convex-backend PR 198: feat(aws_s3): Add S3 compatibility environment variables for non-AWS services (#40557)

## Summary
- Add environment variables to disable AWS-specific S3 headers for compatibility with non-AWS S3 services like MinIO and Rook Ceph RGW
- `AWS_S3_DISABLE_SSE=true` disables server-side encryption headers (`x-amz-server-side-encryption`)
- `AWS_S3_DISABLE_CHECKSUMS=true` disables checksum algorithm headers (`x-amz-checksum-algorithm`)

## Problem
The current Convex backend hard-codes AWS-specific headers in S3 multipart upload operations:
- `ServerSideEncryption::Aes256`
- `ChecksumAlgorithm::Crc32`

These headers cause compatibility issues with S3-compatible services that don't support AWS-specific features, leading to multipart upload failures.

## Solution
- Added two new environment variables in `aws_utils` crate for S3 compatibility configuration
- Modified `aws_s3` storage implementation to conditionally add AWS headers based on environment variables
- Maintains backward compatibility (headers are added by default when variables are not set)

## Files Changed
- `crates/aws_utils/src/lib.rs`: Added environment variable configuration and accessor functions
- `crates/aws_s3/src/storage.rs`: Updated multipart upload methods to conditionally add headers

## Testing
- Code compiles successfully with all dependencies
- Backward compatibility maintained (default behavior unchanged)
- Ready for testing with MinIO and other S3-compatible services

## Benefits
- Enables self-hosted Convex to work with a wider range of S3-compatible storage backends
- Improves compatibility with MinIO, Rook Ceph RGW, and other S3 implementations
- Maintains full backward compatibility with existing AWS S3 deployments

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Jason Overmier <jason.r.overmier@gmail.com>
GitOrigin-RevId: f854dba3a108deb6e9d407c50f6e8181e91bb70a

Author: 2 people

crates/aws_s3/src/storage.rs

@@ -9,6 +9,7 @@ use async_trait::async_trait;
 use aws_config::retry::RetryConfig;
 use aws_sdk_s3::{
     operation::{
+        create_multipart_upload::builders::CreateMultipartUploadFluentBuilder,
         head_object::{
             HeadObjectError,
             HeadObjectOutput,
@@ -26,6 +27,8 @@ use aws_sdk_s3::{
     Client,
 };
 use aws_utils::{
+    are_checksums_disabled,
+    is_sse_disabled,
     must_s3_config_from_env,
     s3::S3Client,
 };
@@ -150,6 +153,28 @@ impl<RT: Runtime> S3Storage<RT> {
         let bucket_name = s3_bucket_name(&use_case)?;
         S3Storage::new_with_prefix(bucket_name, key_prefix, runtime).await
     }
+
+    /// Helper method to configure multipart upload builder with optional AWS
+    /// headers for S3 compatibility with non-AWS services
+    fn configure_multipart_upload_builder(
+        &self,
+        mut upload_builder: CreateMultipartUploadFluentBuilder,
+    ) -> CreateMultipartUploadFluentBuilder {
+        // Add server-side encryption if not disabled for S3 compatibility
+        if !is_sse_disabled() {
+            upload_builder = upload_builder.server_side_encryption(ServerSideEncryption::Aes256);
+        }
+
+        // Add checksum algorithm if not disabled for S3 compatibility
+        if !are_checksums_disabled() {
+            // Because we're using multipart uploads, we're really specifying the part
+            // checksum algorithm here, so it needs to match what we use for
+            // each part.
+            upload_builder = upload_builder.checksum_algorithm(ChecksumAlgorithm::Crc32);
+        }
+
+        upload_builder
+    }
 }
 
 async fn s3_client() -> Result<Client, anyhow::Error> {
@@ -215,15 +240,15 @@ impl<RT: Runtime> Storage for S3Storage<RT> {
     async fn start_upload(&self) -> anyhow::Result<Box<BufferedUpload>> {
         let key: ObjectKey = self.runtime.new_uuid_v4().to_string().try_into()?;
         let s3_key = S3Key(self.key_prefix.clone() + &key);
-        let output = self
+        let upload_builder = self
             .client
             .create_multipart_upload()
             .bucket(self.bucket.clone())
-            .key(&s3_key.0)
-            .server_side_encryption(ServerSideEncryption::Aes256)
-            // Because we're using multipart uploads, we're really specifying the part checksum
-            // algorithm here, so it needs to match what we use for each part.
-            .checksum_algorithm(ChecksumAlgorithm::Crc32)
+            .key(&s3_key.0);
+
+        let upload_builder = self.configure_multipart_upload_builder(upload_builder);
+
+        let output = upload_builder
             .send()
             .await
             .context("Failed to create multipart upload")?;
@@ -253,15 +278,15 @@ impl<RT: Runtime> Storage for S3Storage<RT> {
     async fn start_client_driven_upload(&self) -> anyhow::Result<ClientDrivenUploadToken> {
         let key: ObjectKey = self.runtime.new_uuid_v4().to_string().try_into()?;
         let s3_key = S3Key(self.key_prefix.clone() + &key);
-        let output = self
+        let upload_builder = self
             .client
             .create_multipart_upload()
             .bucket(self.bucket.clone())
-            .key(&s3_key.0)
-            .server_side_encryption(ServerSideEncryption::Aes256)
-            // Because we're using multipart uploads, we're really specifying the part checksum
-            // algorithm here, so it needs to match what we use for each part.
-            .checksum_algorithm(ChecksumAlgorithm::Crc32)
+            .key(&s3_key.0);
+
+        let upload_builder = self.configure_multipart_upload_builder(upload_builder);
+
+        let output = upload_builder
             .send()
             .await
             .context("Failed to create multipart upload")?;
@@ -552,15 +577,20 @@ impl<RT: Runtime> S3Upload<RT> {
         let part_number = self.next_part_number()?;
         crate::metrics::log_aws_s3_part_upload_size_bytes(data.len());
 
-        let builder = self
+        let mut builder = self
             .client
             .upload_part()
-            .checksum_algorithm(ChecksumAlgorithm::Crc32)
             .body(ByteStream::from(data))
             .bucket(self.bucket.clone())
             .key(&self.s3_key.0)
             .part_number(Into::<u16>::into(part_number) as i32)
             .upload_id(self.upload_id.to_string());
+
+        // Add checksum algorithm if not disabled for S3 compatibility
+        if !are_checksums_disabled() {
+            builder = builder.checksum_algorithm(ChecksumAlgorithm::Crc32);
+        }
+
         Ok(UploadPart {
             part_number,
             builder,

crates/aws_utils/src/lib.rs

@@ -33,6 +33,20 @@ static AWS_S3_FORCE_PATH_STYLE: LazyLock<bool> = LazyLock::new(|| {
         .unwrap_or_default()
 });
 
+static AWS_S3_DISABLE_SSE: LazyLock<bool> = LazyLock::new(|| {
+    env::var("AWS_S3_DISABLE_SSE")
+        .ok()
+        .and_then(|s| s.parse().ok())
+        .unwrap_or_default()
+});
+
+static AWS_S3_DISABLE_CHECKSUMS: LazyLock<bool> = LazyLock::new(|| {
+    env::var("AWS_S3_DISABLE_CHECKSUMS")
+        .ok()
+        .and_then(|s| s.parse().ok())
+        .unwrap_or_default()
+});
+
 /// Similar aws_config::from_env but returns an error if credentials or
 /// region is are not. It also doesn't spew out log lines every time
 /// credentials are accessed.
@@ -62,3 +76,13 @@ pub async fn must_s3_config_from_env() -> anyhow::Result<S3ConfigBuilder> {
     s3_config_builder = s3_config_builder.force_path_style(*AWS_S3_FORCE_PATH_STYLE);
     Ok(s3_config_builder)
 }
+
+/// Returns true if server-side encryption headers should be disabled
+pub fn is_sse_disabled() -> bool {
+    *AWS_S3_DISABLE_SSE
+}
+
+/// Returns true if checksum headers should be disabled
+pub fn are_checksums_disabled() -> bool {
+    *AWS_S3_DISABLE_CHECKSUMS
+}

self-hosted/docker/docker-compose.yml

@@ -28,6 +28,8 @@ services:
       - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
       - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-}
       - AWS_S3_FORCE_PATH_STYLE=${AWS_S3_FORCE_PATH_STYLE:-}
+      - AWS_S3_DISABLE_SSE=${AWS_S3_DISABLE_SSE:-}
+      - AWS_S3_DISABLE_CHECKSUMS=${AWS_S3_DISABLE_CHECKSUMS:-}
       - S3_STORAGE_EXPORTS_BUCKET=${S3_STORAGE_EXPORTS_BUCKET:-}
       - S3_STORAGE_SNAPSHOT_IMPORTS_BUCKET=${S3_STORAGE_SNAPSHOT_IMPORTS_BUCKET:-}
       - S3_STORAGE_MODULES_BUCKET=${S3_STORAGE_MODULES_BUCKET:-}