
Access Key

Access keys authenticate CLI and API requests to your EOS buckets. Each key is scoped to a specific bucket with a defined role, giving you fine-grained control over who can read, write, or manage your data.

Create an Access Key

You can create an access key from the Permissions tab in the bucket detail panel, or from the Manage Access Keys page.

  1. Select your bucket from the Manage Object Storage list.

  2. Click the Permissions tab.

  3. Click Create Access Key.

  4. Enter a name for the key (e.g., application name, team name).

  5. Generate a new key or select an existing one.

  6. Assign a role:

    Role           Permissions
    bucket admin   read, write, manage
    bucket writer  read, write
    bucket reader  read only

  7. Click Save.

tip

Use a short, recognizable name — you will type it for every CLI command that references this key.

warning

The secret key is shown only once. Copy and store it securely before closing the dialog.


Manage Access Keys

The Manage Access Keys page lists all keys across your buckets. To access it, click Manage Access Keys on the Manage Object Storage page.

From this page you can:

  • Lock a key to immediately revoke access without deleting the key.
  • Unlock a previously locked key to restore access.
  • Delete a key to permanently remove it.

To lock or unlock a key:

  1. Click Manage Access Keys on the Manage Object Storage page.
  2. Find the key by name.
  3. Click the Lock or Unlock icon next to it.

Public Access Config

Public Access Config controls URL-based access to objects in a bucket, without requiring a key.

Available modes:

Mode               Description
Private            No public access (default)
Download           Anyone can download objects via URL
Upload             Anyone can upload objects via URL
Upload & Download  Both upload and download are publicly allowed

To configure it, click Public Access Config on the bucket and select the desired mode.


Protect Bucket Data with Encryption (SSE-C)

The procedure on this page configures and enables Server-Side Encryption with Client-Managed Keys (SSE-C). EOS SSE-C supports client-driven encryption of objects before writing the object to the drive. Clients must specify the correct key to decrypt objects for read operations.

Prerequisites

  • The mc client must be installed. See How to install mc.
  • The encryption key must be a 256-bit base64-encoded string.
  • You are responsible for storing the key. If you lose it, the encrypted objects cannot be decrypted and the data is unrecoverable.

Step 1: Generate the Encryption Key

cat /dev/urandom | head -c 32 | base64 -

  • The key must be a 256-bit (32-byte) base64-encoded string, which is what this command produces.
  • Save the output. This is your encryption key.

Step 2: Upload an Object with Encryption

mc cp ~/path/to/my_object.json ALIAS/BUCKET/my_object.json \
--encrypt-key "ALIAS/BUCKET/=ENCRYPTION_KEY"

Replace:

  • ALIAS — the mc alias configured for your EOS credentials
  • BUCKET — your bucket name
  • ENCRYPTION_KEY — the key generated in Step 1

Step 3: Copy an SSE-C Encrypted Object Between Two Buckets

EOS also supports copying an SSE-C encrypted object to another S3-compatible service:

mc cp SOURCE/BUCKET/mydata.json TARGET/BUCKET/mydata.json \
--encrypt-key \
"SOURCE/BUCKET/=ENCRYPTION_KEY","TARGET/BUCKET/=ENCRYPTION_KEY"

  • Replace SOURCE and TARGET with the aliases (the key_name used while configuring the mc client) for the services you want to read the SSE-C encrypted object from and write it to.
  • Replace each BUCKET with the full path to the source or destination bucket or bucket prefix.
  • Replace ENCRYPTION_KEY with the key generated in Step 1.

Considerations

  • SSE-C encrypted objects are not compatible with the EOS bucket replication feature.
  • Users manage a mapping of which encryption key was used to encrypt which object. E2E does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.
  • If your bucket is versioning-enabled, each object version that you upload using this feature can have its own encryption key. You are responsible for tracking which encryption key was used for which object version.
  • For downloading an encrypted object, the encryption key is required. If the key is lost, the data cannot be downloaded and will be unrecoverable. E2E is not responsible for the loss of your data in this case.
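
One way to enforce the key-format prerequisite and keep the key-to-object mapping described above, as an added example that is not part of the EOS documentation. The function names, the ledger file format and the truncated SHA-256 fingerprint are assumptions; GNU coreutils and awk are assumed.

```shell
# Added example: SSE-C key helpers. Function names and the ledger format are
# assumptions; requires GNU coreutils (head, base64, wc, sha256sum, cut) and awk.

# Print a fresh 256-bit key, base64-encoded (same recipe as Step 1).
gen_ssec_key() {
    head -c 32 /dev/urandom | base64
}

# Succeed only if $1 is canonical base64 that decodes to exactly 32 bytes.
# The round-trip comparison rejects trailing garbage that a lenient decoder
# would otherwise ignore after emitting 32 valid bytes.
validate_ssec_key() {
    ssec_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    ssec_rt=$(printf '%s' "$1" | base64 -d 2>/dev/null | base64)
    [ "$ssec_len" -eq 32 ] && [ "$ssec_rt" = "$1" ]
}

# Print a short, non-reversible identifier for a key: the first 16 hex digits
# of SHA-256 over the raw key bytes. Safe to log; the key itself is not.
key_fingerprint() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -c1-16
}

# Append "object<TAB>fingerprint" to a ledger readable only by its owner.
# $1 = ledger file, $2 = object path (ALIAS/BUCKET/name), $3 = base64 key
record_key_use() {
    validate_ssec_key "$3" || { echo "refusing: not a 256-bit base64 key" >&2; return 1; }
    ( umask 077; printf '%s\t%s\n' "$2" "$(key_fingerprint "$3")" >> "$1" )
}

# Print the fingerprint last recorded for an object; exit 1 if none is recorded.
# $1 = ledger file, $2 = object path
fingerprint_for_object() {
    awk -F '\t' -v o="$2" '$1 == o { fp = $2 } END { if (fp == "") exit 1; print fp }' "$1"
}
```

Keep the keys themselves in a secrets manager indexed by the same fingerprint; the ledger only records which key an object needs. For a versioning-enabled bucket, include the version ID in the recorded object path.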
