Use S3 as blob storage for Greenlight

Configure Greenlight to ingest from and deliver to AWS S3 buckets.

Last updated January 2026

Environment

# backend/.env
BLOB_TYPE=s3
BLOB_BUCKET=screenjson-ingest
BLOB_REGION=us-west-2
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=

IAM permissions

Minimum permissions: read, list and delete on the ingest bucket, write-only on the output bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
      "Resource": [
        "arn:aws:s3:::screenjson-ingest",
        "arn:aws:s3:::screenjson-ingest/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::screenjson-output/*"
    }
  ]
}
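
The policy above can be checked offline before it is attached to a role. This is an added example, not Greenlight's own code: a small evaluator for Allow/Deny statements, run against constructed object keys to confirm the role reads only from ingest and writes only to output. It assumes an identity policy that uses only Action and Resource (no Condition, NotAction or NotResource).

```python
import json
import re

# Policy copied from this page so the check runs offline.
POLICY = json.loads("""{
  "Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::screenjson-ingest",
                  "arn:aws:s3:::screenjson-ingest/*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::screenjson-output/*"}
  ]}""")
INGEST = "arn:aws:s3:::screenjson-ingest"
OUTPUT = "arn:aws:s3:::screenjson-output"
# Constructed object keys; expected results follow the page's data flow.
CHECKS = [
    ("s3:ListBucket", INGEST, True),
    ("s3:GetObject", INGEST + "/drafts/script.pdf", True),
    ("s3:DeleteObject", INGEST + "/drafts/script.pdf", True),
    ("s3:PutObject", OUTPUT + "/drafts/script.json", True),
    ("s3:PutObject", INGEST + "/drafts/script.pdf", False),
    ("s3:GetObject", OUTPUT + "/drafts/script.json", False),
    ("s3:DeleteObject", OUTPUT + "/drafts/script.json", False),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any Allow, otherwise implicit deny.
    Assumption: statements use only Action/Resource (no Condition, Not*)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, re.I) for a in _as_list(stmt["Action"]))
               and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def failures(policy):
    """Return the (action, resource) pairs whose result differs from CHECKS."""
    return [(a, r) for a, r, want in CHECKS if is_allowed(policy, a, r) != want]
```

An empty list from `failures(POLICY)` means the policy grants exactly the access in CHECKS; any pair it returns is a grant that is missing or wider than intended.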

Drop to ingest

Anything placed into s3://screenjson-ingest/ is picked up by a worker. Organise by folder if you want different pipelines on different folders — pipeline selection is a per-prefix rule in config/tasks.yml.

Deliver

Greenlight writes results to the configured output bucket with the same key structure as the ingest, swapping the extension for the produced format.

With KMS encryption at rest

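S3 server-side encryption works transparently. SSE-KMS additionally requires KMS permissions that the IAM policy above does not grant: kms:GenerateDataKey on the key to write objects, and kms:Decrypt to read objects encrypted with it. For SSE-KMS on write, set: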

BLOB_SSE=aws:kms
BLOB_KMS_KEY_ID=arn:aws:kms:us-west-2:111111111111:key/…
