How to Manage Spaces Access Keys

Spaces Object Storage is an S3-compatible object storage service. Spaces buckets let you store and serve large amounts of data, and the built-in CDN minimizes page load times and improves performance.


As a Spaces owner, you limit others’ access to your buckets using Spaces access keys or DigitalOcean Teams:

  • Access keys allow people or programs to connect to buckets with third-party clients and the API, but do not provide access to the control panel or other DigitalOcean resources.
  • DigitalOcean Teams allow members to use the control panel, including creating and managing buckets and access keys as well as other DigitalOcean resources (like billing information, Droplets, and more).

Sharing Access to Buckets with Access Keys

Access keys can provide several levels of permissions to create, destroy, read, and write to specific associated buckets. However, access keys only limit access to certain commands using the API or CLI, not the control panel or other DigitalOcean resources.

By default, you can create up to 200 keys for your account using the control panel, not the API or CLI. This allows you to generate unique key pairs for each person or program, so if it’s necessary to revoke access in the future, you can remove the keys or reset the secret without affecting other users. If you need to raise this limit, contact support.

To generate Spaces access keys, go to the Spaces Access Keys page and click Generate New Key. This opens the New Spaces Access Key modal.

The Spaces Access Key modal

Select which permissions you’d like the key to provide access to: read, read/write, or full access. Then, using the dropdown menu, select which existing bucket you’d like the key to provide access to. Finally, name the key. To confirm your configuration, click Create Access Key.

After generation, you cannot convert Spaces “All Permissions” keys into “Read” or “Read/Write/Delete” access keys or vice versa.

Once you generate the key, you see the access key and the secret key. This is the only time the secret key is displayed, so copy it immediately and store it in a secure place.

If a secret gets lost, forgotten, or compromised, you can open its More menu, click Edit and choose Regenerate Token to create a new secret. When you regenerate a secret, you also need to reconfigure any scripts or clients that use the key to use the new secret value.

Currently, per-bucket access keys are incompatible with S3-compatible bucket policies. In other words, you cannot currently create a “Read” or “Read/Write/Delete” access key on a bucket if it is configured with a PutBucketPolicy-based bucket policy, and you cannot use the PutBucketPolicy S3 API on any bucket that a “Read” or “Read/Write/Delete” access key has access to.
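The rules in this section (one key pair per person or program, three permission levels, the 200-key default limit, and the bucket policy incompatibility) can be checked against a key inventory before you create or rotate keys. The following is an added example, not DigitalOcean code: the `KeyGrant` record, its `holders` and `needs` fields, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Permission levels as named on this page, least to most access.
LEVELS = ["Read", "Read/Write/Delete", "All Permissions"]
KEY_LIMIT = 200  # default per-account key limit stated on this page

@dataclass
class KeyGrant:
    name: str         # key name chosen at creation
    permission: str   # level granted, one of LEVELS
    bucket: str       # bucket the key is scoped to
    holders: tuple    # who holds the secret (hypothetical inventory field)
    needs: str        # least level the holders require (hypothetical field)

def audit(grants, buckets_with_policy):
    """Return sorted (key name, finding) pairs for a key inventory."""
    findings = []
    if len(grants) > KEY_LIMIT:
        findings.append(("*", f"{len(grants)} keys exceed the default limit of {KEY_LIMIT}"))
    for g in grants:
        if g.permission not in LEVELS or g.needs not in LEVELS:
            findings.append((g.name, "unknown permission level"))
            continue
        # A secret held by several parties cannot be revoked for just one.
        if len(g.holders) > 1:
            findings.append((g.name, "secret shared by " + ", ".join(g.holders)))
        # Granted level is higher than what the holder needs.
        if LEVELS.index(g.permission) > LEVELS.index(g.needs):
            findings.append((g.name, f"grants {g.permission}, needs {g.needs}"))
        # Read and Read/Write/Delete keys are incompatible with bucket policies.
        if g.permission != "All Permissions" and g.bucket in buckets_with_policy:
            findings.append((g.name, f"bucket {g.bucket} has a bucket policy"))
    return sorted(findings)

# Constructed sample inventory; every name below is made up.
SAMPLE = [
    KeyGrant("cdn-reader", "Read", "assets", ("web-frontend",), "Read"),
    KeyGrant("backup-job", "All Permissions", "backups", ("backup-cron",), "Read/Write/Delete"),
    KeyGrant("shared-upload", "Read/Write/Delete", "uploads", ("alice", "ci-runner"), "Read/Write/Delete"),
    KeyGrant("report-reader", "Read", "reports", ("bi-tool",), "Read"),
]
POLICY_BUCKETS = {"reports"}  # constructed: buckets with a PutBucketPolicy policy

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, POLICY_BUCKETS):
        print(f"{name}: {finding}")
```

A finding on a shared secret is resolved by generating a separate key per holder; a finding on permission level requires a new key, since “All Permissions” keys cannot be converted to the other levels.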

Edit Key Permissions in the Control Panel

To edit a Spaces access key’s permissions in the control panel, go to the Spaces Access Keys page. Find the access key you want to edit, click its More (…) menu, and click Edit Permissions. This opens the Edit Permissions modal.

The Edit Permissions modal

Select which permissions you’d like the key to provide access to: Read (Objects), Read/Write/Delete (Objects), or All Permissions (Bucket & Objects). Then, using the dropdown menu, select which existing bucket you’d like the key to provide access to. Finally, name the key. To confirm your configuration, click Save.

Sharing Access to the Control Panel with Teams

DigitalOcean Teams, like Spaces access keys, allow members to create, manage, and destroy buckets associated with the team account using the control panel’s web interface. Members can also create, delete, and regenerate access keys for buckets.

However, unlike Spaces access keys, members of a team can also access other team resources, like Droplets, firewalls, and more.

Warning
Because buckets cannot be transferred directly between accounts, we recommend you create the team first, then create the buckets.

To give one or more people access to co-manage buckets using the control panel, open the User menu and choose Create a team, then follow the setup steps.

Once a user is a member of the team, they can manage buckets with the web interface as well as generate their own keys for API or third-party clients.