Access keys for Object Storage
To start integrating Object Storage with your own applications, you need to create an access key. The access key provides access to buckets (and objects stored within those buckets). You can create many access keys, allowing you to create a unique one for each application or user. When an application or user no longer requires access, you can revoke that access key without affecting any other application.
When an access key is generated, a corresponding secret key is also created. This secret key is used in tandem with the access key to authenticate connections. The secret key should not be shared.
Types of access keys
By default, an access key is unlimited and has full access to all buckets on an account within the specified regions. When creating an access key, you can choose to enable Limited Access and set more granular permissions for each bucket.
| Type | Description |
|---|---|
| Unlimited access key | Unlimited access keys are the default and provide access to all APIs within the selected regions. |
| Limited access key | Limited access keys can be scoped using per-bucket permissions, which restrict the access key to a specific set of buckets and operations. Create these for users or applications that only need to perform certain kinds of actions. |
When determining which access key type to use, keep the following in mind:
- All access keys can create new buckets and list existing buckets. If a limited access key is used to create a bucket, it will not be able to perform any other actions on that bucket.
- Once created, you cannot switch the access key type or modify per-bucket permissions on the access key.
- To apply bucket policies, you must use an unlimited access key. Limited access keys cannot do this, even if they have Read/Write permission to the desired bucket.
Limited access key permissions
The following permissions can be applied to your buckets within each region that is enabled on the access key.
- None: Restricts all access to the specified bucket. This access key will still be able to view the bucket in the list of all buckets, but will otherwise be unable to access any objects stored within it.
- Read (read_only): Access keys with Read permissions are able to list and retrieve all information about the specified bucket and the objects stored in it. This includes bucket metadata, object names, object metadata and contents (including non-current versions if the bucket is versioned), and multipart upload information. Copy operations can also use these buckets as a source.
- Read/Write (read_write): Access keys with Read/Write permissions can list, retrieve, add, delete, and modify most information and objects stored within the specified bucket. This includes everything that a read-only key can do, plus modifying bucket metadata (with some exceptions), creating or overwriting objects, deleting objects, canceling multipart uploads, and modifying object metadata. Copy operations can also use these buckets as destinations.
Supported S3 operations (by permissions)
| S3 operation | Read | Read/Write | Unlimited |
|---|---|---|---|
| AbortMultipartUpload | | ✓ | ✓ |
| CompleteMultipartUpload | | ✓ | ✓ |
| CopyObject (source) | ✓ | ✓ | ✓ |
| CopyObject (destination) | | ✓ | ✓ |
| CreateMultipartUpload | | ✓ | ✓ |
| DeleteBucketCors | | ✓* | ✓* |
| DeleteBucketLifecycle | | ✓ | ✓ |
| DeleteBucketPolicy | | | ✓ |
| DeleteBucketWebsite | | ✓* | ✓* |
| DeleteObject | | ✓ | ✓ |
| DeleteObjects | | ✓ | ✓ |
| DeleteObjectTagging | | ✓ | ✓ |
| GetBucketAcl | ✓ | ✓ | ✓ |
| GetBucketCors | ✓* | ✓* | ✓* |
| GetBucketLifecycle | ✓ | ✓ | ✓ |
| GetBucketLifecycleConfiguration | ✓ | ✓ | ✓ |
| GetBucketLocation | ✓ | ✓ | ✓ |
| GetBucketPolicy | ✓ | ✓ | ✓ |
| GetBucketVersioning | ✓ | ✓ | ✓ |
| GetBucketWebsite | ✓* | ✓* | ✓* |
| GetObject | ✓ | ✓ | ✓ |
| GetObjectAcl | ✓* | ✓* | ✓* |
| GetObjectLegalHold | ✓ | ✓ | ✓ |
| GetObjectLockConfiguration | ✓ | ✓ | ✓ |
| GetObjectRetention | ✓ | ✓ | ✓ |
| GetObjectTagging | ✓ | ✓ | ✓ |
| HeadBucket | ✓ | ✓ | ✓ |
| HeadObject | ✓ | ✓ | ✓ |
| ListBuckets | ✓ | ✓ | ✓ |
| ListMultipartUploads | ✓ | ✓ | ✓ |
| ListObjects | ✓ | ✓ | ✓ |
| ListObjectsV2 | ✓ | ✓ | ✓ |
| ListObjectVersions | ✓ | ✓ | ✓ |
| ListParts | ✓ | ✓ | ✓ |
| PutBucketAcl | | | ✓ |
| PutBucketCors | | ✓* | ✓* |
| PutBucketLifecycle | | ✓ | ✓ |
| PutBucketLifecycleConfiguration | | ✓ | ✓ |
| PutBucketPolicy | | | ✓ |
| PutBucketVersioning | | ✓ | ✓ |
| PutBucketWebsite | | ✓* | ✓* |
| PutObject | | ✓ | ✓ |
| PutObjectAcl | | ✓* | ✓* |
| PutObjectLegalHold | | | ✓ |
| PutObjectRetention | | | ✓ |
| PutObjectTagging | | ✓ | ✓ |
| UploadPart | | ✓ | ✓ |
| UploadPartCopy (source) | ✓ | ✓ | ✓ |
| UploadPartCopy (destination) | | ✓ | ✓ |
*Only supported on E0 and E1 endpoint types. Not currently supported on E2 and E3.
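As an added worked example (not part of this documentation), the following Python turns the per-bucket permission model and the table above into a least-privilege planner: given the operations an application needs on each bucket and the endpoint type, it returns the lowest per-bucket permission that covers them, reports when an unlimited key is unavoidable, and flags starred operations that the footnote says are unavailable on E2 and E3 endpoints. The bucket names and operation lists used to exercise it are constructed.

```python
from enum import IntEnum


class Perm(IntEnum):
    NONE = 0
    READ = 1        # per-bucket "read_only"
    READ_WRITE = 2  # per-bucket "read_write"
    UNLIMITED = 3   # no limited key can do this; requires an unlimited access key


# Minimum permission per S3 operation, transcribed from the table above. The
# "(source)" / "(destination)" variants keep their suffix, minus the space.
READ_OPS = """CopyObject(source) GetBucketAcl GetBucketCors GetBucketLifecycle
GetBucketLifecycleConfiguration GetBucketLocation GetBucketPolicy GetBucketVersioning
GetBucketWebsite GetObject GetObjectAcl GetObjectLegalHold GetObjectLockConfiguration
GetObjectRetention GetObjectTagging HeadBucket HeadObject ListBuckets
ListMultipartUploads ListObjects ListObjectsV2 ListObjectVersions ListParts
UploadPartCopy(source)""".split()
READ_WRITE_OPS = """AbortMultipartUpload CompleteMultipartUpload CopyObject(destination)
CreateMultipartUpload DeleteBucketCors DeleteBucketLifecycle DeleteBucketWebsite
DeleteObject DeleteObjects DeleteObjectTagging PutBucketCors PutBucketLifecycle
PutBucketLifecycleConfiguration PutBucketVersioning PutBucketWebsite PutObject
PutObjectAcl PutObjectTagging UploadPart UploadPartCopy(destination)""".split()
UNLIMITED_OPS = """DeleteBucketPolicy PutBucketAcl PutBucketPolicy PutObjectLegalHold
PutObjectRetention""".split()
MIN_PERM = {**dict.fromkeys(READ_OPS, Perm.READ),
            **dict.fromkeys(READ_WRITE_OPS, Perm.READ_WRITE),
            **dict.fromkeys(UNLIMITED_OPS, Perm.UNLIMITED)}
# Starred rows in the table: only available on E0 and E1 endpoint types.
E0_E1_ONLY = {"DeleteBucketCors", "DeleteBucketWebsite", "GetBucketCors", "GetBucketWebsite",
              "GetObjectAcl", "PutBucketCors", "PutBucketWebsite", "PutObjectAcl"}


def plan_access_key(needs, endpoint_type="E0"):
    """needs maps bucket name -> operations the application performs on it.

    Returns (key_type, per_bucket_perm, unsupported). key_type is "limited" unless some
    operation is Unlimited-only, in which case the whole key must be created as
    "unlimited" (the type cannot be changed afterwards). unsupported lists, per bucket,
    starred operations that would fail on an E2/E3 endpoint."""
    per_bucket, unsupported = {}, {}
    for bucket, ops in needs.items():
        unknown = [op for op in ops if op not in MIN_PERM]
        if unknown:
            raise ValueError(f"operations not in the permission table: {unknown}")
        per_bucket[bucket] = max((MIN_PERM[op] for op in ops), default=Perm.NONE)
        blocked = sorted(op for op in ops if op in E0_E1_ONLY and endpoint_type in ("E2", "E3"))
        if blocked:
            unsupported[bucket] = blocked
    key_type = "unlimited" if Perm.UNLIMITED in per_bucket.values() else "limited"
    return key_type, per_bucket, unsupported
```

A bucket that the application never touches gets Perm.NONE, which matches the None permission described above and keeps the key from reading objects it does not need.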
Access key limits and quotas
The specific limits and quota values can be viewed in the Product limits and quotas table.
Manage access keys
View access keys
- Log in to Cloud Manager.
- Select the Object Storage link in the sidebar and navigate to the Access Keys tab.
This page displays a list of all the access keys added to your Object Storage account. It also shows the Amazon S3 endpoint hostname. The Amazon S3 endpoint hostname is different for each region and is displayed when you create an access key.
From here, you can create a new access key. You can also click the ellipsis to:
- Edit the access key labels and the regions list.
- View the permissions.
- Revoke access (which deletes the access key).
Create an access key
To use Object Storage with any compatible client or command-line tool, you'll need to generate an access key. This can be done directly in Cloud Manager.
- Navigate to the Access Keys page in Cloud Manager (see View access keys).
- Click the Create Access Key button, which displays the Create Access Key panel.
- Enter a label for the access key. This label is how you reference the access key in Cloud Manager and any Amazon S3-compatible client.
- Select at least one Region. You can select multiple regions for your access key.
- Toggle the Limited Access switch if you wish to only provide access to certain buckets. This lets you limit the permissions for the new access key on a per-bucket level. See Access key permissions for more details.
- Click the Create Access Key button to create the access key. A dialog box appears that displays the new access key and its secret key. While the access key is always visible within Cloud Manager, its corresponding secret key is only visible once and cannot be retrieved again after this window is closed. Store this secret key somewhere secure, such as a password manager.
You now have the credentials needed to connect to Object Storage.
Revoke access key
Revoking an access key removes it from your account and no longer provides access to applications that may have used it. You may wish to do this when decommissioning an application, ending a project with a third party developer, or any other situation where an access key is no longer needed.
- Navigate to the Access Keys page in Cloud Manager (see View access keys).
- Locate the access key you wish to remove and select Revoke from the ellipsis button.
- A confirmation dialog appears. Click the Revoke button to immediately revoke the access key.
