A hash at the front of a changelog entry indicates the hash of the container that first contained the change. There will only ever be multiple hashes in a single changelog if the underlying image was rebuilt to fix a security vulnerability.


  • (284bff51176f) Added support for capture groups in the folder mapping with the capture-tenant-regex key.
    • In the folder mapping, the object-regex key has been renamed to explicit-tenant-regex. To maintain compatibility, we will still support the object-regex key until the next major release.


  • (8b6802c737a8) Fixed bug that prevented configuring new features added in v1.1.0 in a deployment.


  • (e65f2c1ab408) Added ability to specify encryption tenant ID in request headers.
  • (e65f2c1ab408) Added configuration option to deny encryption requests with invalid tenant ID.


  • (a8f1ec5b02ae) Initial release.

Versioning Policy

The S3 Proxy Docker container follows normal Semver style versioning. A change in version of the Proxy means that some code change occurred within the image. However, in order to follow best practices and address possible security vulnerabilities within container’s underlying image, we will also periodically update the base image of one or more tagged versions. This will cause the container hash to change, but the tag to remain the same.
The following policy governs version numbering. The primary goal of this policy is to communicate changes when they occur within the Proxy, quickly address and fix vulnerabilities in current/old versions, and to avoid hosting tagged, vulnerable images within our registry.
  • Docker image tags WILL change if there are code changes within the image. This means that there are direct code changes between versions 1.0.1 and 1.0.2.
  • Docker image tags WILL change if we move to a completely different underlying base image, i.e. from alpine to slim or something similar.
  • Docker image tags WILL NOT change if we just update the base image to fix a container vulnerability.
  • Tagged Docker images will never be removed from our public registry, with the exception of pre-release/beta tags (those in the form x.y.z-betaN).
  • Untagged images with or without vulnerabilities will continue to live in GCR for some time period, but they may eventually be removed.