Manage access to object storage

Access to object storage resources is controlled in two stages:

When the object store receives a request for an action, role-model access is checked first. If the role model allows the action, the access policy is then checked; if the role model does not allow it, access is denied.

To access the store via API or FTP, issue keys.

Role model access

The object store supports the following roles:

  • Account owner — has full access to all cloud platform projects and management of all object storage resources and other products in the account through the control panel, as well as user management;
  • Account Administrator — has full access to all cloud platform projects and management of all object storage resources except users;
  • User Administrator — can create users and does not have access to object storage resources;
  • Project Administrator — has full access to manage the object store and other products in the project, except for user management;
  • Account Watcher — can view object store resources and other products in all projects;
  • Project Observer — can view object store resources and other products in your project;
  • Object Storage Administrator — has full access to object storage management in the project without access to other products and user management;
  • Object storage user — by default has no access to view or manage object storage resources. The user can manage objects only in those containers for which an [access policy](#access-within-bucket-policy) is configured, and only if the policy rules grant that user access. Viewing the container list and connecting via FTP are not available to this role.

Access within access policy

If the user's role grants access to object storage, access to a particular container depends on whether an access policy exists for it and on the policy's settings:

  • if no access policy is created, access is allowed to all users whose role grants object storage access, except the Object storage user role;
  • if an access policy is created, anything not explicitly allowed by the policy rules is denied.

See Access Policy for details on how the access policy works.
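The two-stage check described above (role model first, then the container's access policy, with the Object storage user role never getting default access), as an added example that is not the provider's own implementation. The action names and the dictionary form of the access policy are assumptions made for this example; the page does not describe the policy rule syntax.

```python
from dataclasses import dataclass, field
from typing import Optional

# Actions on a container. The names are constructed for this example.
READ_ACTIONS = {"list_containers", "get_object"}
OBJECT_ACTIONS = {"get_object", "put_object", "delete_object"}
ALL_ACTIONS = READ_ACTIONS | OBJECT_ACTIONS | {"ftp_connect"}

# Role model as the page describes it: what each role may reach before any
# access policy is consulted. "User Administrator" has no storage access.
ROLE_MODEL = {
    "Account owner": ALL_ACTIONS,
    "Account Administrator": ALL_ACTIONS,
    "User Administrator": set(),
    "Project Administrator": ALL_ACTIONS,
    "Account Watcher": READ_ACTIONS,
    "Project Observer": READ_ACTIONS,
    "Object Storage Administrator": ALL_ACTIONS,
    # Object-level actions only; no container listing, no FTP.
    "Object storage user": OBJECT_ACTIONS,
}


@dataclass
class AccessPolicy:
    """Constructed stand-in for a container access policy: user -> allowed actions.
    Anything not listed is denied, as the page states."""
    rules: dict = field(default_factory=dict)

    def allows(self, user: str, action: str) -> bool:
        return action in self.rules.get(user, set())


def is_allowed(role: str, user: str, action: str,
               policy: Optional[AccessPolicy]) -> bool:
    """Decide a request: role model first, then the container's access policy."""
    # Stage 1: the role model must permit the action at all.
    if action not in ROLE_MODEL.get(role, set()):
        return False
    # An Object storage user never gets default access: a policy must grant it.
    if role == "Object storage user":
        return policy is not None and policy.allows(user, action)
    # Stage 2: without a policy every other storage role is allowed;
    # with a policy, only what its rules allow.
    if policy is None:
        return True
    return policy.allows(user, action)
```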

Keys for access via API

Only service users can be issued keys to access storage via API.

If the role model and access policy allow a user to access object storage, depending on the API, the user will need:

Issue S3 key

S3 keys (EC2 keys) can be issued only to service users whose role grants access to object storage.

For your information

Only the Account Owner or User Administrator can issue an S3 key to a service user. A service user cannot obtain an S3 key on their own.

You must create a separate key for each project. Multiple keys can be issued per project.

  1. In the control panel, open the menu in the upper right corner (the account number) and select Profile & Settings.

  2. Go to User Management → Service Users.

  3. Open the service user page.

  4. In the S3 Keys block, click Add Key.

  5. Enter the name of the key.

  6. Select the project for which the key will work.

  7. Click Generate. Two values will be generated:

    • Access key — Access Key ID, the key identifier;
    • Secret key — Secret Access Key, the secret key.

  8. Click Copy and save the key — it cannot be viewed after the window is closed.