Customize S3 after upgrade

A major S3 update was released on 09/29/2023. If you had buckets created before the S3 update, transfer them to the project to continue working with the storage in the control panel.

The most significant changes in the operation of the repository:

new authorization to all storage APIs and new endpoints for access;
new public domain of baket (domain of the form <uuid>.selstorage.ru). This domain will replace the personal account domain (domain of the form * ****.selcdn.ru), which will be disabled later. We will inform you about the disabling in advance;
S3 move to projects;
new access control model: full support for the role model and the emergence of access policies for bucket access.

Previously created users, API method calls, etc. will continue to work for a while — we will notify you about the shutdown in advance. We recommend to change storage settings now and use updated settings for new bugs.

Transfer the bucket to the project

Without migration to the project, you will not be able to work with the repository in the control panel.

Storage can be moved once and in its entirety (to one project). You cannot distribute old bucket to different projects. New bucket can be created in different projects.

If you already have a project, you can move the buckeyes to it or create a new one.

Into an existing project
To the new project

In the control panel, in the top menu, click Products and select S3. The first time you navigate to the section after 29.09.2023, the page to transfer the bins will open.
Specify Use an existing project.
Select the project to which you want to transfer the bucket list and click Transfer.

Customize S3

Configure storage access for users.
Configure the bucket access policy.
If you are using API or FTP, update the access keys and URLs.
If you are using a CDN, change the CDN resource.
Make sure that you've replaced the domains with new ones.
Delete old users of the repository.

1. Configure storage access for users

S3 now supports user types and roles:

access to storage via the control panel will be available to control panel users whose role allows access to the entire account or project to which the bucket has been migrated;
access to API is performed through service users instead of storage users (created in S3 → **Users **). The old users will continue to work and will be disabled later. It is no longer possible to create new users of this kind.

Add new users can be added under Access Control → User Management.

For users with the S3 User role, access is determined solely by the access policy — if it is not configured, the user will not have access to the vault. For more information about how different roles work in the storage, see the Managing Access in S3 manual.

2. Configure the access policy for the buckets

You can create an access policy for the bucket can be created through the control panel. To create an access policy through the API, use the AWS S3 documentation.

When configuring the policy, consider accesses within the role model, see the Manage Access in S3 instructions for more details.

For more information on how access policies work, see Access Pol icies.

3. Update access keys and URLs

S3 API
Swift API
FTP

Read more about authorization in the S3 API documentation.

Give the S3 key to the service user. You can also issue a key via the IAM API.
In the requests, replace the URL and use the key to authenticate with the new scheme:
- AWS_ACCESS_KEY_ID — field value Access key from S3 key;
- AWS_SECRET_KEY — field value Secret key from S3 key;
- URL — s3.<pool>.storage.selcloud.ru where <pool> — pool where pool is the pool where S3 is located (e.g, ru-1).

Read more about authorization in the Swift API documentation.

Use the service user login and password for authorization.
In the queries, replace the URL and the data:
- OS_USERNAME — login of the service user. You can view the login in the control panel: in the top menu, click Account → section Service users;
- OS_PASSWORD — is the password of the service user. If you have forgotten the password, change it;
- OS_AUTH_URL — https://cloud.api.selcloud.ru/identity/v3;
- OS_TENANT_ID — ID of the project can be viewed in control panel under S3 open the projects menu (name of the current project) → in the line of the required project press ;
- URL — swift.<pool>.storage.selectel.org/v1/<project_id>, where:
  - <pool> — pool in which S3 is located (e.g, ru-1);
  - <project_id> — ID Project.

Give the S3 key to the service user. You can also issue a key via the IAM API.
Replace the URL with ftp.<pool>.storage.selcloud.ru, where <pool> is the pool where S3 is located.

4. Modify the CDN resource

If you are using S3 as a CDN content source, change the CDN resource. For more information about connecting storage to a CDN, see Connect CDN to S3.

In the Control Panel, on the top menu, click Products and select CDN.
Go to the CDN Resources section.
Open the CDN resource page → General tab.
Click Edit Source.
Replace the domain with a public domain of the form <uuid>.selstorage.ru.
In the Host header override field, specify the public domain of the bucket.

5. Check domains

Make sure you use the new domains everywhere. Old domains will continue to work for a while and will be disabled later. We will notify you about the disconnection in advance.

Read more about domains in the Domains in S3 instruction.

What it's used for	Old domain	New domain
Public access	`*****.selcdn.ru`	`<uuid>.selstorage.ru`
Swift API	`api.selcdn.ru`	`swift.<pool>.storage.selcloud.ru`
S3 API	`s3.storage.selcloud.ru/<bucket_name>` (Path-Style) `<bucket_name>.s3.storage.selcloud.ru` (Virtual Hosted)	`s3.<pool>.storage.selcloud.ru/<bucket_name>` (Path-Style) `<bucket_name>.s3.<pool>.storage.selcloud.ru` (Virtual Hosted)
FTP	`ftp.selcdn.ru`	`ftp.<pool>.storage.selcloud.ru`
Domain for DNS records	`*****.selcdn.ru`	`access.<pool>.storage.selcloud.ru`

6. Delete old users of the repository

In the control panel, on the top menu, click Products and select S3.
Go to the Users section.
In the user card, click → Delete.