# How to Manage Access to Spaces

Spaces Object Storage is an S3-compatible service for storing and serving large amounts of data. The built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs.

As a Spaces owner, you limit others’ access to your buckets using Spaces access keys or DigitalOcean teams:

- **Access keys** allow people or programs to connect to buckets using third-party clients and the DigitalOcean API. However, they do not grant access to the control panel or other DigitalOcean resources.
- [**DigitalOcean Teams**](https://docs.digitalocean.com/platform/teams/index.html.md) allow members to use the control panel, including creating and managing buckets and access keys as well as other DigitalOcean resources (like billing information, Droplets, and more).

**Note**: Spaces Cold Storage buckets support authentication only through access keys. They do not support bucket policies. For details, see [Spaces Limits](https://docs.digitalocean.com/products/spaces/details/limits/index.html.md).

## Sharing Access to Buckets with Access Keys

Access keys can provide several levels of permissions to create, destroy, read, and write to specific associated buckets. However, access keys only limit access [to certain commands](https://docs.digitalocean.com/reference/api/spaces/index.html.md) using the S3 API or CLI, not the control panel or other DigitalOcean resources.

By default, you can create up to 200 keys for your account using the control panel. If you need to raise this limit, [contact support](https://cloudsupport.digitalocean.com). This allows you to generate unique key pairs for each team member or application, so that you can later revoke a member’s access without affecting other users.

To temporarily revoke access, edit an access key’s permissions and deselect all buckets. To permanently revoke access, delete the access key altogether.

You currently cannot create keys using the DigitalOcean API or CLI.

To generate Spaces access keys, go to the [Spaces Access Keys page](https://cloud.digitalocean.com/spaces/access_keys) and click **Create Access Key**. This opens the **New Spaces Access Key** window.

First, select the key’s access scope. Full access allows all supported S3 API commands on all buckets. Limited access lets you set more specific Read or Read/Write/Delete permissions for each bucket.

If you selected limited access, check the boxes for the buckets you’d like the key to provide access to. For each bucket, use the corresponding dropdown menu to select a level of permissions: Read or Read/Write/Delete.

Name the key, then click **Create Access Key** to confirm.

Once you generate the key, you see the access key and the secret key. This is the only time the secret key is displayed, so copy it immediately and store it in a secure place.

If a secret gets lost, forgotten, or compromised, you can open its **More (…)** menu, click **Edit** and choose **Regenerate Key** to create a new secret. When you regenerate a secret, you also need to reconfigure any scripts or clients that use the key to use the new secret value.

Currently, per-bucket access keys are incompatible with S3-compatible bucket policies. In other words, you cannot currently create a limited access key on a bucket if it is configured with a PutBucketPolicy-based bucket policy, and you cannot use the PutBucketPolicy S3 API on any bucket that a limited access key has access to.

### Edit Key Permissions in the Control Panel

To edit a limited access Spaces key’s permissions, go to the [Spaces Access Keys](https://cloud.digitalocean.com/spaces/access_keys) page. Find the key, click its **More** (…) menu, then select **Edit Permissions** to open the **Edit Permissions** window.

Check the boxes for the buckets you’d like the key to provide access to. For each bucket, choose a permission level from the dropdown: Read or Read/Write/Delete.

Name the key, then click **Save** to confirm.
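
After creating, editing, or temporarily revoking a limited access key, you can confirm that its effective access matches the level selected in the control panel. The following is an added example, not DigitalOcean's code: `probe_key`, `scope_matches`, and `FakeClient` are hypothetical names, and it assumes that a Read key can list objects and that a denied request raises a botocore-style error with code `AccessDenied`.

```python
import uuid

# Assumption: a denied request surfaces as a botocore-style exception whose
# .response["Error"]["Code"] is one of these values.
DENIED_CODES = {"AccessDenied", "403"}

# Operations each control-panel permission level is expected to allow.
EXPECTED = {
    "none": {"read": False, "write": False},  # all buckets deselected
    "Read": {"read": True, "write": False},
    "Read/Write/Delete": {"read": True, "write": True},
}

def _allowed(call):
    """Run one request; True if it succeeds, False if access is denied."""
    try:
        call()
        return True
    except Exception as exc:
        code = (getattr(exc, "response", None) or {}).get("Error", {}).get("Code")
        if str(code) in DENIED_CODES:
            return False
        raise  # network or configuration errors are not a permission result

def probe_key(client, bucket):
    """Return what the key behind `client` can actually do on `bucket`."""
    probe = f"access-probe-{uuid.uuid4().hex}"  # throwaway object name
    can_read = _allowed(lambda: client.list_objects_v2(Bucket=bucket, MaxKeys=1))
    can_write = _allowed(lambda: client.put_object(Bucket=bucket, Key=probe, Body=b""))
    if can_write:
        client.delete_object(Bucket=bucket, Key=probe)  # clean up the probe object
    return {"read": can_read, "write": can_write}

def scope_matches(client, bucket, level):
    """True when observed access equals the level chosen in the control panel."""
    return probe_key(client, bucket) == EXPECTED[level]

class FakeDenied(Exception):
    response = {"Error": {"Code": "AccessDenied"}}

class FakeClient:
    """Constructed stand-in for an S3 client, so the example runs offline."""
    def __init__(self, level):
        self.grants, self.objects = EXPECTED[level], set()
    def list_objects_v2(self, **kw):
        if not self.grants["read"]: raise FakeDenied()
    def put_object(self, Bucket, Key, Body):
        if not self.grants["write"]: raise FakeDenied()
        self.objects.add(Key)
    def delete_object(self, Bucket, Key):
        self.objects.discard(Key)
```

Against a real bucket, pass a `boto3.client("s3", endpoint_url=..., aws_access_key_id=..., aws_secret_access_key=...)` built from the key under test in place of `FakeClient`.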

## Sharing Access to the Control Panel with Teams

[DigitalOcean Teams](https://docs.digitalocean.com/platform/teams/index.html.md), like Spaces access keys, allow members to create, manage, and destroy buckets associated with the team account using the control panel’s web interface. Members can also create, delete, and regenerate access keys for buckets. However, unlike Spaces access keys, members of a team can also access other team resources, like Droplets, firewalls, and more.

**Warning**: Because buckets cannot be transferred directly between accounts, we recommend you create the team first, then create the buckets.

To give one or more people access to co-manage buckets using the control panel, open the User menu and [choose **Create a team**](https://docs.digitalocean.com/platform/teams/index.html.md), then follow the setup steps.

Once a user is a member of the team, they can manage buckets with the web interface as well as generate their own keys for API or third-party clients.