How to Manage Access to Spaces

Validated on 11 Mar 2026 • Last edited on 26 Mar 2026

Spaces Object Storage is an S3-compatible service for storing and serving large amounts of data. The built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs.

Copy page as Markdown View page as Markdown

You can control access to Spaces buckets either using Spaces access keys or DigitalOcean Teams.

  • Access keys allow people or applications to connect to buckets using the S3-compatible API, CLI tools, or third-party clients.

    Access keys do not grant access to the DigitalOcean Control Panel or other resources.

  • DigitalOcean Teams allow members to manage resources through the control panel, including creating and managing buckets and access keys, as well as other resources such as Droplets and billing settings.

Spaces access keys can only be created and managed through the DigitalOcean Control Panel. They cannot currently be created, edited, or deleted using the DigitalOcean API or CLI.

Note
Spaces Cold Storage buckets support authentication only through access keys. They do not support bucket policies.

Sharing Access with an Access Key

Access keys allow users or applications to perform operations on specific buckets using the S3 API or CLI. You can configure each key with different permission levels for individual buckets.

By default, you can create up to 200 access keys per account using the control panel. Creating separate keys for each user or application allows you to revoke or rotate credentials without affecting other users or systems.

If you need to increase this limit, contact support. Spaces access keys cannot currently be created using the DigitalOcean API or CLI.

Create an Access Key

To generate Spaces access keys, go to the Control Panel, in the left menu, click Spaces Object Storage, click the Access Keys tab, and then click Create Access Key to open the Create Access Key window.

Under the Select access scope section, choose the key’s access level:

  • Limited access allows you to grant permissions for specific buckets. Under the Select the buckets and permissions sub-section, select the buckets the key can access, and then on the right of the bucket, click the Permissions dropdown menu to assign Read or Read/Write/Delete permissions. Limited access keys are incompatible with PutBucketPolicy bucket policies.

    Warning
    Per-bucket access keys are not compatible with S3-compatible bucket policies. You cannot create a limited access key for a bucket that uses a PutBucketPolicy policy, and you cannot apply a PutBucketPolicy to a bucket that already has a limited access key.

  • Full access allows all supported S3 APIs on all buckets, including bucket creation and configuration (lifecycle rules, bucket policies, versioning, CORS, and static website settings), as well as listing all buckets.

Under the Given this access key a name section, either use the generated name or enter a name for your access key, which must only contain alphanumeric characters, dashes, and periods.

Then, click Create Access Key.

The Access Keys tab shows your new access key alongside its secret key, which appears only once. Copy the secret key and store it securely.

Regenerate a Secret Key

If a secret key is lost or compromised, go to the Control Panel, in the left menu, click Spaces Object Storage, click the Access Keys tab, and then find the access key that you need to regenerate.

On the right of the access key, click , and then click Regenerate key to open the Regenerate Access Keys window. Regenerating a key invalidates the existing secret and permanently revokes access for any applications using it. Update your applications with the new key after regeneration to restore access. This action cannot be undone.

To confirm regeneration, enter your access key name, and then click Regenerate Access Key. After regeneration, copy your secret key and store securely, and then update any applications, scripts, or clients that use the key.

Edit Key

To edit a limited access key, go to the Control Panel, in the left menu, click Spaces Object Storage, click the Access Keys tab, and then find the access key that you need to edit.

On the right of the key, click , and then click Edit Permissions to open the Edit Permissions window.

Under the Select the buckets and permissions section, update the key’s permissions by using the Permissions dropdown on the right to choose Read or Read/Write/Delete, or clear the checkbox next to a bucket on the left to remove the key’s access to that bucket entirely.

Under the Access Key Name section, rename your key with only alphanumeric characters, dashes, and periods.

Then, click Save.

Delete an Access Key

Deleting this access key permanently revokes access for any applications using it and may cause service disruptions. Update your applications with a new key before deleting the existing key to avoid interruptions. If you want to revoke access instead, you can revoke access by editing the key and removing all bucket permissions.

To delete an access key, go to the Control Panel, in the left menu, click Spaces Object Storage, click the Access Keys tab, and then find the access key that you want to delete.

To confirm deletion, enter the name of your access key, and then click Delete.

Sharing Access with a DigitalOcean Team

Creating a DigitalOcean Team allows multiple users to manage Spaces resources through the control panel, including creating and managing buckets and access keys.

Note
Because buckets cannot be transferred between accounts, create the team before creating your Spaces buckets whenever possible.

We can't find any results for your search.

Try using different keywords or simplifying your search terms.