Disabling anonymous direct S3 access to the NixOS cache

If you are not maintaining software which uses AWS S3 directly to access the NixOS cache contents, you can stop reading now. This does not impact any access through the cache CDN, e.g. https://cache.nixos.org/ and does not impact Nix/NixOS end-users.

The NixOS cache is hosted on Amazon S3 and its contents are publicly readable to anyone. However, any access to the cache currently results in costs to the NixOS Foundation. We’ve recently noticed that this might be representing a non-trivial portion of the infrastructure costs. As a countermeasure, we will be implementing the following change:

  • Accessing the nix-cache S3 bucket directly will require authentication. The contents are still worldwide readable and can be accessed without special authorization, but you’ll need an AWS account and requests will need to be properly signed with your credentials.
  • Additionally, we will be enabling the Requester Pays option on the S3 Bucket. This means that the costs induced for direct access to the nix-cache S3 bucket will be charged to the AWS user who sent the request, not the NixOS Foundation. This requires specific opt-in configuration so it shouldn’t take anyone by surprise.

This change will take effect on: 2023-11-04.

Summary of actions required:

  • If you use https://nix-cache.s3.amazonaws.com/ or https://nix-cache.s3.us-east-1.amazonaws.com/ directly: use https://cache.nixos.org/ instead. You can also use signed HTTP requests with the x-amz-request-payer flag set.
  • If you use s3://nix-cache via a programmatic client or the S3 CLI, make sure that your client has AWS credentials, and configure it to use x-amz-request-payer (docs).
  • If you are in neither of these cases: you should not be impacted.
  • If you switch to x-amz-request-payer: estimate the costs and ensure you’ll be able to pay the bill that will now be charged to you!

– your friendly NixOS infrastructure team


One reason someone might be doing this is because they’re running in AWS themselves, and so the CDN is actually further away.

As per the last point, if this is you and you’re in the same region and are sure that it’s better going directly, then the actual cost (both today and after) should be immaterial. This is just an incentive to make sure.


This change has now been rolled out.