NodeOps
UK

Bring your own storage (BYOS3)

You mount your own S3-compatible bucket into a sandbox as a filesystem path. The bucket stays in your account, your cloud, and your region. The sandbox reads and writes through it; you never copy data into CreateOS storage.

This is the building block for data residency: pick where the bucket lives, and that is where your data lives.

Works with any S3-compatible store

A disk is registered with an endpoint, bucket, region, and credentials, so anything that speaks the S3 API works:

ProviderNotes
AWS S3endpoint: https://s3.amazonaws.com, set your region.
Cloudflare R2region defaults to auto.
TigrisS3-compatible endpoint; set region per your bucket.
MinIO (self-hosted)Set use_path_style: true.

Credentials are encrypted at rest (AES-256-GCM), are write-only, and are never returned in any API response.

Why this gives you data residency

  • Your bucket, your region. Create the bucket in the jurisdiction you need (e.g. an EU region for GDPR). Sandbox data written to that mount stays there.
  • Your provider, your controls. Bucket policies, versioning, encryption keys, and audit logging stay under your account, not ours.
  • Detach is clean. Detaching a disk only drops the in-VM mount. Bucket contents are never touched by CreateOS.

How to mount a bucket

1. Register the bucket as a disk

Bash
1curl -X POST https://api.sb.createos.sh/v1/disks \
2 -H "X-Api-Key: $CREATEOS_API_KEY" \
3 -H "Content-Type: application/json" \
4 -d '{
5 "name": "eu-data",
6 "kind": "s3",
7 "config": {
8 "bucket": "my-eu-bucket",
9 "endpoint": "https://s3.eu-central-1.amazonaws.com",
10 "region": "eu-central-1"
11 },
12 "credentials": {
13 "access_key": "AKIA…",
14 "secret_key": "wJalrX…"
15 }
16 }'

The API probes the bucket at registration time to catch typos early. For MinIO and most self-hosted S3 stores, add "use_path_style": true to config.

2. Attach it to a sandbox

Attach at create time, or live to a running sandbox:

Bash
1curl -X POST https://api.sb.createos.sh/v1/sandboxes/$SANDBOX_ID/disks \
2 -H "X-Api-Key: $CREATEOS_API_KEY" \
3 -H "Content-Type: application/json" \
4 -d '{"disk_id": "eu-data", "mount_path": "/mnt/data"}'

The in-VM agent mounts it within ~1 second. Files written under /mnt/data land in your bucket. Use sub_path to mount only a prefix (e.g. "sub_path": "team-a/").

3. Detach when done

Bash
1curl -X DELETE \
2 "https://api.sb.createos.sh/v1/sandboxes/$SANDBOX_ID/disks/$DISK_ID?mount_path=/mnt/data" \
3 -H "X-Api-Key: $CREATEOS_API_KEY"

Only the mount is dropped; the bucket and its contents remain.

Full reference

See the Disks API for every endpoint, field, and error, and Disks, networks & templates for the SDK equivalents.

100,000+ Builders. One Platform.

Get product updates, builder stories, and early access to features that help you ship faster.

NodeOps is the agentic operating system for production AI. CreateOS is its flagship product.