303 Vote

Spaces: custom API key permissions

Let us select which Spaces can be accessed on different API keys. Example: A key can only access a single Space.

  • Erik Tobiassen
  • Sep 11 2018
  • Needs review
Object Storage (Spaces)
  • Comments (81)
  • Votes (303)
  • Merged ideas (1)
  • Matt SUmmers commented
    21 Jan 05:22pm

    As an example, the Digital Ocean DNS plugin for Plesk requires an API key. This key, which only needs to manage DNS entries, now has access to the resources of your entire team? It's kind of crazy.


  • Paul K commented
    5 Jan 08:21pm

    Lack of this feature was a dealbreaker for us, as separation of environments was a must.


  • t t commented
    5 Jan 08:47am

    This feature is very useful for me


  • Cyrill commented
    25 Dec, 2020 06:58pm

    This is a must-have. What are you waiting for, Digital Ocean? It cannot be that hard...


  • Lukasz Piliszczuk commented
    14 Dec, 2020 05:20pm

    How this is not a base feature is beyond me.


  • ne az commented
    27 Oct, 2020 02:53pm

    Any update on restricting access keys? Slightly absurd, this is not available... Are we supposed to create a different account just to separate dev/production?


  • Co van Leeuwen commented
    27 Oct, 2020 02:15am

    In this day and age where every DPO is breathing down our necks about data security, this seems like a non-starter.


  • Fernando Souza commented
    21 Oct, 2020 10:11pm

    This would be extremely useful. We need this functionality.


  • David T commented
    20 Oct, 2020 05:58pm

    I have 10+ apps that need object storage but I can't use Spaces because of the lack of access control. If 1 app is compromised, all my Spaces would be at risk. It is not production-ready object storage without proper access control.


  • Alejandro Barrera commented
    18 Oct, 2020 03:45pm

    Disappointing to see that there's no progress in this at all.

    This is super necessary.


  • Jorge Gonzalez commented
    10 Oct, 2020 03:11pm

    This is absolutely necessary, in fact, without this it is impossible to work with large development teams in which a large part of them should not have access to spaces in production.

    I do not understand how this has not been solved for more than two years. DO should realize that this is losing them thousands of potential clients who, on realizing this, take a step back in the migration of their services to DO.


  • Dan Sherry commented
    7 Oct, 2020 09:44pm

    Also granular access to droplets, volumes, snapshots, etc. Related:

    Fine grained API tokens

    https://ideas.digitalocean.com/ideas/DO-I-966

    Restrict API personal access token to a specific project

    https://ideas.digitalocean.com/ideas/DO-I-7


  • Rob Nova commented
    28 Sep, 2020 05:28am

    Any updates here?

    Trying to set up separate spaces for "test" and "prod" isolation. Having one key is super dangerous to expose access to production buckets while testing.


  • Steve Angel commented
    3 Sep, 2020 04:46pm

    Yet another web developer with multiple clients and websites going elsewhere because of this severely lacking feature.

    If anyone from Digital Ocean is listening, you might want to do some analysis on how much money you're losing by not implementing this. Especially as it hits the power users the hardest.

    Not holding out too much hope though since only 1 idea has been "shipped" in the last year and the copyright notice is stuck on 2018.

    Did the staff just up and leave a couple of years ago or something?


  • Artem Russakovskii commented
    28 Aug, 2020 06:58pm

    This is a must for any serious organization using Spaces. Please add support.


  • Kyrylo Kobets commented
    13 Aug, 2020 09:57am

    Any update on this?

    This is really a blocker


  • jo commented
    3 Aug, 2020 05:49pm

    In case it helps anyone, I ended up going with Backblaze B2. They are reputable, have the cheapest prices on the market[0], have an S3-compatible API (like DO), and they have per-space/bucket permissions! I honestly would have preferred to stick within the DO ecosystem even if it is 4x more expensive (since I don't need to store a lot of data anyway), but without this very basic feature, it's impossible for my use case.

    [0] https://www.backblaze.com/b2/cloud-storage-pricing.html


  • Kevin Chi Yan Tang commented
    30 Jul, 2020 10:19am

    Right now I need to create an intermediary service just to handle authorization to buckets and use presigned URLs. It would be a lot easier if I could just give the users rights to their specific buckets without needing a server in the middle.


  • John Robinson commented
    6 Jul, 2020 01:56pm

    I finally sat down to start migrating from S3 to DO Spaces, and quickly found out that every API key gives access to every Space.

    It boggles my mind that there is no way to restrict an API key to a specific Space.


    Until this is implemented, there is absolutely no way I can use Spaces.


  • Marcus Olsson commented
    22 Jun, 2020 12:18pm

    This is more or less a must-have. Signed up for Spaces and started some experiments when I soon realised that an IAM-like system wasn't possible. Dropped Spaces immediately. Will revisit if this is implemented though.


  • 115 Vote

    Limiting an access/secret key to a certain bucket (Spaces) Merged

    On AWS, you can restrict an Access Key / Secret Key to certain S3 bucket(s). This way, your app A can have bucket X, and your app B can have bucket Y, but if A gets compromised, it won't be able to delete files from Y. It is way too complicated o...
    Created 6 Jan 08:10am by Guest
    Object Storage (Spaces)
    0 Needs review
© 2018 DigitalOcean, LLC. All rights reserved.