self-hosting BucketLens

// for teams running on internal infrastructure
// read the security section before changing any defaults
BucketLens binds to 127.0.0.1 by default.
Exposing it on a network without authentication means anyone on that network can delete your S3 objects.
Do not change the bind address until auth is configured.
single user — the simple case
git clone https://github.com/vishukamble/bucketlens
cd bucketlens
pip install flask boto3
python app.py  # → http://127.0.0.1:8080
team deployment — internal server
# server requirements
python 3.8+
nginx or caddy
aws credentials or IAM role on the server
01 clone and install
git clone https://github.com/vishukamble/bucketlens /opt/bucketlens
cd /opt/bucketlens && pip install flask boto3
02 systemd service
/etc/systemd/system/bucketlens.service

[Unit]
Description=BucketLens S3 Browser
After=network.target

[Service]
Type=simple
User=bucketlens
WorkingDirectory=/opt/bucketlens
Environment=BucketLens_PORT=8080
Environment=AWS_PROFILE=default
ExecStart=/usr/bin/python3 app.py
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

sudo systemctl enable bucketlens
sudo systemctl start bucketlens
03 nginx reverse proxy
server {
    listen 80;
    server_name bucketlens.internal;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        client_max_body_size 500M;
    }
}
04 minimal IAM policy
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BucketLensAccess",
    "Effect": "Allow",
    "Action": [
      "s3:ListAllMyBuckets",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject"
    ],
    "Resource": [
      "arn:aws:s3:::your-bucket-name",
      "arn:aws:s3:::your-bucket-name/*"
    ]
  }]
}
Replace your-bucket-name. Never use Resource: * in production.
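A policy tends to drift from this minimal form once more buckets are added, so it helps to check it before attaching it. The linter below is an added example, not part of BucketLens; lint_policy and its finding messages are hypothetical names, and it flags wildcard actions, actions outside the five listed above, resources that do not name a single bucket, and an unreplaced your-bucket-name.

```python
import json

# The five actions granted by the minimal policy on this page (IAM action
# names are case-insensitive, so compare in lower case).
ALLOWED = {a.lower() for a in (
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject",
    "s3:PutObject", "s3:DeleteObject")}
ARN_PREFIX = "arn:aws:s3:::"

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy_text):
    """Return findings for a policy document; an empty list means it passed."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        label = stmt.get("Sid", f"statement {i}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{label}: NotAction/NotResource grants everything unlisted")
        for action in as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"{label}: wildcard action {action}")
            elif action.lower() not in ALLOWED:
                findings.append(f"{label}: action {action} is outside the minimal set")
        for resource in as_list(stmt.get("Resource")):
            bucket = resource[len(ARN_PREFIX):].split("/", 1)[0]
            if not resource.startswith(ARN_PREFIX) or not bucket or "*" in bucket or "?" in bucket:
                findings.append(f"{label}: resource {resource} does not name one bucket")
            elif bucket == "your-bucket-name":
                findings.append(f"{label}: placeholder bucket name not replaced")
    return findings

# Constructed sample: a policy widened the way the page warns against.
WIDENED = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}})

if __name__ == "__main__":
    for finding in lint_policy(WIDENED):
        print(finding)
```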
auth — interim options
Team auth is on the roadmap. Until then:
htpasswd -c /etc/nginx/.htpasswd yourusername
# in nginx location block:
auth_basic "BucketLens";
auth_basic_user_file /etc/nginx/.htpasswd;
Tailscale or WireGuard is cleaner —
VPN-only access with zero nginx config.
updating
cd /opt/bucketlens
git pull
sudo systemctl restart bucketlens
environment variables
BucketLens_PORT      8080        port to bind
AWS_PROFILE          default     credentials profile
AWS_DEFAULT_REGION   us-east-1   region override