Object Storage Access Key Management

Each region has one master key pair with full access to, and control of, every bucket in that region.

When you access CDN77 Object Storage from a client application (e.g., Cyberduck) or from your own app, you will usually want finer-grained control: credentials scoped to a particular bucket rather than the region-wide master key pair.

From the CDN77 Client Panel you can create additional access keys with Read Only or Read/Write access to a specific bucket. Keep in mind that you cannot create new buckets with either of these key types; only the master key pair can create or delete buckets (note, however, that the Read/Write action list below does include s3:DeleteBucket, so do not rely on a Read/Write key being unable to remove the bucket it is assigned to).

Listing buckets with Access keys

Because access keys are scoped per bucket, a ListBuckets call made with an access key will not return the buckets assigned to it.

To work with a bucket using an access key, connect directly to that bucket rather than to the region endpoint, using either the virtual-hosted-style address ${bucket}.${region}.cdn77-storage.com or the path-style address ${region}.cdn77-storage.com/${bucket}.

If you are using Cyberduck, we have a guide on setting this up. See - Cyberduck non-master keys upload

ACL and Access Keys

By default our storage lets every user, including access keys, set the ACL on objects. This can cause problems: when an access key uploads an object with the default ACL, the master key may, for example, be unable to read that object's metadata.

To avoid this, we recommend configuring bucket-owner-full-control as the bucket's default ACL. See - Change default ACL to bucket-owner-full-control
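The two points above (connect to the bucket host, not the region endpoint, and make sure the bucket owner keeps control of uploaded objects) can be seen together in one signed request. The following is an added example, not CDN77's own code: it builds AWS Signature Version 4 requests against the virtual-hosted-style bucket address from this page using only the Python standard library. The region name eu-1, the bucket name my-assets and the key pair are made-up placeholders. The x-amz-acl header on the PUT is the standard S3 canned-ACL request header; it is a per-request complement to the bucket-level default ACL recommended above, not a replacement for it.

```python
"""SigV4-signed requests to a single CDN77 Object Storage bucket.

Added example, not CDN77's own code. The endpoint layout follows the
documentation above; REGION, BUCKET and the key pair are made-up placeholders.
Signing follows the standard AWS Signature Version 4 scheme for S3
(x-amz-content-sha256 is included, as S3 requires).
"""
import hashlib
import hmac
import urllib.parse
import urllib.request
from datetime import datetime, timezone

REGION = "eu-1"                    # assumption: placeholder region name
BUCKET = "my-assets"               # assumption: placeholder bucket name
ACCESS_KEY = "EXAMPLEACCESSKEY"    # made-up per-bucket access key id
SECRET_KEY = "examplesecretkey"    # made-up secret
# Virtual-hosted-style host from the docs. A per-bucket key must target the
# bucket directly; ListBuckets on {REGION}.cdn77-storage.com will not show it.
BUCKET_HOST = f"{BUCKET}.{REGION}.cdn77-storage.com"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _quote(s: str, safe: str = "-_.~") -> str:
    return urllib.parse.quote(s, safe=safe)


def sign_request(method, path, query, headers, payload, when,
                 access_key=ACCESS_KEY, secret_key=SECRET_KEY, region=REGION):
    """Return the headers of an S3 SigV4-signed request.

    `headers` must include Host; x-amz-date, x-amz-content-sha256 and
    Authorization are added here. `when` is an aware UTC datetime.
    """
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = _sha256_hex(payload)
    # Canonical headers: lowercase names, collapsed whitespace, sorted by name.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-content-sha256"] = payload_hash
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(
        f"{_quote(k)}={_quote(v)}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        method, _quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    # Signing key derivation: date -> region -> service -> terminator.
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def list_objects_request(prefix="", when=None):
    """ListObjectsV2 on the bucket host: how a per-bucket key enumerates its bucket."""
    when = when or datetime.now(timezone.utc)
    query = {"list-type": "2", "prefix": prefix}
    url = f"https://{BUCKET_HOST}/?{urllib.parse.urlencode(query)}"
    return "GET", url, sign_request("GET", "/", query, {"host": BUCKET_HOST}, b"", when), b""


def put_object_request(key, body, when=None):
    """PUT an object with a canned ACL so the bucket owner (master key) keeps full control."""
    when = when or datetime.now(timezone.utc)
    headers = {"host": BUCKET_HOST,
               "x-amz-acl": "bucket-owner-full-control",
               "content-type": "application/octet-stream"}
    url = f"https://{BUCKET_HOST}/{_quote(key, safe='/-_.~')}"
    return "PUT", url, sign_request("PUT", "/" + key, {}, headers, body, when), body


def send(method, url, headers, body):
    """Perform the request (needs network access; not used by the offline checks)."""
    req = urllib.request.Request(url, data=body or None, method=method)
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    method, url, headers, body = put_object_request("hello.txt", b"hello")
    print(method, url)
    print(headers["authorization"])
```

Replace the placeholders with a real region, bucket and access key pair before calling send(). The signature covers the Host header, so a request signed for the bucket host cannot be replayed against the region endpoint, and the same code signs path-style requests if you set the path to /${bucket}/... and the Host to ${region}.cdn77-storage.com.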

Read Only - grants Read permission to list and retrieve most information about the specified bucket and the objects stored in it.

Below is the list of actions a Read Only access key is permitted to perform:

s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObjectAcl
s3:GetObject
s3:GetObjectVersionAcl
s3:GetObjectVersion
s3:ListBucketMultipartUploads
s3:ListBucket
s3:ListBucketVersions
s3:ListMultipartUploadParts

Read/Write - grants permission to list, retrieve, add, delete and modify most information and objects within the specified bucket. Note that this set also includes bucket-level configuration actions (s3:PutBucketAcl, s3:PutBucketPolicy, s3:DeleteBucketPolicy and s3:DeleteBucket among them), so a Read/Write key can reconfigure, lock out or delete the bucket it is assigned to; treat it as an administrative credential for that bucket rather than an upload-only one.

Below is the list of actions a Read/Write access key is permitted to perform:

s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObjectAcl
s3:GetObject
s3:GetObjectVersionAcl
s3:GetObjectVersion
s3:ListBucketMultipartUploads
s3:ListBucket
s3:ListBucketVersions
s3:ListMultipartUploadParts
s3:AbortMultipartUpload
s3:DeleteBucketWebsite
s3:DeleteObject
s3:DeleteObjectVersion
s3:PutBucketCORS
s3:PutBucketTagging
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:PutLifecycleConfiguration
s3:PutObject
s3:PutObjectAcl
s3:PutObjectVersionAcl
s3:RestoreObject
s3:PutBucketAcl
s3:PutBucketPolicy
s3:DeleteBucketPolicy
s3:DeleteBucket
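When deciding which key type to issue to an application, it helps to compare what the application actually calls against the two action sets above. The following is an added example, not CDN77's own code: it encodes the Read Only and Read/Write lists from this page, picks the least-privileged key type that covers a workflow, and reports what that key over-grants, separating out the actions that change the bucket itself. The three workflows at the bottom are made-up examples; the action names are the ones listed above plus s3:CreateBucket, which neither key type holds.

```python
"""Least-privilege check for CDN77 per-bucket access keys.

Added example, not CDN77's own code. The two action sets are copied from the
Read Only and Read/Write lists above; the workflows at the bottom are made-up
examples of what an application might need.
"""

READ_ONLY = frozenset({
    "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation",
    "s3:GetBucketPolicy", "s3:GetBucketTagging", "s3:GetBucketVersioning",
    "s3:GetBucketWebsite", "s3:GetLifecycleConfiguration", "s3:GetObjectAcl",
    "s3:GetObject", "s3:GetObjectVersionAcl", "s3:GetObjectVersion",
    "s3:ListBucketMultipartUploads", "s3:ListBucket", "s3:ListBucketVersions",
    "s3:ListMultipartUploadParts",
})

READ_WRITE = READ_ONLY | frozenset({
    "s3:AbortMultipartUpload", "s3:DeleteBucketWebsite", "s3:DeleteObject",
    "s3:DeleteObjectVersion", "s3:PutBucketCORS", "s3:PutBucketTagging",
    "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutLifecycleConfiguration",
    "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:RestoreObject",
    "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:DeleteBucket",
})

# Ordered from least to most privilege; anything not covered needs the master key pair.
KEY_TYPES = (("Read Only", READ_ONLY), ("Read/Write", READ_WRITE))

# Actions that change the bucket itself rather than its objects. A Read/Write key
# holding these can reconfigure, lock out or delete the bucket it was assigned to.
BUCKET_MUTATING = frozenset(
    a for a in READ_WRITE
    if ("Bucket" in a or "Lifecycle" in a) and not a.startswith(("s3:Get", "s3:List")))


def least_privileged_key(required):
    """Return the least-privileged key type covering `required`, or None if only the master key does."""
    required = frozenset(required)
    for name, granted in KEY_TYPES:
        if required <= granted:
            return name
    return None


def excess_actions(required, key_type):
    """Actions a key of `key_type` holds that the workflow does not use."""
    granted = dict(KEY_TYPES)[key_type]
    return sorted(granted - frozenset(required))


def bucket_level_excess(required, key_type):
    """The part of the excess that mutates bucket configuration: the part to worry about."""
    return sorted(set(excess_actions(required, key_type)) & BUCKET_MUTATING)


def review(required):
    """Summarise which key to issue for a workflow and what it over-grants."""
    key = least_privileged_key(required)
    if key is None:
        return {"key": None, "excess": [], "bucket_level_excess": [],
                "note": "needs the master key pair"}
    risky = bucket_level_excess(required, key)
    return {"key": key,
            "excess": excess_actions(required, key),
            "bucket_level_excess": risky,
            "note": "ok" if not risky else "key can also reconfigure or delete the bucket"}


# Made-up workflows for the demonstration.
WEBSITE_READER = {"s3:GetObject", "s3:ListBucket"}
UPLOADER = {"s3:PutObject", "s3:GetObject", "s3:ListBucket",
            "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}
PROVISIONER = {"s3:CreateBucket", "s3:PutObject"}

if __name__ == "__main__":
    for name, workflow in (("website reader", WEBSITE_READER),
                           ("uploader", UPLOADER),
                           ("provisioner", PROVISIONER)):
        print(name, review(workflow))
```

For the uploader workflow the answer is a Read/Write key, and the review shows that the same key also carries s3:DeleteBucket, s3:PutBucketPolicy and the other bucket-mutating actions; there is no intermediate key type on this page, so the practical mitigations are to keep such keys off shared machines, rotate them, and keep the master key pair out of application code entirely.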

How to Manage Access Keys

1. In the CDN77 Object Storage section of the Origins menu you will find two panels: Object storage and Access keys.

2. The Access keys panel shows every access key for all regions.

Let's walk through creating a new one. Start by clicking Create new access key.

3. A pop-up window appears. Choose a label for your access key to make it easier for you to manage it, then choose the region the access key applies to. It's important to note that an access key is created for a single region and will work solely on buckets in this region.

4. The key has been successfully created, but it doesn't have any permissions assigned to it just yet. To do that, navigate to the Object storage menu, then view the details of the bucket.

5. The bucket details show every access key available for this region and the permission set that applies to each. To set a key's permissions, click the Change settings button, select the permission set for the key(s) and save the changes.

6. After saving, you can verify the changes back in the Access keys panel. The key will show as assigned to the bucket.

Editing Permissions

Editing permissions can be done either directly in the CDN77 Client Panel or via the API, but not both for the same bucket: once a bucket's policy has been changed via the API, editing that bucket's policies is disabled in the Client Panel.

For more information, please refer to the bucket policy section of our S3 API docs.