Manage access to object storage
Access to object storage resources is regulated:
- role model — Defines access within the account and project;
- access policy — defines access within a container.
When receiving a request for an action in the object store, access is first checked by role model. If the role model allows access, the access policy is checked, if not, access is denied.
For API or FTP access , issue keys.
Role model access
Object storage supports the role model:
- Account owner — has full access to all projects and management of all object storage resources and other products in the account through the control panel, as well as user management;
- Account Administrator — has full access to all projects and management of all object store resources except users;
- User Administrator — can create users and does not have access to object storage resources;
- Project Administrator — has full access to manage the object store and other products in the project, except for user management;
- Account Watcher — can view object store resources and other products in all projects;
- Project Observer — can view object store resources and other products in your project;
- Object Storage Administrator ��— has full access to object storage management in the project without access to other products and user management;
- Object storage user — by default does not have access to viewing and managing object storage resources. It has access to managing objects of those containers for which the access policy is configured, if the policy rules allow access to this user.
Control panel users
Service users
Access within the access policy
If the user role provides access to object storage, access to a particular container depends on the availability and settings of the access policy:
- if no access policy is created, access will be allowed to all users with access within the role model, except for the Object Storage User role;
- if an access policy is created, anything not allowed by the policy rules is denied.
See the Access Policy section for more information on how the access policy works.
Keys for API access
Depending on the type of API the user will need:
- IAM token for the project (X-Auth-Token) used for access via Selectel Storage API и Swift API. Can only be issued to to service users;
- S3 key (EC2 key), used to sign requests S3 API and access via FTP. It consists of a pair of values — Access Key ID and Secret Key. It can be issued to service users and control panel users.
Issue an S3 key to a user
For S3 key (EC2 key) to work, the user must have a role with access to the object store.
Control panel users can issue their own S3 keys on their own, but we recommend to create service users and use keys together with them.
Only the Account Owner or User Administrator can issue S3 keys to other users.A service user cannot get an S3 key by himself because he does not have access to the control panel — he must be issued a key by the Account Owner or User Administrator.
A separate key must be created for each project.Multiple keys can be issued for one project.
-
In the control panel, on the top menu, click Account.
-
Go to the section with the desired user type:
- Users — for the users of the control panel;
- Service users — For service users.
-
Open the user page → Access tab.
-
In the S3 keys block, click Add Key.
-
Enter the name of the key.
-
Select the project for which the key will work.
-
Click Generate. Two values will be generated:
- Access key — Access Key ID, key identifier;
- Secret key — Secret Access Key, secret key.
-
Click Copy and save the key — it cannot be viewed after the window is closed.