Documentation — BringBucket

Overview

What BringBucket is and how the BYOC model works.

BringBucket is a file management dashboard that connects to your own S3-compatible cloud storage. Instead of storing your files on our servers, we act as a secure UI layer on top of buckets you already own — at AWS, Cloudflare, MinIO, Supabase, and more.

Your data, your cloud

Files never touch BringBucket servers. They live in the bucket you connected.

Encrypted credentials

Access keys are encrypted with AES-256-GCM before being stored in our database.

Any S3-compatible provider

Works with AWS S3, Cloudflare R2, MinIO, Supabase Storage, and more.

BringBucket requires you to have an existing cloud storage account. We do not provide storage ourselves — we provide the interface to manage yours.

Getting Started

From sign-up to managing your first file in under 5 minutes.

Create your account

Visit bringbucket.com and click Get Started. Sign up with your Google account — no password or credit card required.

Go to Onboarding

After signing in for the first time you are automatically taken to the Connect Your Storage onboarding flow. You can also reach it later from Dashboard → Add Bucket.

Select your cloud provider

Choose the provider where your bucket lives: AWS S3, Cloudflare R2, MinIO, or Supabase Storage. MinIO and Supabase require a Pro plan.

Enter your credentials

Fill in the connection form with your bucket name, region, endpoint URL, access key ID, and secret access key. See the Connecting Providers section for provider-specific instructions.

Verify the connection

Click Verify Connection. BringBucket performs a lightweight read-check on your bucket to confirm the credentials are valid before saving.

Start managing files

Once verified, you are redirected to the file manager. You can upload files, create folders, and share links immediately.

You can connect multiple buckets — one per provider on the free plan, unlimited on Pro. Switch between them using the bucket selector in the left sidebar of the dashboard.

Connecting Providers

Step-by-step credential guides for each supported provider.

All providers use the same S3-compatible API. The differences are in where to find your credentials and what endpoint URL to use.

AWS S3

Log in to the AWS Management Console and open the S3 service. Create a new bucket or use an existing one. Note the bucket name and the region (e.g. us-east-1).

Open IAM → Users and create a new user. On the permissions step, attach the following inline policy (replace YOUR_BUCKET_NAME):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:ListBucket"
    ],
    "Resource": [
      "arn:aws:s3:::YOUR_BUCKET_NAME",
      "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    ]
  }]
}

Under the new IAM user, go to Security credentials → Access keys and create an access key. Copy both the Access Key ID and the Secret Access Key.
In BringBucket, select AWS S3 and fill in:

Bucket Namemy-bucket-name

Regionus-east-1

Endpointhttps://s3.us-east-1.amazonaws.comoptional

Access Key IDAKIAIOSFODNN7EXAMPLE

Secret Access KeywJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Never share your AWS Secret Access Key. If it is compromised, rotate it immediately in IAM and update the credentials in BringBucket.

Cloudflare R2

Log in to the Cloudflare dashboard. Open R2 Object Storage from the left sidebar, then click Create bucket.
On the R2 overview page, copy your Account ID shown in the top right. Your endpoint will be:https://<account-id>.r2.cloudflarestorage.com
Go to Manage R2 API tokens (link on the R2 overview). Create a new token with Object Read & Write permissions, scoped to your bucket. Copy the Access Key ID and Secret Access Key.

Bucket Namemy-r2-bucket

Regionautoalways 'auto' for R2

Endpointhttps://abc123.r2.cloudflarestorage.com

Access Key IDyour-r2-access-key-id

Secret Access Keyyour-r2-secret-access-key

Cloudflare R2 charges zero egress fees. It is the most cost-effective option if you share or download files frequently.

MinIO (Self-hosted)

MinIO is a self-hosted S3-compatible server. You need a running MinIO instance accessible over the internet (or your private network if BringBucket is self-deployed).

Open the MinIO Console (usually at http://localhost:9001) and log in as admin.
Go to Buckets → Create Bucket. Give it a name.
Go to Identity → Users → Create User. Assign the readwrite policy (or a custom policy).
Under the user, create a Service Account to get an access key and secret.

Bucket Namemy-minio-bucket

Regionus-east-1any value works

Endpointhttps://minio.yourdomain.com

Access Key IDminio-service-account-key

Secret Access Keyminio-service-account-secret

MinIO requires a Pro plan. Your MinIO server must be reachable over HTTPS. Self-signed certificates are not supported.

Supabase Storage

Open your project in the Supabase dashboard. Go to Storage → Buckets and create a bucket. Set it to private for full access control.
Go to Settings → API. Copy your Project URL and the service_role secret (under Project API keys).
Your S3 endpoint is derived from your project URL — replace https://<ref>.supabase.co with https://<ref>.supabase.co/storage/v1/s3.

Bucket Namemy-supabase-bucket

Regionauto

Endpointhttps://abcdefgh.supabase.co/storage/v1/s3

Access Key IDyour-supabase-project-ref

Secret Access Keyyour-service-role-secret

Supabase Storage requires a Pro plan.

File Manager

Uploading, organizing, previewing, and deleting files.

Uploading files

Click the Upload button in the toolbar, or drag and drop files directly onto the file list area. Multiple files can be selected at once. Progress is shown per-file in a toast notification.

Creating folders

Click + New Folder in the toolbar. Folders are virtual prefixes in your S3 bucket — they do not consume storage on their own.

Navigating

Click any folder to open it. The breadcrumb trail at the top shows your current path. Click any segment to jump back to that level.

Selecting a file

Click any file row to open the File Details panel on the right. From there you can preview (for images), download, rename, share, or delete the file.

Searching

Use the search bar at the top of the file list to filter files by name within the current folder. Search is case-insensitive and matches partial names.

Renaming a file or folder

Select the file, then click Rename in the Details panel. For S3 providers, renaming copies the object to the new key and deletes the old one — this is a standard S3 operation.

Deleting

Select the file, then click Delete in the Details panel. A confirmation dialog appears. Deletions are permanent and cannot be undone from BringBucket.

Deleting a folder deletes all objects under that prefix. There is no recycle bin. Make sure your S3 bucket has versioning enabled if you need recovery.

Generate a shareable link for any file in your bucket.

Creating a share link

Select any file in the file manager, then click Share in the File Details panel. BringBucket generates a short, public link:

https://app.bringbucket.com/share/[token]

How it works

When a visitor opens the share link, BringBucket uses your stored credentials to generate a time-limited pre-signed URL directly from your S3 bucket. The file is served from your cloud provider — not from BringBucket's servers.

Copying the link

After clicking Share, the link is automatically copied to your clipboard and shown in a toast. You can also re-open the share dialog from the Details panel at any time.

Password protection and custom expiry times for share links are on the roadmap. Today, links remain active until you delete the share record from the Details panel.

Security Model

How BringBucket handles your credentials and protects your data.

Credential storage

Your access key ID and secret access key are encrypted with AES-256-GCM using a server-side key before being written to our database. The encryption key is never stored alongside the credentials.

No file access

BringBucket never stores your files. All uploads and downloads are streamed directly between your browser and your S3 bucket. Our server acts as a credential broker, not a data store.

Transport security

All communication between the browser, BringBucket servers, and your cloud provider is encrypted over TLS 1.2+. We enforce HTTPS on all endpoints and reject plain HTTP connections.

Least-privilege recommendation

We recommend creating a dedicated IAM user or service account with only the permissions BringBucket needs: list, get, put, and delete on a single bucket. Avoid using root or admin credentials.

Revoking access

To revoke BringBucket's access to your bucket, delete or disable the IAM user / API token in your cloud provider's console. You can also delete the bucket connection from BringBucket's dashboard, which removes the encrypted credentials from our database.

Rotate your access keys periodically (every 90 days is a reasonable baseline). After rotating, update the credentials in Dashboard → Settings → Connections.

Have a security concern?

Please email us at security@bringbucket.com or open a ticket on the Support page.

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*" ] }] }

BringBucket User Guide

Overview

Getting Started

Connecting Providers

AWS S3

Cloudflare R2

MinIO (Self-hosted)

Supabase Storage

File Manager

Security Model

BringBucket User Guide

Overview

Getting Started

Connecting Providers

AWS S3

Cloudflare R2

MinIO (Self-hosted)

Supabase Storage

File Manager

Security Model

BringBucket User Guide

Overview

Getting Started

Connecting Providers

AWS S3

Cloudflare R2

MinIO (Self-hosted)

Supabase Storage

File Manager

Sharing & Links

Security Model

BringBucket User Guide

Overview

Getting Started

Connecting Providers

AWS S3

Cloudflare R2

MinIO (Self-hosted)

Supabase Storage

File Manager

Sharing & Links

Security Model