Add S3 blob storage with cashier billing to ic-gateway by shilingwang · Pull Request #193 · dfinity/ic-gateway

shilingwang · 2026-04-17T13:22:57Z

#NODE-1941

Summary

Adds a full blob storage API to ic-gateway, enabling upload/download of content-addressed blobs backed by a single AWS S3 bucket with per-owner billing through the cashier canister.
Introduces new /v1/ HTTP endpoints for blob metadata, chunk operations, and owner data management, gated behind --s3-endpoint and --cashier-canister-id CLI flags.
Integrates billing (budget checks, usage reporting) via a CashierConnector that caches budgets locally and flushes usage counters periodically, wired into ic-gateway's existing TaskManager and HealthManager.

New modules

src/s3/ — S3 client abstraction (BucketLike trait, AWSBucket impl, RamFakeBucket for dev), config
src/cashier/ — CashierClient (4 canister calls: whoami, pricelist, budget, usage reporting), CashierConnector (local billing cache + periodic flush)
src/storage/ — Shared types (blob metadata, hash tree, chunk constants), S3 key paths, IC egress certificate auth
src/routing/storage/ — Axum handlers + router for all /v1/ endpoints

HTTP endpoints (under /v1/)

HEAD /v1/blob — Blob metadata headers (size, content type)
GET /v1/blob — Download blob with Range header support
GET /v1/blob-tree — Raw blob metadata JSON
PUT /v1/blob-tree — Upload blob metadata (with IC egress cert auth)
GET /v1/chunk — Download a single chunk
PUT /v1/chunk — Upload a single chunk (SHA-256 verified)
DELETE /v1/owner — Delete all data for an owner (host-gated)

Design decisions

Single S3 bucket: One bucket configured via CLI, no multi-bucket routing. Simpler than the multi-instance model in object-storage.
Billing gated: Storage routes are only mounted when both --s3-endpoint and --cashier-canister-id are provided. Without either, ic-gateway serves only normal IC traffic.
Budget caching: Per-owner budgets cached for 30s to avoid hitting the cashier canister on every request. Usage counters flushed every 10s.
IC egress auth: PUT /blob-tree verifies an OwnerEgressSignature certificate from the request body. Bypassable with --fake-ingress-auth for local dev.

frankdavid

Are there any plans for testing?

frankdavid · 2026-04-22T16:59:13Z

+                    data.len()
+                };
+
+                yield bytes::Bytes::copy_from_slice(&data[s..e]);


if s == 0 and e == data..len(), skip copying. Alternatively you can create Bytes from data and then use Bytes::slice which is O(1).

frankdavid · 2026-04-23T13:41:51Z

+    async fn consume_budget(&self, owner: &Principal, cost: i64) -> Result<(), BillingError> {
+        {
+            let mut budgets = self.budgets.write().await;
+            if let Some(cached) = budgets.get_mut(owner) {


maybe turning around the structure would be easier to read:

if not in cache or too old { refresh cache... } try_debit()

frankdavid · 2026-04-23T13:46:25Z

+    if divisor == 0 {
+        return 0;
+    }
+    (quantity as i64 * cost) / divisor


Can it ever overflow?

frankdavid · 2026-04-23T13:53:40Z

+        let bucket_c = state.bucket.clone();
+
+        let stream: async_stream::__private::AsyncStream<Result<bytes::Bytes, std::io::Error>, _> = async_stream::try_stream! {
+            for hash in &chunk_hashes {


The chunks are downloaded sequentially, is this on purpose?

shilingwang added 7 commits April 17, 2026 15:08

add s3 connection with billing to ic-gateway

608d9a6

remove the whoami part

f134ffe

use cors middleware

9130d35

move header constant to router

0073d2c

refactor storage/handlers.rs

7e4873c

refactor storage to be similar like ic

bb89666

refactor to put all storage related code under routing/storage

589733e

shilingwang marked this pull request as ready for review April 17, 2026 14:53

shilingwang requested a review from a team as a code owner April 17, 2026 14:53