Add Alibaba Cloud storage artifact-store

[safoinme]

Describe changes

I implemented/fixed _ to achieve _.

Pre-requisites

Please ensure you have done the following:

• I have read the CONTRIBUTING.md document.
• I have added tests to cover my changes.
• I have based my new branch on develop and the open PR is targeting develop. If your branch wasn't based on develop read Contribution guide on rebasing branch to develop.
• IMPORTANT: I made sure that my changes are reflected properly in the following resources:
  • ZenML Docs
  • Dashboard: Needs to be communicated to the frontend team.
  • Templates: Might need adjustments (that are not reflected in the template tests) in case of non-breaking changes and deprecations.
  • Projects: Depending on the version dependencies, different projects might get affected.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Other (add details above)

[htahir1]

Too much vibe!

[github-actions]

Documentation Link Check Results

❌ Absolute links check failed
There are broken absolute links in the documentation. See workflow logs for details
✅ Relative links check passed
_{Last checked: 2025-12-05 11:52:57 UTC}

[htahir1]

@claude /full-review

[claude]

Claude finished @htahir1's task —— View job

---

Full Review Complete ✅

I've completed a comprehensive review of the PR adding Alibaba Cloud OSS and MinIO artifact store documentation. Here are my findings:

---

Summary

This PR adds documentation for using Alibaba Cloud OSS and MinIO with ZenML's S3 artifact store integration. While the approach is sound and the documentation structure follows ZenML patterns, there are several critical issues that need to be addressed, particularly around incorrect authentication information and content organization.

---

Critical Issues

1. Incorrect Authentication Method in Alibaba OSS Documentation ⚠️ BLOCKER

File: docs/book/component-guide/artifact-stores/alibaba-oss.md:47-60

The documentation shows using --aws_access_key_id and --aws_secret_access_key in the secret creation and artifact store registration, which is misleading:

zenml secret create alibaba_secret \
    --aws_access_key_id='<YOUR_ALIBABA_ACCESS_KEY_ID>' \
    --aws_secret_access_key='<YOUR_ALIBABA_SECRET_ACCESS_KEY>'

Problems:

• The parameter names suggest AWS credentials, but these are Alibaba Cloud credentials
• There's no AWS Service Connector support for Alibaba Cloud OSS (as noted in review comments)
• The documentation should clarify that while the parameter names contain "aws" (for S3 compatibility), users need to provide their Alibaba Cloud access credentials

Recommendation: Add a note explaining why the parameter names reference "aws" but that users should provide their Alibaba Cloud OSS credentials. Consider showing both the secret creation method AND direct credential configuration for clarity.

💬 Inline comment added with specific suggestion

---

2. Missing Critical Configuration Information ⚠️ BLOCKER

File: docs/book/component-guide/artifact-stores/alibaba-oss.md:9-17

The warning about required config_kwargs is buried at the top but should be much more prominent. The current warning box placement is good, but the configuration example in line 59 doesn't show these required kwargs being used together with the secret.

Problem: Users following the ZenML Secret tab example will miss the critical config_kwargs requirement because the example command at line 55-60 shows:

zenml artifact-store register alibaba_store -f s3 \
    --path='s3://your-bucket-name' \
    --authentication_secret=alibaba_secret \
    --client_kwargs='{"endpoint_url": "https://oss-<region>.aliyuncs.com"}' \
    --config_kwargs='{"signature_version": "s3", "s3": {"addressing_style": "virtual"}}'

This is actually correct! But the warning at the top should explicitly reference that you'll see this in the configuration section.

Recommendation:

• Keep the warning at the top
• In the warning, add: "See the configuration example below to see how to set these parameters during registration."
• Consider adding a troubleshooting note about what happens if you forget these kwargs

💬 Inline comment added with enhanced warning text

---

3. Missing Link in Documentation ⚠️ HIGH PRIORITY

File: docs/book/component-guide/artifact-stores/alibaba-oss.md:7

The reference to "Alibaba Cloud" should link to the Alibaba Cloud homepage for user convenience.

Current:

you can use ZenML's S3 Artifact Store integration to connect to [Alibaba Cloud](https://www.alibabacloud.com) OSS.

The link IS present, so if the review comment says "link?" it might be asking for an additional link elsewhere or the link might have been added after the review.

---

4. Service Connector Confusion ⚠️ HIGH PRIORITY

File: docs/book/component-guide/artifact-stores/alibaba-oss.md:41-62

The documentation only shows a "ZenML Secret" tab but the structure implies there should be multiple authentication methods like the S3 docs show:

• Implicit Authentication tab
• AWS Service Connector tab (NOT applicable for Alibaba)
• ZenML Secret tab

Problem: Following the S3 documentation pattern would confuse users since Alibaba OSS doesn't support AWS Service Connectors.

Recommendation:

• Keep only the "ZenML Secret" tab (correct decision)
• Add a note at the beginning of the authentication section explicitly stating: "Note: Unlike AWS S3, Alibaba Cloud OSS does not support ZenML Service Connectors. Use ZenML Secrets for authentication."
• Alternatively, add an "Implicit Authentication" tab if that's supported

💬 Inline comment added with specific note suggestion

---

5. MinIO Documentation - Wrong Reference ⚠️ MEDIUM PRIORITY

File: docs/book/component-guide/artifact-stores/minio.md:61

The hint box references "S3 Artifact Store documentation" for "advanced configuration" but the link at line 74 goes to s3.md. The S3 docs do have an "Advanced Configuration" section, so this link works.

However, the review comment mentions "same problems with references to aws?" - this likely refers to the authentication parameters also using aws_access_key_id and aws_secret_access_key in the MinIO secret:

zenml secret create minio_secret \
    --aws_access_key_id='<YOUR_MINIO_ACCESS_KEY>' \
    --aws_secret_access_key='<YOUR_MINIO_SECRET_KEY>'

Recommendation: Add a note similar to Alibaba OSS explaining that while the parameter names reference "aws" (for S3 API compatibility), users should provide their MinIO access credentials.

💬 Inline comment added with clarification note

---

Additional Issues

6. Broken Absolute Links (CI Failure)

The CI reports broken absolute links. These need to be identified and fixed. Common issues:

• External links that are down
• Malformed URLs
• Links to moved content

Action Required: Check the CI logs to see which specific links are broken.

---

7. Inconsistent Content Depth

Comparing to the S3 and GCP documentation:

S3 docs include:

• Detailed "When would you want to use it?" with 4 specific use cases
• Multiple authentication methods with detailed warnings
• Advanced configuration section with technical details
• Links to deployment wizards and Terraform modules

Alibaba OSS docs include:

• Basic "When would you want to use it?" with 3 use cases ✓
• Only one authentication method (appropriate) ✓
• ❌ Missing deployment alternatives (not applicable, so OK)
• ❌ No advanced configuration section (should reference S3 docs more clearly)

Recommendation: Add a section or note pointing users to the S3 documentation's "Advanced Configuration" section for additional client_kwargs, config_kwargs, and s3_additional_kwargs options.

---

8. MinIO Deployment Information Could Be Enhanced

File: docs/book/component-guide/artifact-stores/minio.md:26-30

The deployment examples are good but could include:

• Security considerations (default credentials, network exposure)
• Production vs development usage
• Link to MinIO's official deployment guides

💬 Inline comment added with security warning suggestion

---

Positive Aspects ✅

1. Good structure - Follows ZenML documentation patterns consistently
2. Clear warning boxes - The warning about Alibaba OSS config requirements is well-placed
3. Appropriate authentication approaches - Correctly doesn't try to force Service Connector support where it doesn't exist
4. Good cross-references - Links to S3 documentation for additional details
5. Table of contents updated - Properly integrated into the navigation structure
6. README.md table updated - Correctly added to the flavor comparison table

---

Action Items for Author

Must Fix (Blockers):

1. ✅ Add clarification notes about "aws" parameter names in BOTH Alibaba OSS and MinIO docs explaining these are for S3 API compatibility
2. ✅ Add explicit note that Alibaba OSS does NOT support Service Connectors
3. ✅ Fix broken absolute links identified in CI

Should Fix (High Priority):

4. ✅ Enhance the warning box in Alibaba OSS to better direct users to the configuration example
5. ✅ Add "Advanced Configuration" section or clear pointer to S3 docs for additional configuration options

Nice to Have:

6. ✅ Enhance MinIO deployment section with security notes
7. ✅ Add troubleshooting tips for common Alibaba OSS connection issues

---

Files Reviewed

• ✅ docs/book/component-guide/artifact-stores/alibaba-oss.md (78 lines added)
• ✅ docs/book/component-guide/artifact-stores/minio.md (76 lines added)
• ✅ docs/book/component-guide/artifact-stores/README.md (2 lines modified)
• ✅ docs/book/component-guide/toc.md (2 lines modified)

---

Conclusion

This PR adds valuable documentation for users who want to use Alibaba Cloud OSS or MinIO with ZenML. The fundamental approach is correct, but the authentication sections need clarification to avoid confusing users about AWS vs. Alibaba/MinIO credentials. The "too much vibe" comment from @htahir1 suggests the tone might need to be more technical and less conversational in places.

Once the authentication clarifications are added and the CI link issues are resolved, this will be a solid addition to the ZenML documentation.

I've added 5 inline comments on the specific files with concrete suggestions for improvements. Please review and address these comments.

---

[htahir1]

i still dont get why this is called "aws" when its alibaba....

[safoinme]

because it uses s3 integration and that what the integration looks for as a key and secret for the given authentication_secret

[claude]

Clarification needed: While the parameter names contain aws_ (for S3 API compatibility), users should provide their Alibaba Cloud OSS access credentials here, not AWS credentials. Consider adding a note like:

> **Note:** The parameter names use `aws_` prefixes because Alibaba Cloud OSS uses an S3-compatible API. However, you should provide your Alibaba Cloud OSS Access Key ID and Secret Access Key, which you can obtain from the Alibaba Cloud console.

[claude]

Missing authentication context: Unlike AWS S3, Alibaba Cloud OSS does not support ZenML Service Connectors. Consider adding a note before the tabs section:

{% hint style="info" %}
Alibaba Cloud OSS does not support ZenML Service Connectors. Use ZenML Secrets to securely store and reference your Alibaba Cloud credentials.
{% endhint %}

[claude]

Enhance warning: Consider updating this warning to explicitly reference that the configuration example below shows how to set these parameters:

{% hint style="warning" %}
**Important:** When using Alibaba Cloud OSS, you must set the following `config_kwargs`:

\`\`\`json
{"signature_version": "s3", "s3": {"addressing_style": "virtual"}}
\`\`\`

This is required for proper compatibility with Alibaba Cloud OSS's S3 API implementation. You'll see how to include these parameters in the configuration example below.
{% endhint %}

[claude]

Clarification needed: Similar to Alibaba OSS, the parameter names contain aws_ (for S3 API compatibility), but users should provide their MinIO access credentials. Add a note:

> **Note:** The parameter names use `aws_` prefixes because MinIO implements the S3-compatible API. Provide your MinIO Access Key and Secret Key here (default is `minioadmin`/`minioadmin` for local development, but should be changed for production).

[claude]

Enhancement suggestion: Consider adding security considerations for production deployments:

You'll also need a running MinIO instance. MinIO can be deployed in various ways:

* **Docker**: `docker run -p 9000:9000 -p 9001:9001 minio/minio server /data --console-address ":9001"`
* **Kubernetes**: Using the [MinIO Operator](https://min.io/docs/minio/kubernetes/upstream/)
* **Binary**: Download from [MinIO's website](https://min.io/download)

{% hint style="warning" %}
**Security Note:** The default MinIO credentials are `minioadmin`/`minioadmin`. Always change these credentials in production environments and ensure MinIO is not exposed to the public internet without proper authentication and TLS.
{% endhint %}

[htahir1]

@claude /full-review

[htahir1]

@safoinme didnt u want to add backwards comaptibility here on the args as we discussed?

[claude]

Claude finished @htahir1's task —— View job

---

Full PR Review Complete ✅

I've completed a comprehensive review of the PR adding Alibaba Cloud OSS and MinIO artifact store documentation.

---

Summary

This PR adds documentation for using Alibaba Cloud OSS and MinIO with ZenML's S3 artifact store integration. The documentation follows ZenML's structure and patterns well, but needs refinement in several areas to address @htahir1's "Too much vibe!" feedback and technical accuracy concerns.

Overall Assessment: The fundamental approach is sound and the integration into the documentation structure is correct. However, changes are requested to address critical clarity issues around authentication and tone.

---

Critical Issues (Must Fix Before Merge)

1. Misleading Authentication Parameter Names ⚠️ BLOCKER

Both files use --aws_access_key_id and --aws_secret_access_key without explaining these are for S3 API compatibility.

The parameter names suggest AWS credentials, but users need to provide:

• Alibaba Cloud OSS credentials (from Alibaba Cloud console)
• MinIO credentials (default minioadmin/minioadmin for dev)

Action: Add clarification notes before the secret creation in both docs explaining the aws_ prefix is for S3 API compatibility.

💬 Posted inline comments with specific text suggestions on:

• alibaba-oss.md:50
• minio.md:45

---

2. "Too Much Vibe" - Tone Too Casual ⚠️ HIGH PRIORITY

The "When would you want to use it?" sections are too conversational and lack technical specificity. Compare to S3/GCP docs which use more precise technical language.

Examples of casual language:

• "You're already using..." → Should be "Your infrastructure is already deployed on..."
• "You want to leverage..." → Should be "You need S3-compatible object storage with..."
• "You want to avoid vendor lock-in..." → Should be "You want to eliminate cloud vendor dependencies..."

Action: Make the tone more technical and specific in both docs.

💬 Posted inline comments with revised technical language on:

• alibaba-oss.md:25
• minio.md:16

---

3. Missing Service Connector Context ⚠️ HIGH PRIORITY

Alibaba OSS docs only show "ZenML Secret" authentication without explaining why there's no "AWS Service Connector" tab (unlike the S3 docs). This will confuse users familiar with S3 documentation.

Action: Add a note explaining that Alibaba Cloud OSS does not support ZenML Service Connectors.

💬 Posted inline comment with specific text on alibaba-oss.md:42

---

4. Missing Security Warnings for MinIO ⚠️ HIGH PRIORITY

The MinIO deployment section shows Docker/Kubernetes commands but doesn't mention:

• Default credentials (minioadmin/minioadmin) must be changed in production
• TLS/HTTPS should be used for production
• MinIO shouldn't be exposed to public internet without proper security

Action: Add security considerations after the deployment section.

💬 Posted inline comment with full security warning text on minio.md:30

---

5. CI Failure - Broken Absolute Links ⚠️ BLOCKER

CI reports broken absolute links. Need to verify:

• https://www.alibabacloud.com/product/object-storage-service
• https://www.alibabacloud.com
• https://www.alibabacloud.com/help/en/oss/user-guide/regions-and-endpoints
• MinIO links

Action: Check CI logs at https://github.com/zenml-io/zenml/actions/runs/19962098211 to identify which specific links are broken and fix them.

---

Medium Priority Issues (Should Fix)

6. Config Requirements Warning Could Be Enhanced

The Alibaba OSS warning at the top about required config_kwargs is good, but could reference that these will be shown in the configuration example below.

7. Missing Advanced Configuration Reference

Both docs could benefit from a section referencing the S3 docs' "Advanced Configuration" section for additional client_kwargs, config_kwargs, and s3_additional_kwargs options.

8. MinIO SSL/TLS Hint Could Be More Specific

The current hint about self-signed certificates could include a specific example of disabling SSL verification (with caveats).

---

What's Done Well ✅

1. Proper structure - Follows ZenML documentation patterns consistently
2. ToC integration - Correctly added to toc.md (lines 35-36)
3. README table - Properly added to flavor comparison (lines 39-40)
4. Warning placement - Alibaba OSS config_kwargs warning is well-positioned
5. Authentication approach - Correctly doesn't document non-existent Service Connector support
6. Cross-references - Good links to S3 documentation
7. MinIO deployment - Good coverage of Docker, Kubernetes, binary options

---

Detailed Technical Analysis

Documentation Structure Comparison:

Aspect	S3 Docs	GCP Docs	Alibaba Docs	MinIO Docs	Assessment
Structure	Complete	Complete	✅ Good	✅ Good	Follows pattern
Tone	Technical	Technical	⚠️ Too casual	⚠️ Too casual	Needs adjustment
Authentication	3 methods	3 methods	1 method	1 method	Appropriate
Security notes	✅ Extensive	✅ Good	✅ Basic	❌ Missing	MinIO needs more
Advanced config	✅ Detailed	✅ Referenced	⚠️ Only referenced	⚠️ Only referenced	Could enhance

Files Reviewed:

• ✅ docs/book/component-guide/artifact-stores/alibaba-oss.md (78 lines)
• ✅ docs/book/component-guide/artifact-stores/minio.md (76 lines)
• ✅ docs/book/component-guide/artifact-stores/README.md (+2 lines)
• ✅ docs/book/component-guide/artifact-stores/toc.md (+2 lines)

---

Action Items for Author

Must fix (blockers):

1. ✅ Add clarification notes about aws_ parameter naming in both docs (inline comments posted)
2. ✅ Make tone more technical in "When to use it?" sections (inline comments posted)
3. ✅ Add note about why Service Connectors aren't supported (inline comment posted)
4. ✅ Add security warnings to MinIO deployment section (inline comment posted)
5. ⚠️ Fix broken absolute links causing CI failure (check CI logs)

Should fix:
6. Enhance config_kwargs warning to reference configuration example
7. Add "Advanced Configuration" section or pointer
8. Improve MinIO SSL/TLS hint with specific example

---

Conclusion

This PR adds valuable documentation that will help users integrate Alibaba Cloud OSS and MinIO with ZenML. The structure is solid and the technical approach is correct (especially the decision not to document non-existent Service Connector support).

However, the documentation needs refinement primarily around:

1. Authentication clarity - Users must understand the aws_ parameter naming
2. Technical tone - Needs to be more precise and less conversational
3. Security guidance - MinIO needs production deployment warnings

I've posted 6 inline comments with specific, actionable suggestions that include the exact text to add. These address the critical issues identified by @htahir1's review.

Once these changes are made, this will be a solid addition to ZenML's artifact store documentation.

---

[claude]

CRITICAL: Add clarification about parameter naming before the secret creation. Users will be confused why they're using aws_ parameters for Alibaba Cloud credentials.

Suggested addition before line 47:

{% hint style="info" %}
**About the parameter names:** The secret parameters use `aws_` prefixes (`aws_access_key_id` and `aws_secret_access_key`) because Alibaba Cloud OSS implements the S3-compatible API. However, you should provide your **Alibaba Cloud OSS access credentials** here, not AWS credentials. You can obtain these from the Alibaba Cloud console under AccessKey Management.
{% endhint %}

[claude]

Add context: Explain why there's no "AWS Service Connector" tab (unlike the S3 docs). Add this note before the tabs:

{% hint style="warning" %}
**Note:** Alibaba Cloud OSS does not support ZenML Service Connectors. Unlike AWS S3, which can be authenticated via AWS Service Connectors, Alibaba Cloud requires using ZenML Secrets to store and reference your credentials.
{% endhint %}

[claude]

Tone issue ("too much vibe"): This section is too casual. Make it more technical and specific:

You should use the Alibaba Cloud OSS Artifact Store when:

* Your infrastructure is already deployed on Alibaba Cloud and you want to maintain data locality
* You require artifact storage in specific geographic regions served by Alibaba Cloud (China, Asia-Pacific, Europe, Middle East)
* You need S3-compatible object storage with Alibaba Cloud's pricing model and service level agreements
* Compliance requirements mandate data residency in Alibaba Cloud regions

[claude]

CRITICAL: Add clarification about parameter naming. Same issue as Alibaba OSS - users need to understand these are MinIO credentials, not AWS credentials.

Add before line 42:

{% hint style="info" %}
**About the parameter names:** The secret parameters use `aws_` prefixes because MinIO implements the S3-compatible API. Provide your **MinIO Access Key and Secret Key** here. For local development, the default credentials are `minioadmin`/`minioadmin`, but these must be changed for production deployments.
{% endhint %}

[claude]

HIGH PRIORITY: Add security warnings for production deployments. Add after this line:

{% hint style="warning" %}
**Security Considerations:** 
- The default MinIO credentials are `minioadmin`/`minioadmin` - **always change these in production**
- Use TLS/HTTPS for production deployments to encrypt data in transit
- Configure MinIO access policies to follow the principle of least privilege
- Do not expose MinIO directly to the public internet without proper authentication and network security
- For production use, refer to [MinIO's security best practices](https://min.io/docs/minio/linux/operations/concepts/security-best-practices.html)
{% endhint %}

[claude]

Tone issue ("too much vibe"): Make this more technical and specific:

You should use the MinIO Artifact Store when:

* You require self-hosted object storage for data sovereignty or compliance requirements
* Your MLOps infrastructure runs on-premises or in a private cloud environment
* You need S3-compatible storage co-located with your Kubernetes-based ZenML deployment
* You want to eliminate cloud vendor dependencies while maintaining S3 API compatibility
* You're developing locally and need a lightweight S3-compatible storage backend for testing