How to Manage Administrative Access to Spaces

Spaces Object Storage is an S3-compatible object storage service. Spaces buckets let you store and serve large amounts of data, and the built-in CDN minimizes page load times and improves performance.

Spaces owners can create, destroy, and read all content in all the Spaces buckets for an account. They also make decisions and manage what everyone else can see. If an owner wants to allow one or more people to co-manage buckets, there are two options: access keys and DigitalOcean Teams.

  • Access keys allow people or programs to connect to buckets with third-party clients and the API, but do not provide access to the control panel or other DigitalOcean resources.
  • DigitalOcean Teams allow members to use the control panel, including creating and managing buckets and access keys as well as other DigitalOcean resources (like billing information, Droplets, and more).

Sharing Access to Buckets with Access Keys

Users who connect with access keys can create, destroy, read, and write to all of the buckets for the account. However, the privileges granted by Spaces access keys do not provide access to the control panel and do not extend to other DigitalOcean resources.

You can create an unlimited number of keys for your account. This allows you to generate unique key pairs for each person or program, so if it’s necessary to revoke access in the future, you can remove the keys or reset the secret without affecting other users.

To generate Spaces access keys, from the control panel, click API.

Navigate to the Spaces Keys tab, select Generate New Key. A text box in the Spaces access keys section opens. Name the key in a way that allows you to identify who or what uses the key, then click the checkmark.

The text box to name a new key

Once you name the key, you see the access key and, on the next line, the secret key. This is the only time the secret key is displayed, so copy it immediately and store it in a secure place.

A newly-created Spaces access key with the secret key visible

If a secret gets lost, forgotten, or compromised, you can open its More menu, click Edit and choose Regenerate Token to create a new secret. When you regenerate a secret, you also need to reconfigure any scripts or clients that use the key to use the new secret value.

Sharing Access to the Control Panel with Teams

DigitalOcean Teams, like Spaces access keys, allow members to create, manage, and destroy buckets associated with the team account using the control panel’s web interface. Members can also create, delete, and regenerate access keys for buckets.

However, unlike Spaces access keys, members of a team can also access other team resources, like Droplets, firewalls, and more.

Because buckets cannot be transferred directly between accounts, we recommend you create the team first, then create the buckets.

To give one or more people access to co-manage buckets using the control panel, open the User menu and choose Create a team, then follow the setup steps.

Once a user is a member of the team, they can manage buckets with the web interface as well as generate their own keys for API or third-party clients.