Granular API token access to Object Storage (Spaces)
Jens Kirk
DigitalOcean does not yet have granular API token access as an option.
The API tokens now give access to all Spaces on the same account, which is not optimal for us as a web agency.
We could create an account for each client, but this will give us hundreds of accounts and much more extra work for our bookkeeper.
Keshav Attrey, DigitalOcean Spaces Product Manager
[ Cross-posting beta announcement from https://ideas.digitalocean.com/storage/p/access-key-per-space ]
DigitalOcean is hosting a closed beta test of DigitalOcean Spaces Per-Bucket Access Keys starting this Wednesday, October 30th, 2024, and we would love your feedback in preparation for our General Availability (GA) release, which is currently targeted for the end of 2024.
Prior to this feature, DigitalOcean Spaces only supported full access to all buckets. This new feature is designed to enable customers to configure users and S3-compatible applications for limited (Read-only or Read/Write) access to specific Spaces buckets, in order to support least-privilege security configurations, separation of prod and test environments, and consolidation of workloads under a single account.
If you’d like to participate in this beta test, please let me know by replying to this message, and I will enable the beta feature in your DigitalOcean UI on or after October 30th. At that time, I'll also email you a follow-up message with links to the beta documentation.
If you would be open to a live beta test with someone from DigitalOcean’s product management or UX teams, then please let me know your availability, and I’ll send you an invite for a half-hour call. Alternatively, I can add you to the Slack workspace for DigitalOcean beta, where you can share feedback with the DigitalOcean Spaces product manager and engineers, and interact with other beta customers.
Your feedback is critical. We’re excited to hear your thoughts and insights to help shape the final version of DigitalOcean Spaces Per-Bucket Access Keys and help the feature meet your needs and expectations. To join the beta test, please reply to this message with your interest and availability, and I'll respond by email with additional details.
Awais Malik
Merged in a post:
Spaces access key permissions
Brad Kilshaw
When you create a new Space, you can create a new Access Key. However, all Access Keys give you permission to access all Spaces on the account.
Please allow us to control which Spaces an Access Key has access to. This way you can create a new Space called "Space1", and create a new Access Key, and then tell that new Access Key it can only access Space1. If it tries to access Space2, which is also on my account, it gets a permission denied error.
Awais Malik
Merged in a post:
separate read, write and delete access keys
Jochem Berends
Separate read from write and from delete with certain access keys.
Example: We may want to use Spaces to upload backups to the S3-compatible storage. However, if the server gets compromised and the keys get stolen, the backups may also be deleted. This is a security risk. It's a good habit to separate the 'deletion' of old backups by another instance. Hence separation of delete from the read and the read/write.
Awais Malik
Merged in a post:
BUCKET LEVEL ACL (emergency, must have)
Joshua Brown
Top-level "bucket" access needs to be restricted by specific API key. Otherwise we can't use our DigitalOcean account for multiple customers, because every production customer machine (even though they have their own API key) could access and CHANGE every bucket!
By not providing this, you are FORCING us to use AWS because your design is a real security risk. We can only host 1 client here on our DO account and we have dozens, but we will have to leave them on AWS.
To clear this security hurdle and make your service usable, you only need the most basic (yes/no) ACL for top-level buckets by individual API key.
Merged in a post:
Limiting an access/secret key to a certain bucket (Spaces)
clement
On AWS, you can restrict an Access Key / Secret Key to certain S3 bucket(s). This way, your app A can have bucket X, and your app B can have bucket Y, but if A gets compromised, it won't be able to delete files from Y.
It is way too complicated on AWS, but very powerful.
Being able, on DigitalOcean, to check "all Spaces" or "Space A" or "Space A + Space B" for a given Spaces access key would be great. Like selecting "all repos" or "repo A" on GitHub!
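
The AWS-side restriction described in the posts above (one key scoped to one bucket, with delete withheld from the backup uploader), written as an IAM identity policy attached to the user that owns the access key. This is an added example, not part of any post on this page and not DigitalOcean syntax; the bucket name `example-client-a-backups` and the `Sid` labels are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListPlaceholderBucketOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-client-a-backups"
    },
    {
      "Sid": "ReadWriteObjectsNoDelete",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-client-a-backups/*"
    }
  ]
}
```

Because `s3:PutObject` can overwrite an existing key, withholding `s3:DeleteObject` only protects old backups if bucket versioning is enabled.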