Manage access to object storage

Access to object storage resources is regulated at two levels: the role model and the access policy.

When a request for an action in the object storage arrives, access is first checked against the role model. If the role model allows the action, the access policy is then checked; if the role model denies it, access is denied without consulting the policy.

For access via the API or FTP, keys are issued to the user.

Role model access

Object storage supports the following roles:

  • Account Owner — has full access to all projects and to managing all object storage resources and other products in the account through the control panel, as well as to user management;
  • Account Administrator — has full access to all projects and to managing all object storage resources, except user management;
  • User Administrator — can create users but has no access to object storage resources;
  • Project Administrator — has full access to managing object storage and other products within the project, except user management;
  • Account Viewer — can view object storage resources and other products in all projects;
  • Project Viewer — can view object storage resources and other products within its project;
  • Object Storage Administrator — has full access to managing object storage within the project, without access to other products or user management;
  • Object Storage User — by default has no access to viewing or managing object storage resources. It can manage objects only in those containers for which an access policy is configured, and only if the policy rules allow access to this user.
The table in the original compares the Account Owner, Account Administrator, User Administrator, Project Administrator, Account Viewer and Project Viewer roles across the following control-panel actions; a note "within the project" marks actions that the project-scoped roles (Project Administrator, Project Viewer) can perform only in their own project:

  • Viewing the list of containers in the control panel (within the project for the project-scoped roles);
  • Reading containers in the control panel (within the project for the project-scoped roles);
  • Uploading objects into a container through the control panel (within the project for the Project Administrator);
  • Changing container settings in the control panel (within the project for the Project Administrator);
  • Creating users with access to object storage in the control panel;
  • Issuing S3 keys to users in the control panel;
  • Connecting to the storage via tools;
  • Configuring the access policy in the control panel (within the project for the Project Administrator).

Access under the access policy

If the user's role grants access to object storage, access to a particular container depends on whether an access policy exists for it and how it is configured:

  • If no access policy is created, access is allowed to all users who have access under the role model, except users with the Object Storage User role;
  • If an access policy is created, anything not explicitly allowed by the policy rules is denied.

For more information on how the access policy works, see Access Policy.
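The two-stage check described above (role model first, then the container's access policy, with a policy acting as deny-by-default for everyone the role model let through) as an added worked example. This is illustration code written for this page, not the provider's own authorization code: the action vocabulary, the Policy shape and the assumption that the Object Storage User is project-scoped are all assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    ACCOUNT_OWNER = "Account Owner"
    ACCOUNT_ADMIN = "Account Administrator"
    USER_ADMIN = "User Administrator"
    PROJECT_ADMIN = "Project Administrator"
    ACCOUNT_VIEWER = "Account Viewer"
    PROJECT_VIEWER = "Project Viewer"
    OBJECT_STORAGE_ADMIN = "Object Storage Administrator"
    OBJECT_STORAGE_USER = "Object Storage User"


# Hypothetical action vocabulary used only by this example.
READ_ACTIONS = frozenset({"list", "get"})
WRITE_ACTIONS = frozenset({"put", "delete", "configure"})

# Stage 1 table: what each role may do on object storage before any
# container policy is consulted (derived from the role descriptions above).
ROLE_ALLOWS = {
    Role.ACCOUNT_OWNER: READ_ACTIONS | WRITE_ACTIONS,
    Role.ACCOUNT_ADMIN: READ_ACTIONS | WRITE_ACTIONS,
    Role.USER_ADMIN: frozenset(),            # manages users, no storage access
    Role.PROJECT_ADMIN: READ_ACTIONS | WRITE_ACTIONS,
    Role.ACCOUNT_VIEWER: READ_ACTIONS,
    Role.PROJECT_VIEWER: READ_ACTIONS,
    Role.OBJECT_STORAGE_ADMIN: READ_ACTIONS | WRITE_ACTIONS,
    Role.OBJECT_STORAGE_USER: frozenset(),   # nothing by default; policy may grant
}

# Roles whose rights are limited to a single project (assumption for the
# Object Storage User, stated for the other three on the page).
PROJECT_SCOPED = frozenset({Role.PROJECT_ADMIN, Role.PROJECT_VIEWER,
                            Role.OBJECT_STORAGE_ADMIN, Role.OBJECT_STORAGE_USER})


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    project: Optional[str] = None   # required for project-scoped roles


@dataclass(frozen=True)
class Container:
    name: str
    project: str


@dataclass
class Policy:
    """Access policy of one container: explicit allow rules only.
    rules maps a user name to the actions allowed; anything else is denied."""
    rules: dict = field(default_factory=dict)

    def allows(self, user: User, action: str) -> bool:
        return action in self.rules.get(user.name, frozenset())


def role_model_allows(user: User, action: str, container: Container) -> bool:
    """Stage 1: the role model. Project-scoped roles never reach another
    project's containers; the Object Storage User is passed on to stage 2
    because only a container policy can grant it anything."""
    if user.role in PROJECT_SCOPED and user.project != container.project:
        return False
    if user.role is Role.OBJECT_STORAGE_USER:
        return True
    return action in ROLE_ALLOWS[user.role]


def authorize(user: User, action: str, container: Container,
              policies: dict) -> tuple:
    """Two-stage decision: role model first, then the container's policy.
    Returns (allowed, reason) so a caller can log why a request was refused."""
    if not role_model_allows(user, action, container):
        return False, "denied by role model"
    policy = policies.get(container.name)
    if policy is None:
        # No policy: everyone the role model admitted gets in, except the
        # Object Storage User, who has no default access.
        if user.role is Role.OBJECT_STORAGE_USER:
            return False, "no policy, Object Storage User has no default access"
        return True, "no policy, allowed by role model"
    # A policy exists: deny by default, allow only what a rule states,
    # even for the Account Owner.
    if policy.allows(user, action):
        return True, "allowed by policy rule"
    return False, "denied, not allowed by policy rules"


if __name__ == "__main__":
    logs = Container("logs", project="proj-a")        # constructed sample data
    owner = User("alice", Role.ACCOUNT_OWNER)
    viewer_b = User("carol", Role.PROJECT_VIEWER, project="proj-b")
    bob = User("bob", Role.OBJECT_STORAGE_USER, project="proj-a")
    with_policy = {"logs": Policy({"bob": frozenset({"get", "put"})})}
    for user, action, pol in [(owner, "put", {}), (viewer_b, "get", {}),
                              (bob, "get", {}), (bob, "get", with_policy),
                              (owner, "put", with_policy)]:
        print(user.name, action, "policy" if pol else "no policy",
              authorize(user, action, logs, pol))
```

The last case in the sample run is the one worth remembering when writing a policy: once a policy exists on a container, a user the role model would otherwise admit is refused unless a rule names them, so a policy that only lists the Object Storage User silently locks everyone else out of that container.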

Keys for API access

Keys for accessing the storage via the API can only be issued to service users.

Depending on the type of API, the user will need:

Issue an S3 key

S3 keys (EC2 keys) can only be issued to service users with a role that grants access to object storage.

For your information

Only the Account Owner or a User Administrator can issue an S3 key to a service user. A service user cannot obtain an S3 key on their own.

A separate key must be created for each project. Multiple keys can be issued for one project.

  1. In the control panel, go to Access control → User management.

  2. Open the Service users tab.

  3. Open the service user's page.

  4. In the S3 keys block, click Add key.

  5. Enter a name for the key.

  6. Select the project for which the key will be valid.

  7. Click Generate. Two values will be generated:

    • Access key — the Access Key ID, the key identifier;
    • Secret key — the Secret Access Key, the secret part of the key.
  8. Click Copy and store the key securely: it cannot be viewed again after the window is closed.