Manage access in S3
Access to S3 resources is regulated by three mechanisms:
- projects — define access within an isolated group of resources;
- role model — defines access for different users within an account and project;
- access policy — defines access within a bucket.
When an action request is received in S3, the user's access is first checked against the role model. If the role model allows the user access, the access policy is then checked; if not, access is denied.
For API or FTP access, issue keys.
Role model access
For more information about role model access, see the Access Control in Selectel Products manual.
- member: user with full access to all services. Access control is unavailable to this role: users, service users, user groups and federations.
- billing: user with access to billing management and without access to service management.
- iam_admin: user with access to user management and without access to services and billing. Cannot manage their own account: change permissions, manage notifications, delete the user. The first user with the iam_admin role is created by the Account Owner.
- reader: user with view-only access to everything that a member in the same access area controls.
- object_storage:admin: user with full access to S3 management within the project. Does not have access to S3 in other projects or to other products in their project.
- object_storage_user: user with access to an S3 bucket only if an access policy configured in that bucket allows access for this user. The level of access is determined by the access policy settings. Does not have access to S3 in other projects or to other products in their project.
Access within the access policy
If the user's role provides access to S3, access to a particular bucket depends on whether an access policy exists and how it is configured:
- if no access policy is created, access is allowed to all users who have access within the role model, except for the object_storage_user role;
- if an access policy is created, anything not allowed by the policy rules is denied.
See the Access Policy section for more information on how the access policy works.
Keys for API access
Depending on the type of API, the user will need:
- an IAM token for the project (X-Auth-Token), used for access via the Object Storage API and the Swift API. Can only be issued to service users;
- an S3 key (EC2 key), used to sign S3 API requests and for access via FTP. It consists of a pair of values: Access Key ID and Secret Key. Can be issued to service users and users.
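The following added example (not code from the original page or from Selectel) shows what "signing an S3 API request" with an S3 key means in practice: the Access Key ID travels in the Authorization header in the clear, while the Secret Key is never sent and is only used to derive an HMAC signing key (AWS Signature Version 4, which is what S3-compatible APIs use). The endpoint host, region name and both key values are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed placeholders, not real credentials or a real endpoint.
ACCESS_KEY_ID = "EXAMPLEACCESSKEYID"
SECRET_KEY = "EXAMPLE_SECRET_KEY_DO_NOT_USE"
HOST = "s3.example.invalid"   # assumed endpoint placeholder
REGION = "ru-1"               # assumed region name


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str) -> bytes:
    """Derive the per-day signing key. Only this derived value ever signs
    anything; the Secret Key itself never leaves the client."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def sign_get(bucket: str, key: str, amz_date: str,
             access_key: str = ACCESS_KEY_ID, secret: str = SECRET_KEY) -> dict:
    """Return the headers for a SigV4-signed GET of /bucket/key.
    amz_date is an ISO basic timestamp such as 20240102T030405Z.
    The object key is assumed to need no URI encoding."""
    date = amz_date[:8]
    payload_hash = "UNSIGNED-PAYLOAD"          # S3 allows an unsigned body
    headers = {"host": HOST, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    # Canonical request: method, path, query, headers block, signed list, payload hash.
    canonical = "\n".join(["GET", f"/{bucket}/{key}", "",
                           *(f"{h}:{headers[h]}" for h in sorted(headers)), "",
                           signed, payload_hash])
    scope = f"{date}/{REGION}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret, date, REGION),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for name, value in sign_get("demo-bucket", "report.csv", now).items():
        print(f"{name}: {value}")
```

Because the signature covers the date and the request path, a captured header cannot be replayed against another object, and the server only needs the Access Key ID to look up which secret to verify with.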
Issue an S3 key to a user
An S3 key (EC2 key) must be issued to a user who is allowed access to S3 within the role model. If the user's role does not allow access to S3, the S3 key is useless.
Users with access to the control panel can issue S3 keys to themselves, but we recommend creating service users and issuing S3 keys to them.
S3 keys can be issued to other users only by the Account Owner or a user with the iam_admin role. A service user cannot obtain an S3 key on their own, because they have no access to the control panel; the key must be issued to them by the Account Owner or an iam_admin.
A separate key must be created for each project. Multiple keys can be issued for one project.
1. In the control panel, on the top menu, click Account.
2. Go to the section with the desired user type:
   - Users — for users with access to the control panel;
   - Service users — for service users.
3. Open the user page → Access tab.
4. In the S3 keys block, click Add Key.
5. Enter the name of the key.
6. Select the project for which the key will work.
7. Click Generate. Two values will be generated:
   - Access key — Access Key ID, the key identifier;
   - Secret key — Secret Access Key, the secret key.
8. Click Copy and save the key — it cannot be viewed after the window is closed.