IONOS Object Storage authenticates users by using a pair of keys — Access Key and Secret Key.
An Object Storage key must be generated manually using Generate a Key or Object Storage Management API. Only upon generating the first key, the Canonical User ID is displayed in the Object Storage Credentials and Users & Groups > Users > Object Storage Keys > IDs section.
You will need the keys to work with Object Storage through supported applications or develop your own using API. Using the Key management, you can view and share your Object Storage Credentials and manage Access keys.
There are two forms of user identification: Contract User ID and Canonical User ID. Depending on the Bucket Types to get access to, use the appropriate user ID as follows:
Share your Contract User ID with other users to get access to the contract-owned buckets and objects.
Share your Canonical User ID with other users to get access to the user-owned buckets and objects. This is the ID assigned to a user by the IONOS Object Storage.
For more information, see Retrieve User ID.
Logging on to IONOS Object Storage requires an access key as part of the authentication process. Your Object Storage credentials consist of an Access Key and a Secret Key. The DCD automatically uses these credentials to set up Object Storage. Hence, deactivating an access key restricts your access through the web interface. These credentials are also required to set up access to IONOS Object Storage using S3 Tools.
Note:
— Starting May 30, 2024, a new endpoint eu-central-3 is added in Berlin, Germany to support contract-owned bucket types.
— All the newly generated keys from April 25, 2024, are valid for both the Bucket Types by default and are usable at all the Endpoints.
— The keys generated before April 25, 2024, will only have access to the user-owned buckets and be usable only in the endpoints that support user-owned buckets. For more information, see Service availability.
In the Access keys list,
Each key shows whether it is valid for all buckets (contract-owned buckets and user-owned buckets) or valid only for user-owned buckets.
The ADMIN KEY refers to the key valid for all the buckets and provides the same access permissions as the contract owner or administrator.
Access Key and Secret Key Length: To prepare new functionalities of IONOS Object Storage, effective April 25, 2024, the key character length is modified as follows:
Access Key: The key length is increased from 20 to 92 characters.
Previous format example: 23cbca2790edd9f62100
New format example: EAAAAAFaSZEvg5hC2IoZ0EuXHRB4UNMpLkvzWdKvecNpEUF-YgAAAAEB41A3AAAAAAHnUDl-h_Lwot1NVP6F_MARJv_o
Secret Key: The key length is increased from 40 to 64 characters.
Previous format example: 0Q1YOGKz3z6Nwv8KkkWiButqx4sVmSJW4bTGwbzO
New format example: Opdxr7mG09tK4wX4s6J3nrl1Z4EJgYRui/rldkgiPmrI5bavWHuThswRqPwgbeLP
Note: The keys generated before April 25, 2024, continue to exist in the previous key length format and remain functional. However, these keys may not enable you to use the new functionalities in the Object Storage.
Generate object storage keys: A user can have multiple Object Storage keys, which can be given to other users or automated scripts. Users using such an additional Object Storage key to access the IONOS Object Storage automatically inherit the credentials and access rights of the user.
This can be useful for allowing users automated (scripted) or temporary access to object storage. For more information, see Generate a Key.
Note: A maximum of five object storage keys per user is possible. You can create technical users to assign a different set of permissions and share access to the bucket with them. For more information, see Retrieve the User ID of a new user.
Activate or deactivate keys: A key when generated is in an active state by default. You can change the key status between active and inactive. Deactivating an Object Storage key will block its access to the IONOS Object Storage. You can reactivate the key and restore access to manage buckets and objects. For more information, see Manage Keys.
Delete: If a key is no longer needed or if it should no longer be possible to gain access to the IONOS Object Storage with this key, it can be deleted. This cannot be undone.
Note:
— Deleting all the Object Storage keys does not affect the stored objects. However, the contract is charged for the data stored. You can create a new key and continue to work with Object Storage.
— You need to delete all the objects from the user-owned bucket before you delete a user or all of their Object Storage Keys from your account; otherwise, the contract continues to be charged for the stored data. In this case, contact IONOS Cloud Support.
The S3 (Simple Storage Service) API has been the global standard for object storage for many years. It provides interoperability and compatibility of various object storage systems that adhere to this standard. IONOS Object Storage has one of the highest levels of S3 API support.
IONOS Object Storage lets users create the following two types of buckets:
1. Contract-owned buckets
2. User-owned buckets
Each of these bucket types offers a different feature set. For more information, see Bucket Types.
Starting May 30, 2024, all the newly launched Endpoints have a contract owner as a bucket owner, and the administrator also holds the same set of permissions as a contract owner. You can continue creating user-owned buckets using specific endpoints, but the shift towards a contract-owned bucket model will be our primary focus for future features.
For more information, see IONOS Object Storage API documentation.
IONOS Object Storage organizes data as objects. The data could range from documents, pictures, videos, backups, and other types of content. You can store these objects within the buckets and each object can be a maximum of 5 TB in size. An object consists of a key that represents the name given to the object. This key acts like a unique identifier, which you can use to retrieve the object.
Every object uploaded to a bucket includes Object properties and Object metadata.
The properties refer to object details and the metadata are key-value pairs that store additional information about the object. The maximum size of metadata is 2 KB (keys+values). For instance, an object of type 'image' can include metadata such as its photographer, capture date, or camera used. Properly defined metadata aids in filtering and pinpointing objects using specific criteria.
Note: Currently, it is not possible to add metadata using the DCD. You can add metadata using the or (in case of multipart upload) API calls for uploading objects.
In the Object Settings, you can retrieve the object's properties and metadata alongside the object.
From the Object Properties page, you can also perform the following actions:
Download an object.
Copy the object URL to the clipboard.
Generate a Pre-Signed URL.
Delete an object.
Folders, also known as Prefixes are containers that help to organize the objects within a bucket. You can create folders within a bucket and upload objects to folders. Object Storage offers a flat data structure instead of a hierarchy such as a file system. Hence, to support the organization of data in a well-structured way, the creation of Folders is allowed within a bucket. You can also create subfolders within a folder and upload objects to subfolders.
Unlike traditional file systems with nested folders, IONOS Object Storage maintains a flat environment without a hierarchy of folders or directories; hence you can emulate folders using key naming conventions with slashes (/).
You can use prefix names that contain alphanumeric characters, slashes, and hyphens only.
Example: Instead of saving a report as Annual_Report_2023.pdf, using a key such as reports/2023/Annual_Report.pdf gives the semblance of a folder structure. These virtual folders through prefixes aid in logically grouping related objects.
Following are a few examples of using prefixes for objects to emulate folder structure:
user_profiles/john_doe/avatar.jpg
data/backups/June/backup.zip
Learn about the key components of IONOS Object Storage, its functions, and capabilities to manage your Object Storage.
In the , for any object under a bucket, the following object properties are displayed:
| Properties | Description |
|---|
Versions: Versioning objects enables the preservation, retrieval, and restoration of all versions of objects in your bucket. When versioning is enabled for a bucket, every time an object is uploaded to it, a new version of that object is created, and each version has a unique version ID. For more information, see .
Access Control List (ACL): The object Access Control List (ACL) contains access control for each object, defining which user accounts can read, write, or modify objects within a bucket. You can share access to a bucket and to all or specific objects in a bucket. The access permissions defined at the bucket level also influence the object access in a bucket. For more information, see .
Note: For contract-owned buckets, you cannot share access to a specific object with users from the same contract using ACL. Instead, use .
Object Lock: Prevents objects from being deleted or overwritten for a specified amount of time or indefinitely. It is beneficial for compliance or regulatory reasons. Currently, enabling Object lock is possible only during the . For more information, see .
Multi-part upload: This breaks down a single large object into smaller parts and uploads these objects to the bucket, maximizing the upload speed. For more information, see .
Feature
Supported by contract-owned buckets
Supported by user-owned buckets
Bucket Create, Read, Update, Delete (CRUD)
Yes
Yes
Object CRUD
Yes
Yes
Object Copy
Yes, only for buckets without encryption.
Yes, cross-regional copying is not supported.
Multipart Uploads
Yes
Yes
Pre-Signed URLs
Yes
Yes
Bucket ACLs
Yes, but without the Logging Group.
Yes
Object ACLs
Yes
Yes
Block Public Access
Yes, only via the API.
Yes, only via the API.
Bucket Policy
Yes
Yes
CORS Configuration
Yes
Yes
Bucket Versioning
Yes
Yes
Bucket Replication
Not supported as contract-owned buckets are currently supported only in the eu-central-3 region. But, you can replicate user-owned buckets to contract-owned buckets in the eu-central-3 region. This function is supported both via the DCD and the API.
Yes, intraregional and cross-regional replication are supported.
Bucket Tagging
Yes, only via the API.
Yes, only via the API.
Object Tagging
Yes, only via the API.
Yes, only via the API.
Bucket Lifecycle
Yes
Yes
Bucket Access Logging
No
Yes
Bucket Encryption Configuration
Yes, only via the API.
Yes, only via the API.
Object Encryption
Yes, server-side encryption is used by default in the web interface. The encryption with customer-managed encryption keys is available via the API.
Yes, server-side encryption is used by default in the web interface. The encryption with customer-managed encryption keys is available via the API.
Bucket Website
Yes, including support for redirects through the API reference.
Yes
Bucket Inventory
No
Yes, only via the API.
Object Lock
Yes
Yes
Legal Hold
Yes
Yes
Object Ownership
No
Yes
Identity and Access Management (IAM)
No, available in the near future.
No
Security Token Service (STS)
No
No
Multi-factor Authentication
No
No
Bucket Notifications
No
No
Request Payment
Yes
No
Bucket Metrics
No
No
Bucket Analytics
No
No
Bucket Accelerate
No
No
Object Query
Yes
No
Type | Defines the object (file) type such as image, pdf, zip, and so on. |
Size | The file size is shown as sequence of bytes such as MB, KB, and so on. |
Modified on | The date and time when the object was last modified is displayed here. |
Version ID | Represents an unique object version. If versioning for the bucket is enabled, then every object in that bucket is assigned a unique version ID. If versioning is not enabled for a bucket, then, version ID is not available for the object. |
In IONOS Object Storage, a bucket is the primary container for data. Think of it like a directory in a file system where you can store files known as objects. Each object is stored in a bucket and is identified by a unique key, allowing easy retrieval. You can store any number of objects in a bucket and can create up to 500 buckets in a user account.
A region corresponds to a geographical location where the data inside the buckets will be stored. Different regions have different Endpoints, which are URLs to access the Object Storage.
IONOS Object Storage is currently available in four regions:
Berlin, Germany in eu-central-2 and eu-central-3
Frankfurt, Germany in de
Logroño, Spain in eu-south-2
Choosing the right bucket region is crucial for optimizing your Cloud storage. Consider the following:
Proximity: Select a region that is close to your application or user base to reduce latency and costs.
Redundancy: For backups, consider a region geographically separate from your primary location to ensure data safety during local outages or disasters.
For information on supported regions based on the Bucket Types, see Service availability.
When naming buckets and folders, the name must adhere to the following rules:
Be unique throughout the entire IONOS Object Storage.
Consists of 3 to 63 characters.
Starts with a letter or a number.
Consists of lowercase letters (a-z) and numbers (0-9).
The use of hyphens (-), periods (.), and underscores (_) is conditional.
Note: The bucket name must not:
End with a period, hyphen, or underscore.
Include multiple periods in a row (...).
Contain hyphens next to periods.
Have the format of an IPv4 address (Example: 192.168.1.4).
Contain underscores if the bucket is to be used for auto-tiering later.
Following are a few examples of correct bucket naming:
data-storage-2023
userphotos123
backup-archive
1234
Following are a few examples of incorrect bucket naming:
To store your data in IONOS Object Storage, learn about buckets that serve as data containers. |
Learn about the contract-owned bucket and user-owned bucket types' feature sets and limitations. |
Organize data in the Object Storage by learning about the objects, object functions, metadata, folders, and prefixes. |
To authenticate with your Object Storage credentials for using Object Storage and to manage keys, learn about key management. |
To control access permissions to your buckets and objects, learn about access management. |
Learn about the features compatible with S3 API. |
IONOS Object Storage allows users to create the following two types of buckets:
1. Contract-owned buckets
2. User-owned buckets
Each bucket type has a different feature set to cater to your business needs. For more information, see Feature comparison.
Note: Starting from May 30, 2024, all the newly launched Endpoints (regions) will use a contract owner as a bucket owner. You can still create user-owned buckets using specific endpoints, but this shift toward a contract-owned bucket model will be the primary focus for future Object Storage updates.
This bucket type is recommended for users within a single organization. Contract-owned buckets are the new bucket types supported in the Object Storage starting May 30, 2024.
Following are the key highlights of this bucket type:
The contract owner is the bucket owner of all the contract buckets. The contract owner or an administrator can create and manage buckets by default and define permissions in the Bucket Policy settings for other users to manage the buckets.
Every user in the contract can view the list of all buckets within their contract, even if they do not have permission to access the content.
Only the contract owner or an administrator can grant users access to view the bucket objects or manage these buckets.
You can create contract-owned buckets only in the following region:
| Data Center | Region |
|---|---|
Currently, cross-regional bucket replication is not possible for contract-owned buckets since this bucket type is supported only in the eu-central-3 region. However, you can replicate user-owned buckets to contract-owned buckets in the eu-central-3 and this function is supported both via the DCD and the API.
Logging bucket setting is not supported at the moment.
This bucket type is recommended if the users of the contract are separate entities and does not require viewing or accessing buckets of other users in the contract. The bucket type supported before the launch of contract-owned buckets is now termed user-owned buckets.
Every contract user independently owns their buckets and has the autonomy to create and manage them without seeking approval from the contract owner. A combined list of all user-owned buckets under the contract is not available, and the contract owner must individually check the bucket list of the users to view the buckets a user owns.
Users under the contract can only have visibility to their buckets, with no access to other user's bucket lists in the contract.
You can create user-owned buckets only in the following regions:
The user-owned bucket and contract-owned bucket offer a wide range of operations with the following differences in their feature set:
For information on supported API functions for these bucket types, see S3 API Compatibility.
IONOS Object Storage provides multiple features to manage access to your buckets and objects effectively. This allows you to define precisely who may access what.
By default, newly created user-owned buckets and objects are private, and only the bucket owner can access them. In the case of the newly created contract-owned buckets, the buckets and objects are private, and both the contract owner and administrators can access and manage them.
Use the following options to share access to a bucket and to all or specific objects in a bucket:
: This policy is applied at the bucket level and it offers a robust framework for setting fine-grained access controls to your Object Storage buckets and objects. It is useful for restricting access based on certain conditions like IP addresses or time of access. With Bucket Policy, you can manage access to specific objects or prefixes within a bucket. However, the size of the policy is limited, which could be a consideration if you have extensive access control requirements. You can use Bucket Policy to make a bucket or object public, or to share access with specific authorized users by defining the necessary permissions within the policy.
: Provides a simpler mechanism for controlling access and can be specified for every object if needed, making them more flexible on a per-object basis. You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. ACLs do not offer the ability to restrict access based on conditions like IP address.
There are two roles involved in granting access: Owner and Grantee. Their definitions depend on the .
Owner: The contract owner owns all the buckets. Administrators have the same permissions as the contract owner but must use the that is created after they have become administrators.
Grantee: Refers to the Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Grantee could be any of the following:
A user of the same contract according to the Bucket Policy defined by the contract owner or administrator.
Another contract using ACL. If you share contract access, all contract users are granted access.
Specific users of another contract according to the Bucket Policy defined by the contract owner or administrator.
Predefined groups: All users and authenticated users of IONOS Object Storage (users from any contract). Both ACL and Bucket Policy support this function.
Owner: The user who creates the bucket is called the owner. Each user owns buckets of their account.
Grantee: Refers to the Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Grantee could be any of the following:
A user from the same contract.
A user from another contract.
Predefined groups: All users, authenticated users of IONOS Object Storage (users from any contract), and Log Delivery Group.
Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the DCD due to the Object Storage protocol's architecture. To access the bucket, the user will need to utilize other , as the granted access does not translate to interface visibility.
| Example | Reason for Incorrectness |
|---|---|
| Data Center | Region |
|---|---|
| Features | Contract-owned buckets | User-owned buckets |
|---|---|---|
: An excellent choice for securely providing temporary access to your objects. Essential for sharing files with someone without requiring them to have an IONOS account, and for granting temporary access to authorized users for a specified period, after which the URL expires.
: If you allow public access to your bucket, you can specify which domains can make cross-origin requests to your Object Storage using this function. It is useful when you need to serve resources from your bucket to web applications hosted on different domains.
Block Public Access: Overrides any other permissions applicable on buckets and objects. Maintaining your data’s privacy is essential. Using Block Public Access, ensure your buckets and objects are not accidentally made public and are accessible only to authorized individuals or systems. Currently, this feature is available only via the .
Berlin, Germany
eu-central-3
Frankfurt, Germany
de
Berlin, Germany
eu-central-2
Logroño, Spain
eu-south-2
Bucket ACL
Use to share access to other contracts. To share access with users from the same contract, use Bucket Policy.
Use to share access between users of the contract and to other contracts.
Bucket Access Logging
Not supported
Supported
Bucket Replication
Cannot replicate contract-owned buckets as this bucket type is currently supported only in the eu-central-3 region. But, you can replicate user-owned buckets to contract-owned buckets in the eu-central-3 region. This function is supported both via the DCD and the API.
Supports replication within user-owned buckets of the same user and as well as replication to contract-owned buckets.
Identity and Access Management (IAM)
No, available in the near future.
Not supported
Object Query
Supported
Not supported
Redirects for Static Website Hosting
Supported
Not supported
Free data transfer to VMs within the same region
Supported
Not supported
Data-Storage
Contains uppercase letters.
user.photos
Contains periods which might cause SSL issues.
a2
Too short, less than 3 characters.
a-very-very-long-bucket-name-that-exceeds-sixty-three-characters-in-total
Exceeds the 63 character limit.
bucket-
Ends with a hyphen.
bucket_with_underscore
Allowed but not a recommended naming convention.
