Provides a bucket logging resource for Spaces, DigitalOcean’s object storage product. The digitalocean_spaces_bucket_logging
resource allows Terraform to configure access logging for Spaces buckets. For more information, see: How to Configure Spaces Access Logs
How to Configure Spaces Access Logs
Validated on 18 Aug 2025 • Last edited on 5 Sep 2025
Spaces Object Storage is an S3-compatible service for storing and serving large amounts of data. The built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs.
Spaces can automatically generate access logs for buckets and store the logs in a bucket you specify. Access logs include:
- Reads, writes, and deletions of objects in the bucket
- Requests to origin endpoints
- Accesses to the bucket’s CDN endpoints, if enabled
Access logs are in Amazon’s S3 server access log format. CDN access logs are in Amazon’s CloudFront access logs format.
Access logs are delivered asynchronously. They usually appear in the destination bucket within an hour of activity, but delivery may take two hours or longer.
Access logs are disabled by default. You can view whether logs are enabled or disabled in the control panel. To enable or disable access logs, use the S3-compatible API (for example, with the AWS CLI) or Terraform.
Check the Status of Access Logs
To check whether access logs are enabled for a bucket, go to the DigitalOcean Control Panel. In the left menu, click Spaces Object Storage, and then click the bucket you want to check to go to its overview page. On the bucket’s overview page, click its Settings tab. The Access Logs section displays Enabled or Disabled.

Manage Access Logs Using the AWS CLI
You can enable or disable access logs using the S3-compatible API with the AWS CLI (aws
).
Enable Access Logs
Create a JSON file that sets the logging configuration. Specify the target bucket (where logs are stored) and a target prefix (the prefix for log objects). The target bucket must be different from the source bucket. Currently, we do not support writing access logs into the same bucket that is generating them.
{
"LoggingEnabled": {
"TargetBucket": "use_your_destination_bucket",
"TargetPrefix": "example_log_prefix/"
}
}
Apply the configuration:
aws --endpoint-url https://use_your_region.digitaloceanspaces.com \
s3api put-bucket-logging \
--bucket use_your_source_bucket \
--bucket-logging-status file://use_your_logging_config_path.json
This call sets the bucket’s logging configuration to the state you provide. On success, the command returns no output and exits with code 0
.
You can verify that logging is enabled by checking your configuration in Verify Your Logging Configuration.
Disable Access Logs
To disable access logs, send an empty logging configuration. This removes the LoggingEnabled
section entirely:
aws --endpoint-url https://use_your_region.digitaloceanspaces.com \
s3api put-bucket-logging \
--bucket use_your_source_bucket \
--bucket-logging-status '{}'
After this, the source bucket no longer writes access logs. You can verify that logging is disabled by checking your configuration in Verify Your Logging Configuration.
Verify Your Logging Configuration
Check the current logging configuration:
aws --endpoint-url https://use_your_region.digitaloceanspaces.com \
s3api get-bucket-logging \
--bucket use_your_source_bucket
If logging is enabled, the response includes a LoggingEnabled
object with your TargetBucket
and TargetPrefix
, for example:
{
"LoggingEnabled": {
"TargetBucket": "your-log-bucket",
"TargetPrefix": "example_log_prefix/"
}
}
If logging is disabled, the response is an empty JSON object.
Manage Access Logs Using Terraform
You can also configure access logs with Terraform using the digitalocean_spaces_bucket_logging
resource. The destination bucket must be in the same region as the source bocket, and your access key must include permission to write to it.