environment) |
Accessing the remote cache locally
By default the remote cache will try to write and read from the remote cache while running locally. This means that permissions must be set for users who are expected to access the remote cache.
Nx will only show warnings when the remote cache is not writable. You can disable these warnings by setting disableRemoteWritesLocally
to true in the nx.json
file.
1{
2 "s3": {
3 "region": "us-east-1",
4 "bucket": "my-bucket",
5 "disableRemoteWritesLocally": true
6 }
7}
8