Access key per space
Keshav Attrey, DigitalOcean Spaces Product Manager
Thanks for your feedback on how we can further improve DigitalOcean Spaces object storage. We’ve heard lots of feedback from the community requesting Per-Bucket Access Keys and I’m excited to share that this new feature is now generally available! You’ll notice "Access Keys" on your Spaces page and under each bucket’s settings. There, you can create access keys with read-only or read/write permissions to specific buckets.
We’ll be announcing the feature to the wider community after the holiday season, but I wanted to give Ideas portal contributors a heads up before the break. You can find the documentation here: https://docs.digitalocean.com/products/spaces/how-to/manage-access/
A few caveats: legacy "All Permissions" access keys cannot be converted into per-bucket access keys (you have to create new access keys); access keys can only be created in the UI (we’re currently working on DO API support); and buckets configured using PutBucketPolicy-based bucket policies only support legacy access keys (we’re working on Per-Bucket Access Keys / PutBucketPolicy integration).
Thank you for your continued feedback to the Ideas Portal and a huge thanks to everyone involved in the beta. We’ve been working on this feature for a while now, and we’re really excited to finally get it into your hands.
All the best,
Keshav Attrey
Product Manager, DigitalOcean Spaces
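A post-creation check for the scoping the announcement describes, written as an added example (not DigitalOcean's code): it probes list and put on the bucket a key should be scoped to and on a second bucket it should not reach, and reports any probe whose outcome breaks the least-privilege expectation. In real use `client` is a boto3 S3 client built for the Spaces endpoint; `FakeSpacesClient` is a constructed stand-in that models a scoped or legacy key so the check runs offline.

```python
PROBE_KEY = "_scope_probe/delete-me.txt"   # tiny marker object written by the put probe

def _denied(exc):
    # botocore's ClientError exposes the S3 error code under .response
    return getattr(exc, "response", {}).get("Error", {}).get("Code") == "AccessDenied"

def audit_key(client, allowed_bucket, other_bucket, read_write):
    """Probe list/put on both buckets; return {probe: outcome} for every probe whose
    outcome breaks what a key scoped to allowed_bucket (read-only unless read_write)
    should produce. An empty dict means the key is scoped as expected."""
    expected = {
        ("list", allowed_bucket): "allowed",
        ("put", allowed_bucket): "allowed" if read_write else "denied",
        ("list", other_bucket): "denied",
        ("put", other_bucket): "denied",
    }
    violations = {}
    for (op, bucket), want in expected.items():
        try:
            if op == "list":
                client.list_objects_v2(Bucket=bucket, MaxKeys=1)
            else:
                client.put_object(Bucket=bucket, Key=PROBE_KEY, Body=b"probe")
            got = "allowed"
        except Exception as exc:
            if not _denied(exc):
                raise            # network or auth errors are not a scope result
            got = "denied"
        if got != want:
            violations[f"{op} {bucket}"] = got
    return violations

class _AccessDenied(Exception):
    """Constructed: carries .response the way botocore's ClientError does."""
    response = {"Error": {"Code": "AccessDenied"}}

class FakeSpacesClient:
    """Constructed stand-in for a key; key_bucket=None models a legacy all-permissions key."""
    def __init__(self, key_bucket=None, read_write=False):
        self.key_bucket, self.read_write = key_bucket, read_write
    def _check(self, bucket, write):
        scoped = self.key_bucket is not None
        if scoped and (bucket != self.key_bucket or (write and not self.read_write)):
            raise _AccessDenied()
    def list_objects_v2(self, Bucket, **kwargs):
        self._check(Bucket, write=False)
        return {"Contents": []}
    def put_object(self, Bucket, Key, Body):
        self._check(Bucket, write=True)
        return {}
```

Delete the probe object from the allowed bucket after a successful read/write audit; it is the only side effect of the check.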
Awais Malik
Merged in a post:
Granular API token access to Object Storage (Spaces)
Jens Kirk
DigitalOcean does not yet have granular API token access as an option.
As the API tokens now give access to all Spaces on the same account, which is not optimal for us as a web agency.
We could create an account for each client, but this will give us hundreds of accounts and much more extra work for our bookkeeper.
Keshav Attrey, DigitalOcean Spaces Product Manager
[ Cross-posting beta announcement from https://ideas.digitalocean.com/storage/p/access-key-per-space ]
DigitalOcean is hosting a closed beta test of DigitalOcean Spaces Per-Bucket Access Keys starting this Wednesday, October 30th, 2024, and we would love your feedback in preparation for our General Availability (GA) release, which is currently targeted for the end of 2024.
Prior to this feature, DigitalOcean Spaces only supported full access to all buckets. This new feature is designed to enable customers to configure users and S3-compatible applications for limited (Read-only or Read/Write) access to specific Spaces buckets, in order to support least-privilege security configurations, separation of prod and test environments, and consolidation of workloads under a single account.
If you’d like to participate in this beta test, please let me know by replying to this message, and I will enable the beta feature in your DigitalOcean UI on or after October 30th. At that time, I'll also email you a follow-up message with links to the beta documentation.
If you would be open to a live beta test with someone from DigitalOcean’s product management or UX teams, then please let me know your availability, and I’ll send you an invite for a half-hour call. Alternatively, I can add you to the Slack workspace for DigitalOcean beta, where you can share feedback with the DigitalOcean Spaces product manager and engineers, and interact with other beta customers.
Your feedback is critical. We’re excited to hear your thoughts and insights to help shape the final version of DigitalOcean Spaces Per-Bucket Access Keys and help the feature meet your needs and expectations. To join the beta test, please reply to this message with your interest and availability, and I'll respond by email with additional details.
Awais Malik
Merged in a post:
Spaces access key permissions
Brad Kilshaw
When you create a new Space, you can create a new Access Key. However, all Access Keys give you permission to access all Spaces on the account.
Please allow us to control which Spaces an Access Key has access to. This way you can create a new Space called "Space1", and create a new Access Key, and then tell that new Access Key it can only access Space1. If it tries to access Space2, which is also on my account, it gets a permission denied error.
Awais Malik
Merged in a post:
Spaces: custom API key permissions
Erik Tobiassen
Let us select which Spaces can be accessed on different API keys. Example: A key can only access a single Space.
Awais Malik
Merged in a post:
Separate read, write and delete access keys
Jochem Berends
Separate read from write and from delete with certain access keys.
Example: We may want to use Spaces to upload backups to the S3-compatible storage. However, if the server gets compromised and the keys get stolen, the backups may also be deleted. This is a security risk. It's a good habit to separate the 'deletion' of old backups by another instance. Hence separation of delete from the read and the read/write.
Awais Malik
Merged in a post:
BUCKET LEVEL ACL (emergency, must have)
Joshua Brown
Top level "bucket" access needs to be restricted by specific API key. Otherwise we can't use our DigitalOcean account for multiple customers, because every production customer machine (even though they have their own API key) could access and CHANGE every bucket!
By not providing this, you are FORCING us to use AWS because your design is a real security risk. We can only host 1 client here on our DO account and we have dozens but we will have to leave them on AWS.
To clear this security hurdle and make your service usable, you only need the most basic (yes/no) ACL for top-level buckets by individual API key.
Diane Hannay
Per bucket access keys are currently on the roadmap for delivery in 2024!
Whitney Jutzin
Thank you so much for taking time to raise this product improvement idea to us! Though we are still working on the true ask here, we wanted to let you know that we have made some scoped access improvements that we think you'll be interested in trying out. You can learn more about it here: https://docs.digitalocean.com/reference/api/create-personal-access-token/. We will continue to work on the larger request in this Idea and will update you as soon as we have more information to share.