Object Storage Access Key Management
Every storage bucket in a region is accessible with one master key pair, which has full access to, and control of, all buckets in that region.
When using CDN77 Object Storage with a client application (e.g., Cyberduck) or your own app, you will usually want finer control over access permissions to a particular bucket.
From the CDN77 Client Panel you can create new keys that have Read Only or Read/Write access to a certain bucket. Keep in mind that you are not able to create new buckets using either of those keys! Only the master key pair is able to create or delete buckets.
Read Only - gives you Read permission to list and retrieve most information about the specified Bucket and objects stored in that Bucket.
Below is the list of jobs Read Only access keys have permission to run:
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObjectAcl
s3:GetObject
s3:GetObjectVersionAcl
s3:GetObjectVersion
s3:ListBucketMultipartUploads
s3:ListBucket
s3:ListBucketVersions
s3:ListMultipartUploadParts
Read/Write - gives you the permission to list, retrieve, add, delete, and modify most information and objects stored within the specified bucket.
Below is the list of jobs Read/Write access keys have permission to run:
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:GetLifecycleConfiguration
s3:GetObjectAcl
s3:GetObject
s3:GetObjectVersionAcl
s3:GetObjectVersion
s3:ListBucketMultipartUploads
s3:ListBucket
s3:ListBucketVersions
s3:ListMultipartUploadParts
s3:AbortMultipartUpload
s3:DeleteBucketWebsite
s3:DeleteObject
s3:DeleteObjectVersion
s3:PutBucketCORS
s3:PutBucketTagging
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:PutLifecycleConfiguration
s3:PutObject
s3:PutObjectAcl
s3:PutObjectVersionAcl
s3:RestoreObject
Some jobs are not permitted with Read/Write access. Permissions for the following are reserved solely for master keys:
s3:PutBucketAcl
s3:PutBucketPolicy
s3:DeleteBucketPolicy
s3:DeleteBucket
How to Manage Access Keys
1. In the CDN77 Object Storage section of the Origins menu you can find two panels – Object storage and Access keys.
2. The Access keys panel shows every access key for all regions.
Let's walk through the process of creating a new one. Start by clicking on Create new access key.
3. A pop-up window appears. Choose a label for your access key to make it easier for you to manage it, then choose the region the access key applies to. It's important to note that an access key is created for a single region and will work solely on buckets in this region.
4. The key has been successfully created, but it doesn't have any permissions assigned to it just yet. To do that, navigate to the Object storage menu, then view the details of the bucket.
5. In the bucket details we can see all available keys for this region and which permission set applies to each. To set an access key's permissions, click on the Change settings button, select the permission settings for the key(s) and save the changes.
6. After saving, you can verify the changes back in the Access keys panel. The key will show as assigned to the bucket.
Editing permissions can be done either directly in the CDN77 Client Panel or via API. It's important to bear in mind that it can only be done in one or the other. If changes have been made via API, then changing bucket policies will be disabled in the Client Panel for that particular bucket.
For more information, please refer to the bucket policy section of our S3 API docs.
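When permissions are edited via the API rather than the Client Panel, it is useful to check which of the permission sets listed above each policy statement actually reaches, wildcards included. The following is an added example, not CDN77 code: it assumes the bucket policy uses the standard S3 policy JSON layout (a Statement list with Effect and Action), and the sample policy, its principal and its bucket name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Action sets copied from the lists on this page.
READ_ONLY = set("""
s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketLocation s3:GetBucketPolicy
s3:GetBucketTagging s3:GetBucketVersioning s3:GetBucketWebsite
s3:GetLifecycleConfiguration s3:GetObjectAcl s3:GetObject s3:GetObjectVersionAcl
s3:GetObjectVersion s3:ListBucketMultipartUploads s3:ListBucket
s3:ListBucketVersions s3:ListMultipartUploadParts""".split())
WRITE_EXTRA = set("""
s3:AbortMultipartUpload s3:DeleteBucketWebsite s3:DeleteObject
s3:DeleteObjectVersion s3:PutBucketCORS s3:PutBucketTagging
s3:PutBucketVersioning s3:PutBucketWebsite s3:PutLifecycleConfiguration
s3:PutObject s3:PutObjectAcl s3:PutObjectVersionAcl s3:RestoreObject""".split())
MASTER_ONLY = set("s3:PutBucketAcl s3:PutBucketPolicy s3:DeleteBucketPolicy s3:DeleteBucket".split())
KNOWN = READ_ONLY | WRITE_EXTRA | MASTER_ONLY

def expand(patterns):
    """Map Action patterns (wildcards included) to the listed actions they cover."""
    granted, unmatched = set(), set()
    for pat in ([patterns] if isinstance(patterns, str) else patterns):
        hits = {a for a in KNOWN if fnmatchcase(a.lower(), pat.lower())}
        if hits:
            granted |= hits
        else:
            unmatched.add(pat)  # not on any of the page's lists: review by hand
    return granted, unmatched

def audit(policy_json):
    """Per Allow statement: (sid, highest permission set reached, actions to review)."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not evaluated here
        # A statement with no Action key (e.g. NotAction) is treated as "*".
        granted, unmatched = expand(stmt.get("Action", "*"))
        over = granted & MASTER_ONLY
        tier = "master-only" if over else "read/write" if granted & WRITE_EXTRA else "read-only"
        findings.append((stmt.get("Sid", f"stmt{i}"), tier, sorted(over | unmatched)))
    return findings

# Constructed sample policy; the principal and bucket name are placeholders.
def allow(sid, action):
    return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": ["KEY-PLACEHOLDER"]},
            "Action": action, "Resource": "arn:aws:s3:::example-bucket/*"}
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    allow("reader", ["s3:GetObject", "s3:ListBucket"]),
    allow("uploader", "s3:PutObject"),
    allow("too-broad", ["s3:Put*"])]})
```

Calling `audit(SAMPLE)` reports the `too-broad` statement as reaching master-only actions, because `s3:Put*` also covers `s3:PutBucketAcl` and `s3:PutBucketPolicy`.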