Key Management

IONOS S3 Object Storage authenticates users with a pair of keys: an Access Key and a Secret Key. An Object Storage Key is generated automatically for each user when the user is created, and it is activated when the user is granted permission to use the IONOS S3 Object Storage. You need the keys to work with Object Storage through supported applications or to develop your own applications using the API.

Using the key management section in the IONOS S3 Object Storage, you can view and share your S3 Credentials and manage Access keys.

S3 Credentials

Depending on the selected S3 client, you have various options for sharing buckets, objects, or object versions with users of the IONOS S3 Object Storage. In addition to roles and predefined profiles, you can share the content of your buckets with selected users by using their IONOS S3 Object Storage ID. This is known as ACL Sharing or S3 Sharing.

There are two forms of user identification: Canonical User ID and email address. The Canonical User ID is the ID assigned to a user by the IONOS S3 Object Storage. You can retrieve your Canonical User ID (see Retrieve Canonical User ID) and share it with other S3 users to get access to their buckets and objects.

Some S3 clients only require the email address of a registered S3 user for sharing objects, as they can convert the email address to the ID required by the object storage.

S3 clients that support the Display Name feature will display the email address instead of the ID of a user for better readability.

Access keys

Logging on to IONOS S3 Object Storage requires an access key as part of the authentication process. Your S3 credentials consist of an Access Key and a Secret Key. The web console automatically uses these credentials to set up Object Storage. Hence, deactivating an access key restricts your access through the web interface. These credentials are also required to set up access to IONOS S3 Object Storage using S3 Tools.

Generate object storage keys: A bucket owner can have multiple Object Storage Keys, which can be given to other users or automated scripts. Users who access the IONOS S3 Object Storage with such an additional Object Storage Key automatically inherit the credentials and access rights of the bucket owner. This can be useful for giving users automated (scripted) or temporary access to object storage. For more information, see Generate a Key.

Note: A maximum of five object storage keys per user is possible. You can create technical users to assign a different set of permissions and share access to the bucket with them. For more information, see Retrieve the Canonical User ID of a new user.

Activate or deactivate keys: A newly generated key is active by default. You can switch the key status between active and deactivated. When the automated or temporary use of the key is over, the additional Object Storage Key can be deactivated. Deactivating an Object Storage Key blocks access to the IONOS S3 Object Storage with that key. You can reactivate the key to restore access to buckets and objects. For more information, see Manage Keys.

Delete: If a key is no longer needed or if it should no longer be possible to gain access to the IONOS S3 Object Storage with this key, it can be deleted. This cannot be undone.

Note: Before you delete a user or all of their Object Storage Keys from your account, ensure that the content in their IONOS S3 Object Storage is accessible so that you can continue to use it or delete it by adjusting the access rights accordingly.

If the content is set to private and is not removed before the user is deleted, and if all of the user's Object Storage Keys have been deleted and are no longer accessible, then the Object Storage is subject to billing. In this case, contact IONOS Cloud Support.
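The check described in the note above can be scripted before a user or their last key is deleted. The following is an added example, not IONOS code: it assumes bucket ACLs in the shape of an S3 GetBucketAcl response, uses constructed placeholder IDs, and assumes that only a FULL_CONTROL grant to another Canonical User ID keeps the content manageable.

```python
# Constructed sample data: bucket name -> ACL shaped like an S3 GetBucketAcl
# response (Owner / Grants). All IDs are made-up placeholders.
OWNER = "canonical-id-of-departing-user"   # placeholder
ADMIN = "canonical-id-of-remaining-user"   # placeholder


def _grant(user_id, permission):
    """Build one grant to a canonical user (helper for the sample data)."""
    return {"Grantee": {"Type": "CanonicalUser", "ID": user_id},
            "Permission": permission}


SAMPLE_ACLS = {
    # Shared with full control: still manageable after the owner's keys are gone.
    "reports": {"Owner": {"ID": OWNER},
                "Grants": [_grant(OWNER, "FULL_CONTROL"),
                           _grant(ADMIN, "FULL_CONTROL")]},
    # Private: only the owner's keys can reach it.
    "scratch": {"Owner": {"ID": OWNER},
                "Grants": [_grant(OWNER, "FULL_CONTROL")]},
    # Readable by ADMIN, but ADMIN could not delete it or change its ACL.
    "shared-read": {"Owner": {"ID": OWNER},
                    "Grants": [_grant(OWNER, "FULL_CONTROL"),
                               _grant(ADMIN, "READ")]},
}


def other_controllers(acl, departing_id):
    """Canonical IDs, other than the departing user, that hold FULL_CONTROL."""
    return sorted({
        g["Grantee"]["ID"]
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") != departing_id
        and g["Permission"] == "FULL_CONTROL"
    })


def buckets_blocking_deletion(acls, departing_id):
    """Buckets owned by departing_id that nobody else could manage afterwards."""
    return sorted(
        name for name, acl in acls.items()
        if acl["Owner"]["ID"] == departing_id
        and not other_controllers(acl, departing_id)
    )


if __name__ == "__main__":
    for name in buckets_blocking_deletion(SAMPLE_ACLS, OWNER):
        print(f"{name}: adjust access rights or empty it before deleting the keys")
```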
