Manage S3 access

Last update: June 04 2026

Access to S3 resources is regulated by:

• projects — define access within an isolated resource group;
• role model — defines access for different users within the account and project;
• Bucket Policy — defines access within a bucket.

When an action request is received in S3, the user's access is first checked against the role model. If the role model grants access to the user, the bucket policy is checked; if not, access is denied.

For access via API or FTP, issue keys.

Access within the role model

Learn more about access within the role model in the Access management in Selectel products guide.

member

A user with full access to all services. Does not have access to manage: users, service users, user groups, and federations.

Access scopes	account; project
Who can be assigned	users; service users; user groups
Available operations in S3	In the Account access scope: managing S3 in all projects: viewing the list of buckets in all projects; viewing bucket contents in all projects; managing objects in buckets (uploading, deleting, etc.) in all projects; changing bucket settings in all projects; configuring bucket policies in all projects; bypassing temporary Governance mode lock (Object Lock); managing projects, their limits, and quotas; billing management
	In the Project access scope: managing S3 in the selected project: viewing the list of buckets; viewing bucket contents; managing objects in a bucket (uploading, deleting, etc.); changing bucket settings; bypassing temporary Governance mode lock (Object Lock)

billing

A user with access to billing management and no access to service management.

Access scopes	Account
Who can be assigned	users; service users; user groups
Available operations in S3	billing management; viewing S3 consumption

iam.admin

A user with access to manage users, with no access to services and billing. Cannot manage their own account: change permissions, manage notifications, or delete the user. The first user with the iam.admin role is created by the Account Owner.

Access scopes	Account
Who can be assigned	users; service users; user groups
Available operations in S3	managing users, service users, user groups, and federations; issuing S3 keys to users

iam.viewer

A user with access to view everything managed by iam.admin.

Access scopes	Account
Who can be assigned	users; service users; user groups
Available operations in S3	viewing users, service users, user groups, and federations; viewing S3 keys of users

reader

A user with access to view everything managed by member within the same access scope.

Access scopes	account; project
Who can be assigned	users; service users; user groups
Available operations in S3	In the Account access scope: viewing the list of buckets in all projects; viewing bucket contents in all projects; viewing settings of all projects, their limits, and quotas; viewing billing data (balance, bank cards, report documents, partner program, etc.)
	In the Project access scope: viewing the list of buckets of the selected project; viewing bucket contents in the selected project

s3.admin

A user with full access to manage S3 within a project. Does not have access to S3 in other projects or to other products in their project.

Access scopes	Project
Who can be assigned	Service users
Available operations in S3	viewing the list of buckets in a project; viewing bucket contents; managing objects in a bucket (uploading, modifying, deleting, etc.); changing bucket settings; configuring the bucket policy

s3.user

A user with access to an S3 bucket if a bucket policy is configured that allows the user access to the bucket. The level of access is determined by the bucket policy settings. Does not have access to S3 in other projects or to other products in their project.

Differs from a user with the s3.bucket.user role only in that they have access to view the list of buckets in the project.

Access scopes	Project
Who can be assigned	Service users
Available operations in S3	viewing the list of buckets in a project; operations in the bucket that are allowed by the bucket policy

s3.bucket.user

A user with access to an S3 bucket if a bucket policy is configured that allows the user access to the bucket. The level of access is determined by the bucket policy settings. Does not have access to S3 in other projects or to other products in their project.

Differs from a user with the s3.user role only in that they do not have access to view the list of buckets in the project.

Access scopes	Project
Who can be assigned	Service users
Available operations in S3	Operations in the bucket that are allowed by the bucket policy

object_storage:admin

For your information

The object_storage:admin role will soon be removed and cannot be assigned to new users. Existing users with the object_storage:admin role will continue to function.

An obsolete version of the s3.admin role. Has identical permissions.

object_storage_user

For your information

The object_storage_user role will soon be removed and cannot be assigned to new users. Existing users with the object_storage_user role will continue to function.

An obsolete version of the s3.user role. Has identical permissions.

Access within the bucket policy

If the user's role provides access to S3, access to a specific bucket depends on the existence and settings of the bucket policy:

• if no bucket policy is created, access will be allowed to all users with access within the role model, except for the object_storage_user and s3.bucket.user;
• if a bucket policy is created, anything not allowed by the policy rules is denied.

Learn more about how the bucket policy works in the Bucket policy section.

Keys for API access

Depending on the API type, the user will need:

• IAM token for a project (X-Auth-Token), used for access via the Object Storage API and Swift API. Can only be issued to service users;
• S3 key (EC2 key), used for signing S3 API requests and for FTP access. Consists of a pair of values: Access Key ID and Secret Key. Can be issued to service users and users.

Issue an S3 key to a user

For your information

An S3 key (EC2 key) must be issued to a user who is allowed access to S3 within the role model. If the user's role does not allow access to S3, the S3 key is useless.

Users with access to the control panel can issue S3 keys for themselves, but we recommend creating service users and issuing S3 keys to them.

Only the Account Owner or a user with the iam.admin role can issue S3 keys to other users. A service user cannot get an S3 key independently because they do not have access to the control panel — the Account Owner or iam.admin.

You must create a separate key for each project. You can issue multiple keys for one project.

1. In the control panel, click IAM.

2. Go to the section for the required user type:

   • Users — for users with access to the control panel;
   • Service users — for service users.

3. Open the user page → in the Access tab.

4. In the S3 keys block, click Add key.

5. Enter a key name.

6. Select a project for which the key will work.

7. Click Generate. Two values will be generated:

   • Access key — Access Key ID, a key identifier;
   • Secret key — Secret Access Key, a secret key.

8. Click Copy and save the key — you will not be able to view it after closing the window.