On-premise setup

On on-premise instances, UI Bakery Storage needs an external object storage backend. UI Bakery creates storage buckets automatically when users create buckets from the Storage tab, and then uses signed URLs for browser uploads and reads.

UI Bakery Storage supports two backend types:

• Azure Blob Storage

• S3-compatible storage

Set the storage provider before users start creating UI Bakery Storage buckets. Existing buckets keep the provider that was used when they were created; changing the provider later does not migrate existing buckets.

Azure Blob Storage

Azure Blob Storage is the default backend for UI Bakery Storage.

1. Create an Azure storage account

Open the Azure portal and go to Storage accounts -> Create.

UI Bakery Storage only needs a storage account. It creates containers automatically when users create buckets, so you do not need to create containers manually in advance.

Use the following settings:

• Preferred storage type: Blob storage or Azure Data Lake Storage (ADLS) Gen2

• Performance: Standard

• Redundancy: Locally-redundant storage (LRS) is the simplest default for most on-premise installations

• Enable hierarchical namespace: Disabled

• Access tier: Hot

• Allow anonymous access to blobs or containers: Disabled

• Enable storage account key access: Enabled

• Require secure transfer for REST API operations: Enabled

If you need a different redundancy option for compliance or disaster recovery, you can use it. UI Bakery Storage does not depend on a specific redundancy mode.

After the account is created, open Security + networking -> Access keys and copy one of the connection strings. You will use it in the UI Bakery environment variables.

2. Configure CORS for Blob service

UI Bakery uploads files from the browser directly to Azure by using signed URLs. Because of that, the Blob service must allow cross-origin requests from your UI Bakery domain.

Open your storage account in Azure and go to Resource sharing (CORS). Under Blob service, add a rule with these values:

• Allowed origins: your UI Bakery URL, for example https://uibakery.example.com

• Allowed methods: GET, HEAD, PUT, OPTIONS

• Allowed headers: content-type,x-ms-blob-type,baggage,sentry-trace,x-ms-*

• Exposed headers: *

• Max age: 3600

If you use more than one domain, add all of them to the CORS rule. For example, if users open UI Bakery from separate internal and external URLs, both origins should be allowed.

3. Configure environment variables

Add the Azure connection string to your on-premise .env file:

UI_BAKERY_STORAGE_PROVIDER=AZURE_BLOB is optional because Azure is the default provider. Set it explicitly if you want the configuration to be self-documenting.

If UI_BAKERY_ENABLED_FEATURE_FLAGS already contains other flags, keep them and add storageToolEnabled to the comma-separated list.

After updating the environment file, restart the on-premise services so the backend picks up the new variables.

S3-compatible storage

Use this option when your on-premise instance should store UI Bakery Storage data in an S3-compatible service, for example AWS S3, MinIO, Ceph, Cloudflare R2, or another object storage provider that supports the S3 API.

UI Bakery creates one physical bucket for each UI Bakery Storage bucket. The generated bucket name uses the uib-... prefix, so make sure your storage policy allows the UI Bakery backend to create and delete buckets with that naming pattern.

1. Prepare S3-compatible access

Create or choose S3 credentials for UI Bakery. The credentials must be able to:

• Create buckets

• Check bucket existence

• List objects

• Put objects

• Get objects

• Delete objects

• Delete buckets

If your provider requires a fixed region, use that region in the UI Bakery configuration. If it does not, use the provider's recommended default, commonly us-east-1.

2. Configure CORS

UI Bakery uploads files from the browser directly to the S3-compatible backend by using signed URLs. Configure CORS on your S3-compatible service to allow requests from your UI Bakery domain.

Use the equivalent of this rule:

Replace https://uibakery.example.com with your UI Bakery URL. If users access UI Bakery from multiple internal or external URLs, add every URL to the allowed origins list.

Some S3-compatible providers support * for exposed headers. If yours does, you can use it instead of ETag.

3. Configure environment variables

Add the S3-compatible storage settings to your on-premise .env file:

Configuration details:

• UI_BAKERY_STORAGE_S3_ENDPOINT is the S3 API endpoint. If you omit the scheme, UI Bakery treats it as HTTPS. For local or non-TLS endpoints, include http:// explicitly.

• UI_BAKERY_STORAGE_S3_REGION is required by the S3 client.

• UI_BAKERY_STORAGE_S3_ACCESS_KEY and UI_BAKERY_STORAGE_S3_SECRET_KEY are used by the backend and datasource runtime.

• UI_BAKERY_STORAGE_S3_PATH_STYLE defaults to true. Keep it enabled for most S3-compatible providers and local MinIO setups. Set it to false only if your provider supports virtual-hosted-style bucket URLs.

• UI_BAKERY_STORAGE_S3_PRESIGN_VALIDITY controls how long backend-generated upload and read URLs stay valid. The default is 15m.

If UI_BAKERY_ENABLED_FEATURE_FLAGS already contains other flags, keep them and add storageToolEnabled to the comma-separated list.

After updating the environment file, restart the on-premise services so the backend picks up the new variables.

4. Verify the setup

After the restart:

1. Open UI Bakery and go to the Storage tab.

2. Create a new bucket.

3. Upload a test file.

4. Open the uploaded file from UI Bakery to verify that signed read URLs work.

5. Delete the test bucket if you do not need it.

If bucket creation fails, check that the endpoint, region, credentials, and bucket-creation permissions are correct. If file upload fails in the browser, check the CORS rule for the exact UI Bakery origin and allowed headers.