Hyphen Deploy can automatically provision and connect cloud object storage to your application as part of the deployment pipeline. When Object Storage is configured for a deployment, Hyphen creates the necessary cloud resources and injects credentials into your application — no manual bucket creation or credential management required.
Supported providers:
- AWS — Amazon S3
- Google Cloud — Google Cloud Storage (GCS)
- Azure — Azure Blob Storage
Prerequisites
- A connected cloud provider integration (AWS, GCP, or Azure). See AWS, Google Cloud, or Azure.
- A Cloud Workspace connection for the target project environment.
Enabling Object Storage for a Deployment
In the deployment settings for a project environment, toggle on Enable Object Storage.
Once enabled, two additional fields appear:
- Object storage provider — A dropdown pre-populated with the cloud integrations connected to your deployment. Select the provider where the bucket or container should live.
- Bucket name (optional) — Enter an existing bucket name to connect to it, or enter a preferred name for the bucket Hyphen will create. If left blank, Hyphen generates a name automatically from the project and environment alternate IDs using the pattern `{projectAlternateId}-{envAlternateId}`.
Provisioning
When a deployment run starts, Hyphen automatically:
- Verifies the Cloud Workspace connection is ready.
- Creates or adopts the storage bucket or container in the target cloud.
- Creates a dedicated access identity scoped to that bucket with least-privilege permissions.
- Generates credentials and injects them into the application as an environment variable.
AWS (S3)
Resources created:
- S3 bucket
- IAM user (`hx-S3-{bucketName}`) with a scoped bucket policy
- Access key ID and secret key
Google Cloud (GCS)
Resources created:
- GCS bucket
- Service account (named after the bucket)
- Storage Admin IAM role binding on the bucket
- Service account key (JSON)
Azure (Blob Storage)
Resources created:
- Storage account (if one does not already exist)
- Blob container
- Service principal in Microsoft Entra ID (`objectStorage-{storageAccount}-{container}`)
- RBAC role assignment on the container
- Client secret
Application Access
Credentials are injected into your application as a single environment variable:
| Variable | Description |
|---|---|
| `HYPHEN_OBJECT_STORAGE_CONFIG` | Base64-encoded JSON containing provider-specific connection credentials |
The decoded payload structure varies by provider:
AWS:
```json
{
  "provider": "aws",
  "region": "us-east-1",
  "bucketName": "my-project-production",
  "accessKeyId": "AKIA...",
  "accessKeySecret": "..."
}
```
Google Cloud:
```json
{
  "provider": "googleCloud",
  "bucketName": "my-project-production",
  "serviceAccountJson": "{...}"
}
```
Azure:
```json
{
  "provider": "azure",
  "tenantId": "...",
  "storageAccountName": "myprojectprod",
  "containerName": "my-project-production",
  "accessKeyId": "...",
  "accessKeySecret": "..."
}
```
Parsing the config in your application
Node.js:
```javascript
const config = JSON.parse(
  Buffer.from(process.env.HYPHEN_OBJECT_STORAGE_CONFIG, 'base64').toString('utf8')
);
// config.provider, config.bucketName, etc.
```
Python:
```python
import os, base64, json
config = json.loads(base64.b64decode(os.environ['HYPHEN_OBJECT_STORAGE_CONFIG']).decode('utf-8'))
# config['provider'], config['bucketName'], etc.
```
Go:
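```go
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
)

func loadConfig() (map[string]interface{}, error) {
	raw, err := base64.StdEncoding.DecodeString(os.Getenv("HYPHEN_OBJECT_STORAGE_CONFIG"))
	if err != nil {
		return nil, fmt.Errorf("decode HYPHEN_OBJECT_STORAGE_CONFIG: %w", err)
	}
	var config map[string]interface{}
	if err := json.Unmarshal(raw, &config); err != nil {
		return nil, fmt.Errorf("parse HYPHEN_OBJECT_STORAGE_CONFIG: %w", err)
	}
	return config, nil // config["provider"], config["bucketName"], etc.
}
```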
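Because the variable carries live credentials, a startup check that fails closed and never echoes payload values is worth having. The following is an added example, not Hyphen's own code: it validates the decoded payload against the field lists documented above and produces a log-safe copy. The names `load_storage_config`, `redacted`, `StorageConfigError`, `REQUIRED` and `LOGGABLE` are hypothetical, and the choice of which fields are loggable is an assumption.

```python
import base64
import json
import os

# Required fields per provider, taken from the payload shapes documented above.
REQUIRED = {
    "aws": ("region", "bucketName", "accessKeyId", "accessKeySecret"),
    "googleCloud": ("bucketName", "serviceAccountJson"),
    "azure": ("tenantId", "storageAccountName", "containerName",
              "accessKeyId", "accessKeySecret"),
}
# Assumption of this example: only these fields are safe to show in logs.
LOGGABLE = {"provider", "region", "bucketName", "storageAccountName", "containerName"}


class StorageConfigError(ValueError):
    """Raised with a message that never contains payload values."""


def load_storage_config(env=os.environ):
    raw = (env.get("HYPHEN_OBJECT_STORAGE_CONFIG") or "").strip()
    if not raw:
        raise StorageConfigError("HYPHEN_OBJECT_STORAGE_CONFIG is not set")
    try:
        config = json.loads(base64.b64decode(raw, validate=True).decode("utf-8"))
    except ValueError:
        # "from None" drops the original exception, whose text can quote payload bytes.
        raise StorageConfigError("config is not base64-encoded JSON") from None
    provider = config.get("provider") if isinstance(config, dict) else None
    if not isinstance(provider, str) or provider not in REQUIRED:
        raise StorageConfigError("config has a missing or unsupported provider")
    missing = [f for f in REQUIRED[provider]
               if not isinstance(config.get(f), str) or not config[f]]
    if missing:
        raise StorageConfigError(f"{provider} config is missing: {', '.join(missing)}")
    return config


def redacted(config):
    """Return a copy that is safe to log: every non-allowlisted value is masked."""
    return {k: (v if k in LOGGABLE else "***") for k, v in config.items()}


if __name__ == "__main__":
    # Constructed sample payload (not real credentials), encoded the way the page describes.
    sample = {"provider": "aws", "region": "us-east-1", "bucketName": "my-project-production",
              "accessKeyId": "AKIAEXAMPLE", "accessKeySecret": "constructed-secret"}
    blob = base64.b64encode(json.dumps(sample).encode()).decode()
    print(redacted(load_storage_config({"HYPHEN_OBJECT_STORAGE_CONFIG": blob})))
```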