> **For AI agents:** The documentation index is at [https://docs.digitalocean.com/llms.txt](https://docs.digitalocean.com/llms.txt). Markdown versions of pages use the same URL with `index.html.md` in place of the HTML page (for example, append `index.html.md` to the directory path instead of opening the HTML document).

# Spaces S3 Compatibility

Spaces Object Storage is an S3-compatible service for storing and serving large amounts of data. The built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs.

DigitalOcean Spaces provides an S3-compatible API with partial support for Amazon S3 features.

## Feature Compatibility

The following table lists supported S3 features and restrictions:

| Feature | Notes |
|---|---|
| **Object Copy** | Supported with `CopyObject`. Cross-region and cross-cluster copies are not supported. |
| **Multipart Uploads** | Supported for large objects. `UploadPartCopy` is not supported across regions or clusters. |
| **Presigned URLs** | Supported with both Signature Version 2 and Version 4. |
| **Bucket Policies** | Supported only through the API (not configurable in the control panel). |
| **Bucket Versioning** | Supported only through the API (not configurable in the control panel). |
| **Bucket Lifecycle** | Supported for time-based expiration and removing incomplete multipart uploads. Tag-based lifecycle rules are not supported. |
| **Bucket Access Logging** | Supported only through the API. The source and destination buckets must be different. |
| **Object Encryption** | Supported with SSE-C (server-side encryption with customer-provided keys). Bucket-level encryption settings are not supported. |
| **Bucket Websites** | Supported at `https://[bucket-name].[region]-static.digitaloceanspaces.com`. CDN is not supported for bucket websites. |
| **List Objects** | Both `ListObjects` (legacy) and `ListObjectsV2` are supported. Use `ListObjectsV2` for new applications. |
| **Preflight Requests** | `OPTIONS` preflight requests require no permissions, but the bucket policy or ACL must still allow the subsequent request. |
| **Unsupported API Calls** | Unsupported S3 operations return a standard `NotImplemented` error. |
| **Authentication** | Spaces supports AWS Signature Version 4 (recommended) and Signature Version 2 for legacy clients. |

For more information on product-wide usage limits, see [Spaces Limits](https://docs.digitalocean.com/products/spaces/details/limits/index.html.md).

## Access Control Lists (ACLs)

Spaces supports a limited set of canned ACLs for buckets and objects. Only two ACLs are available:

- `private`: Grants `FULL_CONTROL` to the bucket or object owner. Blocks public access.
- `public-read`: Grants `FULL_CONTROL` to the owner and allows unauthenticated read access to anyone on the internet.

You can apply an ACL in two ways:

1. Send a `PUT ?acl` request with an XML `AccessControlPolicy`.
2. Use the `x-amz-acl` header with a canned ACL (simpler and recommended).

### Private ACL Example

To restrict access so only the bucket owner has full control, set the ACL to private. You can apply this setting either by adding the `x-amz-acl` header or by using an XML access control policy:

## x-amz-acl Header

```shell
curl -X PUT "https://example-space.nyc3.digitaloceanspaces.com/example.txt" \
  -H "Authorization: ..." \
  -H "Date: ..." \
  -H "x-amz-acl: private" \
  --upload-file ./example.txt
```

## XML Policy

```xml
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>6174283</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>6174283</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
```

### Public Read ACL Example

To make objects readable by anyone on the internet while still retaining full control as the owner, set the ACL to public-read. You can configure this either with the `x-amz-acl` header or with an XML access control policy:

## x-amz-acl Header

```shell
curl -X PUT "https://example-space.nyc3.digitaloceanspaces.com/example.txt" \
  -H "Authorization: ..." \
  -H "Date: ..." \
  -H "x-amz-acl: public-read" \
  --upload-file ./example.txt
```

## XML Policy

```xml
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>6174283</ID><DisplayName>6174283</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>6174283</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
```