IONOS S3 Object Storage provides multiple features to manage access to your buckets and objects effectively. This allows you to define precisely who may access what. By default, newly created buckets and objects are 'private'. Only the bucket owner can access them.
Use the following options to share access to a bucket and to all or specific objects in a bucket:
Bucket and Object Access Control Lists (ACLs): Provides a simpler mechanism for controlling access and can be specified for every object if needed, making them more flexible on a per-object basis. You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. ACLs do not offer the ability to restrict access based on conditions like IP address. For more information, see Access Control List.
Bucket Policy: This policy is applied at the bucket level and it offers a robust framework for setting fine-grained access controls to your Object Storage buckets and objects. It is useful for restricting access based on certain conditions like IP addresses or time of access.
With Bucket Policy, you can manage access to specific objects or prefixes within a bucket. However, the size of the policy is limited, which could be a consideration if you have extensive access control requirements. You can use Bucket Policy to make a bucket or object public, or to share access with specific authorized users by defining the necessary permissions within the policy. For more information, see Bucket Policy.
Pre-Signed URLs: An excellent choice for securely providing temporary access to your objects. Essential for sharing files with someone without requiring them to have an IONOS account, and for granting temporary access to authorized users for a specified period, after which the URL expires. For more information, see Share Objects with Pre-Signed URLs.
Cross-Origin Resource Sharing (CORS): If you allow public access to your bucket, you can specify which domains can make cross-origin requests to your Object Storage using this function. It is useful when you need to serve resources from your bucket to web applications hosted on different domains.
Block Public Access: Overrides any other permissions applicable on buckets and objects. Essential for maintaining your data’s privacy by ensuring your buckets and objects are not accidentally made public and accessible only to authorized individuals or systems. Currently, this feature is available only via the IONOS S3 Object Storage API.
IONOS S3 Object Storage allows for comprehensive access management at the bucket and object levels. This allows you to define precisely who may access what.
There are two roles involved in granting access:
Owner: The user who creates the bucket is referred to as the owner.
Grantee: Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Usually, the grantee is the user under the same contract at IONOS, but it also could be the user under another contract. You need to get the Grantee’s Canonical User ID to share access to the bucket or object. For more information, see Retrieve Canonical User ID.
Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the user's S3 web interface due to the S3 protocol's architecture. To access the bucket, the user will need to utilize other S3 Tools, as the granted access does not translate to interface visibility.
Permissions: These are the access rights that can be assigned to Grantees. By default, buckets and objects are private and only the bucket owner can access them. The content of a bucket is always accessible (as a list) as soon as the bucket is public, even if the objects it contains are private and can therefore neither be displayed nor downloaded!
Grantee | Bucket | Object |
---|---|---|
Permission | Bucket | Object |
---|---|---|
Public
Everyone
Authenticated Users
All users of the IONOS S3 Object Storage (not limited to a contract).
Log Delivery Group
Group required for logging (in combination with the "Log Delivery Write" ACL)
n/a
Individual users
Selected users of the IONOS S3 Object Storage (not limited to a contract)
Sharing buckets with individual users requires their IONOS S3 Object Storage ID.
Read access (Readable)
View the contents of a bucket as a list. Opening and downloading objects is not possible.
Open and download objects
Write access (Writable)
Upload and delete objects
n/a
Read access to permissions (ACP Readable)
View the access rights of the bucket or object
Write access to permissions (ACP Writable)
View and edit the access rights of the bucket or object
In IONOS S3 Object Storage, a bucket is the primary container for data. Think of it like a directory in a file system where you can store files (known as objects). Each object is stored in a bucket and is identified by a unique key, allowing easy retrieval. You can store any number of objects in a bucket and can create up to 500 buckets in a user account.
A region corresponds to a geographical location where the data inside the buckets will be stored. Different regions have different S3 Endpoints, which are URLs to access the Object Storage.
IONOS S3 Object Storage is currently available in 3 regions:
Berlin, Germany
Frankfurt, Germany
Logrono, Spain
Choosing the right bucket region is crucial for optimizing your Cloud storage. Consider the following:
Proximity: Select a region that is close to your application or user base to reduce latency and costs.
Redundancy: For backups, consider a region geographically separate from your primary location to ensure data safety during local outages or disasters.
When naming buckets and folders, the name must adhere to the following rules:
Be unique throughout the entire IONOS S3 Object Storage.
Consists of 3 to 63 characters.
Starts with a letter or a number.
Consists of lowercase letters (a-z) and numbers (0-9).
The use of hyphens (-), periods (.), and underscores (_) is conditional. The name must not:
End with a period, hyphen, or underscore.
Include multiple periods in a row (...).
Contain hyphens next to periods.
Have the format of an IPv4 address (Example: 192.168.1.4).
Contain underscores if the bucket is to be used for auto-tiering later.
Following are a few examples of correct bucket naming:
data-storage-2023
userphotos123
backup-archive
1234
Following are a few examples of incorrect bucket naming:
Learn about the key components of IONOS S3 Object Storage, its functions, and capabilities to manage your Object Storage.
IONOS S3 Object Storage authenticates users by using a pair of keys – Access Key and Secret Key. For each user, an Object Storage Key is generated automatically on user creation which is activated when the user is granted permission to use the IONOS S3 Object Storage. You will need the keys to work with Object Storage through supported applications or develop your own using API.
Using the key management section in the IONOS S3 Object Storage, you can view and share your S3 Credentials and manage Access keys.
Depending on the selected S3 client, you have various options for sharing buckets, objects, or object versions with users of the IONOS S3 Object Storage. In addition to roles and predefined profiles, you can share the content of your buckets with selected users by using their IONOS S3 Object Storage ID known as ACL Sharing or S3 Sharing.
There are two forms of user identification - Canonical User ID, and Email address. The Canonical User ID is the ID assigned to a user by the IONOS S3 Object Storage. You can Retrieve Canonical User ID and share it with other S3 users to get access to their buckets and objects.
Some S3 clients only require the e-mail address of a registered S3 user for sharing objects as they are capable of converting the e-mail address to the ID required by the object storage.
S3 clients that support the 'Display Name' feature will display the e-mail address instead of the ID of a user for better readability.
Logging on to IONOS S3 Object Storage requires an access key as part of the authentication process. Your S3 credentials consist of an Access Key and a Secret Key. The web console automatically uses these credentials to set up Object Storage. Hence, deactivating an access key restricts your access through the web interface. These credentials are also required to set up access to IONOS S3 Object Storage using S3 Tools.
Generate object storage keys: A bucket owner can have multiple Object Storage Keys, which can be given to other users or automated scripts. Users using such an additional Object Storage Key to access the IONOS S3 Object Storage automatically inherit credentials and access rights of the bucket owner. This can be useful for allowing users automated (scripted) or temporary access to object storage. For more information, see Generate a Key.
Note: A maximum of five object storage keys per user is possible. You can create technical users to assign a different set of permissions and share access to the bucket with them. For more information, see Retrieve the Canonical User ID of a new user.
Activate or deactivate keys: A key when generated is in an active state by default. You can change the key status between active
and deactivation
. When the automated or temporary use of the key is over, the additional Object Storage Key can be deactivated. Deactivating an Object Storage Key will block access to the IONOS S3 Object Storage. You can reactivate the key and restore access to buckets and objects. For more information, see Manage Keys.
Delete: If a key is no longer needed or if it should no longer be possible to gain access to the IONOS S3 Object Storage with this key, it can be deleted. This cannot be undone.
Note: Before you delete a user or all of their Object Storage Keys from your account, ensure that the content in their IONOS S3 Object Storage is accessible so that you can continue to use it or delete it by adjusting the access rights accordingly.
The content set to 'private' that has not been removed before the user or all of their Object Storage Keys have been deleted is no longer accessible, but will continue to be charged. In this case, contact IONOS Cloud Support.
IONOS S3 Object Storage organizes data as objects. The data could range from documents, pictures, videos, backups, and other types of content. You can store these objects within the buckets and each object can be a maximum of 5 TB in size. An object consists of a key, that represents the name given to the object. This key acts like a unique identifier and you can use it to retrieve the object.
Every object uploaded to a bucket includes Object properties and Object metadata.
The properties refer to object details and the metadata are key-value pairs that store additional information about the object. The maximum size of metadata is 2 KB (keys+values). For instance, an object of type 'image' can include metadata such as its photographer, capture date, or camera used. Properly defined metadata aids in filtering and pinpointing objects using specific criteria.
Note: Currently, it is not possible to add metadata using the web console. You can add metadata using the PutObject or CreateMultipartUpload (in case of multipart upload) API calls for uploading objects.
During object storage, its properties and metadata are retrievable alongside the object.
In the web console, for any object under a bucket, the following object properties are displayed:
From the Object Properties page, you can also perform the following actions:
Download an object.
Copy the object URL to the clipboard.
Generate a Pre-Signed URL.
Delete an object.
Versions: Versioning objects enables the preservation, retrieval, and restoration of all versions of objects in your bucket. When versioning is enabled for a bucket, it also influences the object upload. For more information, see Versioning.
Access Control List (ACL): The object Access Control List (ACL) contains access control for each object defining which user accounts can read, write, or modify objects within a bucket. The access permissions defined at the bucket level also influence the object access in a bucket. For more information, see Access Control List.
Object lock: Object lock allows you to prevent objects from being deleted or overwritten for a specified amount of time or indefinitely. It is beneficial for compliance or regulatory reasons. Currently, enabling Object lock is possible only during the bucket creation. For more information, see Object Lock.
Multi-part upload: Breaks down a single large object into smaller parts and uploads these objects to the bucket maximizing the upload speed. For more information, see Multi-part upload.
Folders, also known as Prefixes are containers that help to organize the objects within a bucket. You can create folders within a bucket and upload objects to folders. Object Storage offers a flat data structure instead of a hierarchy such as a file system. Hence, to support the organization of data in a well-structured way, the creation of Folders is allowed within a bucket. You can also create subfolders within a folder and upload objects to subfolders.
Unlike traditional file systems with nested folders, IONOS S3 Object Storage maintains a flat environment. There is no hierarchy of folders or directories. While the structure is flat, you can emulate folders using key naming conventions with slashes (/).
You can use prefix names that contain alphanumeric characters, dashes, and hyphens only.
Example: Instead of saving a report as Annual_Report_2023.pdf
, using a key such as reports/2023/Annual_Report.pdf
gives the semblance of a folder structure. These virtual folders through prefixes aid in logically grouping related objects.
Following are a few examples of using prefixes for objects to emulate folder structure:
user_profiles/john_doe/avatar.jpg
data/backups/June/backup.zip
The S3 (Simple Storage Services) API has been the global standard for object storage for many years. It provides interoperability and compatibility of various object storage systems that adhere to this standard. IONOS S3 Object Storage has one of the highest levels of S3 API support.
For more information, see IONOS S3 Object Storage API documentation.
Example | Reason for Incorrectness |
---|---|
Properties | Description |
---|---|
To store your data in IONOS S3 Object Storage, learn about buckets that serve as data containers.
To organize data in the Object Storage, learn about objects, folders, its metadata, functions, and prefixes.
To authenticate with your S3 credentials for using Object Storage and to manage S3 keys, learn about key management.
To control access permissions to your buckets and objects, learn about access management.
Learn about the features compatible with S3 API.
Data-Storage
Contains uppercase letters.
user.photos
Contains periods which might cause SSL issues.
a2
Too short, less than 3 characters.
a-very-very-long-bucket-name-that-exceeds-sixty-three-characters-in-total
Exceeds the 63 character limit.
bucket-
Ends with a hyphen.
bucket_with_underscore
Allowed but not a recommended naming convention.
Type
Defines the object (file) type such as image, pdf, zip, and so on.
Size
The file size is shown as sequence of bytes such as MB, KB, and so on.
Modified on
The date and time when the object was last modified is displayed here.
Version ID
Represents an unique object version. If versioning for the bucket is enabled, then every object in that bucket is assigned a unique version ID. If versioning is not enabled for a bucket, then, version ID is not available for the object.
Feature
Supported
Notes
Bucket CRUD
Yes
Object CRUD
Yes
Object Copy
Yes
Cross-regional copying is not supported
Multipart Uploads
Yes
Pre-Signed URLs
Yes
Signature types v2 and v4 are supported
Bucket ACLs
Yes
Object ACLs
Yes
Block Public Access
Yes
Only via the API
Bucket Policies
Yes
Object Policies
Yes
CORS Configuration
Yes
Bucket Versioning
Yes
Bucket Replication
Yes
Intraregional and cross-regional replication are supported
Bucket Tagging
Yes
Only via the API
Object Tagging
Yes
Only via the API
Bucket Lifecycle
Yes
Bucket Access Logging
Yes
Bucket Encryption Configuration
Yes
Server-side encryption is used by default in the web interface. The encryption with customer-managed encryption keys is available via the API.
Object Encryption
Yes
Only via the API
Bucket Websites
Yes
Bucket Inventory
Yes
Only via the API
Object Lock
Yes
Legal Hold
Yes
Identity and Access Management (IAM)
No
Security Token Service (STS)
No
Multi-factor Authentication
No
Bucket Notifications
No
Request Payment
No
Bucket Metrics
No
Bucket Analytics
No
Bucket Accelerate
No
S3 Select
No