Links

Access Management

IONOS S3 Object Storage provides multiple features to manage access to your buckets and objects effectively. This allows you to define precisely who may access what. By default, newly created buckets and objects are private. Only the bucket owner can access them.

Share access

Use the following options to share access to a bucket and to all or specific objects in a bucket:
  • Bucket and Object Access Control Lists (ACLs): Provides a simpler mechanism for controlling access and can be specified for every object if needed, making them more flexible on a per-object basis. You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. ACLs do not offer the ability to restrict access based on conditions like IP address. For more information, see Access Control List.
  • Bucket Policy: This policy is applied at the bucket level and it offers a robust framework for setting fine-grained access controls to your Object Storage buckets and objects. It is useful for restricting access based on certain conditions like IP addresses or time of access.
With Bucket Policy, you can manage access to specific objects or prefixes within a bucket. However, the size of the policy is limited, which could be a consideration if you have extensive access control requirements. You can use Bucket Policy to make a bucket or object public, or to share access with specific authorized users by defining the necessary permissions within the policy. For more information, see Bucket Policy.

Other access management functions

  • Pre-Signed URLs: An excellent choice for securely providing temporary access to your objects. Essential for sharing files with someone without requiring them to have an IONOS account, and for granting temporary access to authorized users for a specified period, after which the URL expires. For more information, see Share Objects with Pre-Signed URLs.
  • Cross-Origin Resource Sharing (CORS): If you allow public access to your bucket, you can specify which domains can make cross-origin requests to your Object Storage using this function. It is useful when you need to serve resources from your bucket to web applications hosted on different domains.
  • Block Public Access: Overrides any other permissions applicable on buckets and objects. Essential for maintaining your data’s privacy by ensuring your buckets and objects are not accidentally made public and accessible only to authorized individuals or systems. Currently, this feature is available only via the IONOS S3 Object Storage API.

Grant access

IONOS S3 Object Storage allows for comprehensive access management at the bucket and object levels. This allows you to define precisely who may access what.
There are two roles involved in granting access:
  • Owner: The user who creates the bucket is referred to as the owner.
  • Grantee: Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Usually, the grantee is the user under the same contract at IONOS, but it also could be the user under another contract. You need to get the Grantee’s Canonical User ID to share access to the bucket or object. For more information, see Retrieve Canonical User ID.
Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the user's S3 web interface due to the S3 protocol's architecture. To access the bucket, the user will need to utilize other S3 Tools, as the granted access does not translate to interface visibility.
Grantee
Bucket
Object
Public
Everyone
Authenticated Users
All users of the IONOS S3 Object Storage (not limited to a contract).
Log Delivery Group
Group required for logging (in combination with the "Log Delivery Write" ACL)
n/a
Individual users
Selected users of the IONOS S3 Object Storage (not limited to a contract). Sharing buckets with individual users requires their IONOS S3 Object Storage ID.
Permissions: These are the access rights that can be assigned to Grantees. By default, buckets and objects are private and only the bucket owner can access them. The content of a bucket is always accessible (as a list) as soon as the bucket is public, even if the objects it contains are private and can therefore neither be displayed nor downloaded!
Permission
Bucket
Object
Read access (Readable)
View the contents of a bucket as a list. Opening and downloading objects is not possible.
Open and download objects
Write access (Writable)
Upload and delete objects
n/a
Read access to permissions (ACP Readable)
View the access rights of the bucket or object
Write access to permissions (ACP Writable)
View and edit the access rights of the bucket or object