Transforming S3 into local storage: Mountpoint solutions for Domino data science workflows

Overview and goals

The challenge: Data science teams working with large datasets in Domino typically rely on EFS-backed datasets, which provide shared file system access but can become expensive at scale and may have performance limitations for certain workloads. While EFS offers the familiar file system interface, organizations often have vast amounts of data already stored in S3 that teams want to access directly without costly data movement.

The FUSE dilemma: FUSE (Filesystem in Userspace) enables mounting object storage like S3 as a traditional file system, providing the intuitive file/folder browsing experience that data scientists expect — similar to a shared network drive. However, FUSE implementations typically require elevated privileges (access to /dev/fuse) and run in userspace, which creates significant security concerns in containerized environments like Domino, where unprivileged execution is preferred.

The solution: AWS Mountpoint for Amazon S3 (which is indeed built on FUSE technology) addresses these security concerns by implementing FUSE at the Kubernetes node level through a CSI driver, rather than within individual containers. This approach provides:

• Cost-effective storage by directly accessing S3 without EFS overhead for large datasets
• Familiar file system interface with standard file/folder browsing capabilities
• Enhanced security through node-level FUSE implementation and controlled workspace access
• Seamless integration with existing S3 data lakes and storage policies
• Scalable access to virtually unlimited S3 storage capacity

When should you consider running mountpoint S3 on Domino?

Large dataset economics: When your teams work with datasets where EFS costs become prohibitive, or when you have existing large datasets in S3 that teams need to access directly. S3 storage is significantly more cost-effective than EFS for infrequently accessed or archival data.

Shared drive experience for S3 data: When data scientists need intuitive file/folder browsing of S3 buckets — the familiar "network drive" experience where they can navigate directories, preview files, and work with data using standard file operations rather than AWS CLI or API calls.

Security-conscious environments: When you need FUSE-like functionality but cannot accept the security risks of traditional FUSE implementations that require container-level privileges. The CSI driver approach isolates FUSE operations at the node level.

Multi-region or hybrid access: When teams need to access the same S3 data from multiple Domino environments or when integrating with external systems that also consume the same S3 buckets.

Warning signs you need this:

• EFS costs are growing disproportionately to usage
• Teams are manually copying large datasets from S3 to EFS for projects
• Data scientists request "Windows file share" or "network drive" access to S3 data
• You're maintaining duplicate datasets in both S3 and EFS
• Security teams have blocked traditional FUSE solutions due to privilege requirements

When NOT to use:

• For small, frequently accessed datasets where EFS performance is optimal
• When your security policies cannot accommodate any FUSE-based solutions
• For write-heavy workloads where EFS's POSIX compliance is critical
• When teams only need programmatic S3 access via SDKs

The mountpoint solution essentially transforms S3 from an API-driven object store into a browsable, shared file system while maintaining security boundaries and cost advantages.

How can you achieve secure, familiar file system access to shared S3 data in Domino workflows?

FUSE (Filesystem in Userspace) can be a very convenient way to extend file system functionality. Since FUSE requires some level of privilege to operate (e.g., access to /dev/fuse), it can expose additional attack surfaces if not tightly controlled. In containerized environments, this can complicate security policies, especially in secure platforms like Domino.

FUSE is popular among life science customers, and many Domino users would like to use the file browsing experience inside Domino.

The AWS mountpoint for the Amazon S3 CSI driver accomplishes the user requirements while addressing the security concerns.

The AWS mountpoint for the Amazon S3 CSI driver will configure the fuse file system at the compute node level. Domino external device volumes (EDV) can be used to provide controlled access from the workspaces to the underlying FUSE file system.

Prerequisites

Setting up mountpoint for the Amazon S3 CSI driver requires access to the AWS account for configuration changes as well as Kubernetes access and Domino administrator access.

High-level implementation steps

1. AWS IAM setup: Configure IAM policies and service accounts to provide least-privilege S3 access. The blueprint includes tested policy templates for common S3 operations (ListBucket, GetObject, PutObject, DeleteObject) and eksctl commands for seamless EKS integration.

2. CSI driver deployment: Deploy the AWS Mountpoint S3 CSI driver using Helm with properly configured service account annotations and role ARNs. The driver operates at the Kubernetes node level, maintaining security isolation while enabling FUSE functionality.

3. Storage provisioning: Create Persistent Volumes (PV) and Persistent Volume Claims (PVC) with S3-specific configurations including mount options for proper uid/gid mapping, region settings, and access permissions optimized for Domino workloads.

4. Domino EDV integration: Configure the provisioned storage as Domino external data volume (EDV), enabling controlled access from workspaces while maintaining security boundaries and providing the familiar file browser experience.

Key configuration considerations

• Unique volumeHandle required for each S3 bucket
• Proper namespace configuration (domino-compute for PVCs)
• Mount options tuned for multi-user access (allow-other, uid/gid mapping)
• Regional S3 bucket alignment for optimal performance

Complete implementation details, including full YAML configurations, IAM policies, and troubleshooting guidance, are available in the AWS Mountpoint S3 CSI Driver repository.

Validation

Create a workspace with the Domino external data volume mounted. Browse the EDV and access the S3 bucket.

Observe the file system mounts.

Limitations

Although the mountpoint S3 solution offers lots of benefits to the data science users on Domino, it is also limited by the features available compared to a real file system.