S3 Replication

Imara can replicate every ledger entry to any S3-compatible object store asynchronously — AWS S3, Google Cloud Storage, Azure Blob Storage, Cloudflare R2, or a self-hosted MinIO instance. The local BoltDB ledger is always the source of truth; S3 is a durable secondary replica for regulatory access.

How replication works

After each ledger write, Imara queues the entry for async replication. The queue is drained by a background worker that writes one JSON object per entry to your configured bucket. Objects are keyed by {tenant_id}/{timestamp}-{hash}.json, under the optional key prefix if one is configured.

Replication never blocks the hot path: each entry is committed locally before the upload is attempted, and a failed upload is retried with exponential backoff.

stratus.toml configuration

Enable replication by adding an [audit_replication] block to your stratus.toml.

[audit_replication]
enabled    = true
bucket     = "stratus-audit-prod"
region     = "us-east-1"
prefix     = "ledger/"          # optional key prefix

# Credentials — prefer IAM roles in production
access_key = "AKIAIOSFODNN7EXAMPLE"
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Override endpoint for non-AWS providers
endpoint   = ""                 # leave empty for AWS S3

Provider-specific examples

Cloudflare R2

R2 is S3-compatible. Set the endpoint to your account's R2 URL.

[audit_replication]
enabled  = true
bucket   = "stratus-audit"
region   = "auto"
endpoint = "https://<ACCOUNT_ID>.r2.cloudflarestorage.com"
access_key = "<R2_ACCESS_KEY>"
secret_key = "<R2_SECRET_KEY>"

Google Cloud Storage

GCS exposes an XML API compatible with S3. Enable interoperability in the GCS console first.

[audit_replication]
enabled  = true
bucket   = "stratus-audit-eu"
region   = "europe-west1"
endpoint = "https://storage.googleapis.com"
access_key = "<HMAC_ACCESS_ID>"
secret_key = "<HMAC_SECRET>"

MinIO (self-hosted)

[audit_replication]
enabled    = true
bucket     = "stratus-audit"
region     = "us-east-1"         # MinIO requires a region string
endpoint   = "http://localhost:9000"

# MinIO's default root credentials; replace them for anything beyond local testing
access_key = "minioadmin"
secret_key = "minioadmin"

SQLite metadata index

Alongside raw object replication, Imara maintains a SQLite metadata index that powers the regulator portal's fleet search and per-tenant summaries. Enable it with the [metadata] block.

[metadata]
enabled  = true
db_path  = "./data/stratus-meta.db"   # SQLite file path

The metadata index is built from replicated S3 objects. If you disable replication, the fleet dashboard will fall back to the local BoltDB ledger.

Verifying replication

After booting with replication enabled, confirm objects are landing in your bucket.

# AWS CLI
aws s3 ls s3://stratus-audit/ledger/ --recursive

# Check an individual entry
aws s3 cp s3://stratus-audit/ledger/acme-bank/2026-04-21-a3f9c2d8.json - | jq .
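
To go beyond spot checks, a recursive listing can be audited against the key layout described under "How replication works". This is an added example, not Imara's own tooling: the function names and sample listing are constructed here, and it assumes the timestamp is YYYY-MM-DD and the hash is lowercase hex, as in the sample key above.

```shell
#!/bin/sh
# Added example: audit `aws s3 ls --recursive` output against the key layout
#   {prefix}{tenant_id}/{timestamp}-{hash}.json
# Assumption: timestamp is YYYY-MM-DD and hash is lowercase hex, as in the
# sample key on this page. Adjust the regex if your keys differ.

PREFIX="ledger/"   # must match `prefix` in [audit_replication]

# Reads listing lines ("DATE TIME SIZE KEY") on stdin. Prints
# "tenant <id> <count>" per tenant and "unexpected <key>" for every object
# that is empty or does not fit the layout. Returns 1 if any were unexpected.
audit_listing() {
  awk -v prefix="$PREFIX" '
    {
      size = $3 + 0
      key = $0
      sub(/^[^ ]+ +[^ ]+ +[0-9]+ /, "", key)   # keep keys with spaces intact
      if (prefix != "" && index(key, prefix) != 1) {
        print "unexpected " key; bad++; next
      }
      n = split(substr(key, length(prefix) + 1), part, "/")
      if (n == 2 && part[1] != "" && size > 0 &&
          part[2] ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9a-f]+\.json$/) {
        count[part[1]]++
      } else {
        print "unexpected " key; bad++
      }
    }
    END {
      for (t in count) print "tenant " t " " count[t]
      exit (bad > 0)
    }'
}

# Constructed sample listing (not real bucket contents).
sample_listing() {
  cat <<'EOF'
2026-04-21 10:15:02       1432 ledger/acme-bank/2026-04-21-a3f9c2d8.json
2026-04-21 10:15:09       1398 ledger/acme-bank/2026-04-21-0b77e1c4.json
2026-04-21 10:16:40       1510 ledger/northwind/2026-04-21-9d2e44af.json
2026-04-21 10:17:03          0 ledger/northwind/2026-04-21-51c0aa10.json
2026-04-21 10:18:11        220 ledger/acme-bank/notes.txt
EOF
}

sample_listing | audit_listing || echo "listing contains unexpected objects"
```

Against a live bucket, pipe the listing command shown above into `audit_listing`; an empty object or a key outside the layout in an audit bucket is worth investigating as either a failed upload or a write from something other than the replication worker.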