- In high trace environments, inputs, outputs, errors, manifests, extras, and events may balloon the size of your databases.
- If using LangSmith Managed ClickHouse, you may want sensitive information in blob storage that resides in your environment. To alleviate this, LangSmith supports storing run inputs, outputs, errors, manifests, extras, events, and attachments in an external blob storage system.
Requirements
Azure blob storage is available in Helm chart versions 0.8.9 and greater. Deleting trace projects is supported in Azure starting in Helm chart version 0.10.43.Native GCS blob storage engine support (using
engine: "GCS") is available in Helm chart versions 0.13.29 and greater. For earlier versions, GCS is supported via the S3-compatible API by setting engine: "S3" with HMAC credentials.- Access to a valid blob storage service
-
A bucket/directory in your blob storage to store the data. We highly recommend creating a separate bucket/directory for LangSmith data.
- If you are using TTLs, you will need to set up a lifecycle policy to delete old data. For more information, see configuring TTLs. These policies should mirror the TTLs you have set in your LangSmith configuration, or you may experience data loss. See TTL configuration for blob storage for how to set up the lifecycle rules.
-
Credentials to permit LangSmith Services to access the bucket/directory
- You will need to provide your LangSmith instance with the necessary credentials to access the bucket/directory. Read the authentication section below for more information.
-
If using S3 or GCS, an API URL for your blob storage service
- This will be the URL that LangSmith uses to access your blob storage system
- For Amazon S3, this will be the URL of the S3 endpoint. Something like:
https://s3.amazonaws.comorhttps://s3.us-west-1.amazonaws.comif using a regional endpoint. - For Google Cloud Storage, this will be the URL of the GCS endpoint. Something like:
https://storage.googleapis.com
Authentication
- AWS
- GCP
- Azure
Amazon S3
To authenticate to Amazon S3, you will need to create an IAM policy granting the following permissions on your bucket.-
IAM Roles for Service Accounts (IRSA) (Recommended): You can create an IAM role for your LangSmith instance and attach the policy to that role. This is the recommended way to authenticate with Amazon S3 in production.
- You will need to create an IAM role with the policy attached.
- You will need to allow LangSmith service accounts to assume the role. The
langsmith-queue,langsmith-backend,langsmith-platform-backend, andlangsmith-ingest-queueservice accounts will need to be able to assume the role. - You will need to provide the role ARN to LangSmith. You can do this by adding the
eks.amazonaws.com/role-arn: "<role_arn>"annotation to thequeue,backend,platform-backend, andingest-queueservices in your Helm Chart installation.
-
Access Key and Secret Key: You can provide LangSmith with an access key and secret key. This is the simplest way to authenticate with Amazon S3. However, it is not recommended for production use as it is less secure.
- You will need to create a user with the policy attached. Then you can provision an access key and secret key for that user.
-
VPC Endpoint Access: You can enable access to your S3 bucket via a VPC endpoint, which allows traffic to flow securely from your VPC to your S3 bucket.
- You’ll need to provision a VPC endpoint and configure it to allow access to your S3 bucket.
- You can refer to our public Terraform modules for guidance and an example of configuring this.
KMS encryption header support
Starting with LangSmith Helm chart version 0.11.24, you can pass a KMS encryption key header and enforce a specific KMS key for writes by providing its ARN. To enable this, set the following values in your Helm chart:CH search
By default, LangSmith will still store tokens for search in ClickHouse. If you are using LangSmith Managed Clickhouse, you may want to disable this feature to avoid sending potentially sensitive information to ClickHouse. You can do this in your blob storage configuration.Configuration
After creating your bucket and obtaining the necessary credentials, you can configure LangSmith to use your blob storage system.Helm
If using an access key and secret, you can also provide an existing Kubernetes secret that contains the authentication information. This is recommended over providing the access key and secret key directly in your config. See the generated secret template for the expected secret keys.
TTL configuration
If using the TTL feature with LangSmith, you’ll also have to configure TTL rules for your blob storage. Trace information stored on blob storage is stored on a particular prefix path, which determines the TTL for the data. When a trace’s retention is extended, its corresponding blob storage path changes to ensure that it matches the new extended retention. The following TTL prefixes are used:ttl_s/: Short term (base) TTL, configured for 14 days.ttl_l/: Long term (extended) TTL, configured for 400 days by default.
Custom workspace-level retention prefixes
If you use workspace-level extended retention, LangSmith writes blob data to prefixes of the formttl_XXd/, where XX is the number of days configured for that workspace. For example, if a workspace is configured with 90-day extended retention, blob data for that workspace is written to the ttl_90d/ prefix.
You must create a lifecycle rule for each custom retention period configured across your workspaces. Common examples:
ttl_90d/— 90-day retentionttl_180d/— 180-day retentionttl_365d/— 365-day retention
ttl_s and ttl_l rules:
- AWS
- GCP
- Azure
- AWS
- GCP
- Azure
Amazon S3 lifecycle rules
If using S3 for your blob storage, you will need to setup a filter lifecycle configuration that matches the prefixes above. You can find information for this in the Amazon Documentation.As an example, if you are using Terraform to manage your S3 bucket, you would setup something like this:Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

