Skip to main content

Manage access in S3

Last update:

Access to S3 resources is regulated:

When an action request is received in S3, access is first checked against the role model. If the role model allows access, the access policy is checked, if not, access is denied.

For API or FTP access , issue keys.

Role model access

S3 supports the role model:

  • Account Owner — has full access to all projects and management of all S3 resources and other products in the account through the control panel, as well as user management;
  • Account Administrator — has full access to all projects and management of all S3 resources except users;
  • User Administrator — can create users and does not have access to S3 resources;
  • Project Administrator — has full access to manage S3 and other products in the project, except user management;
  • Account Supervisor — can view S3 and other product resources across all projects;
  • Project Observer — can view the resources of S3 and other products in your project;
  • S3 Administrator — has full access to S3 management in the project without access to other products and user management;
  • S3 user — by default does not have access to viewing and managing S3 resources. He/she gets access to management of objects of those buckets, for which access policy is configured, if policy rules allow access to this user.
Account ownerAccount administratorUser AdministratorProject AdministratorAccount SupervisorProject Observer
Viewing the list of bucket list in the control panel(under the project)(under the project)
Reading bacquets in the control panel(under the project)(under the project)
Loading objects into the tank via control panel(under the project)
Changing the baket settings in the control panel(under the project)
Creating users with access to S3 in the control panel
Issuing S3 keys to users in the control panel
Connecting to storage via tools
Configuring the access policy in the control panel(under the project)

Access within the access policy

If the user's role provides access to S3, access to a particular buck depends on the availability and settings of the access policy:

  • if no access policy is created, access will be allowed to all users with access within the role model except for the User S3 role;
  • if an access policy is created, anything not allowed by the policy rules is denied.

See the Access Policy section for more information on how the access policy works.

Keys for API access

Depending on the type of API the user will need:

Issue an S3 key to a user

For your information

For an S3 key (EC2 key) to work, the user must have a role with access to S3.

Control panel users can issue their own S3 keys on their own, but we recommend to create service users and use keys together with them.

Only the Account Owner or User Administrator can issue S3 keys to other users.A service user cannot get an S3 key by himself because he does not have access to the control panel — he must be issued a key by the Account Owner or User Administrator.

A separate key must be created for each project.Multiple keys can be issued for one project.

  1. In the control panel, on the top menu, click Account.

  2. Go to the section with the desired user type:

    • Users — for the users of the control panel;
    • Service users — For service users.

  3. Open the user page → Access tab.

  4. In the S3 keys block, click Add Key.

  5. Enter the name of the key.

  6. Select the project for which the key will work.

  7. Click Generate. Two values will be generated:

    • Access key — Access Key ID, key identifier;
    • Secret key — Secret Access Key, secret key.

  8. Click Copy and save the key — it cannot be viewed after the window is closed.