IONOS Object Storage provides multiple features to manage access to your buckets and objects effectively. This allows you to define precisely who may access what.
By default, newly created user-owned buckets and objects are private, and only the bucket owner can access them. In the case of the newly created contract-owned buckets, the buckets and objects are private, and both the contract owner and administrators can access and manage them.
Use the following options to share access to a bucket and to all or specific objects in a bucket:
Bucket Policy: This policy is applied at the bucket level and it offers a robust framework for setting fine-grained access controls to your Object Storage buckets and objects. It is useful for restricting access based on certain conditions like IP addresses or time of access. With Bucket Policy, you can manage access to specific objects or prefixes within a bucket. However, the size of the policy is limited, which could be a consideration if you have extensive access control requirements. You can use Bucket Policy to make a bucket or object public, or to share access with specific authorized users by defining the necessary permissions within the policy.
Bucket and Object Access Control Lists (ACLs): Provides a simpler mechanism for controlling access and can be specified for every object if needed, making them more flexible on a per-object basis. You can use ACLs to make a bucket or object public or to share access with certain authorized users by setting the right permissions. ACLs do not offer the ability to restrict access based on conditions like IP address.
There are two roles involved in granting access: Owner and Grantee. Their definitions depend on the Bucket Types.
Owner: The contract owner owns all the buckets. Administrators have the same permissions as the contract owner but must use the access key that is created after they have become administrators.
Grantee: Refers to the Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Grantee could be any of the following:
A user of the same contract according to the Bucket Policy defined by the contract owner or administrator.
Another contract using ACL. If you share contract access, all contract users are granted access.
Specific users of another contract according to the Bucket Policy defined by the contract owner or administrator.
Predefined groups: All users and authenticated users of IONOS Object Storage (users from any contract). Both ACL and Bucket Policy support this function.
Owner: The user who creates the bucket is called the owner. Each user owns buckets of their account.
Grantee: Refers to the Object Storage defined user groups to whom permissions are granted that specify which buckets and objects they may access. Grantee could be any of the following:
A user from the same contract.
A user from another contract.
Predefined groups: All users, authenticated users of IONOS Object Storage (users from any contract), and Log Delivery Group.
Share Objects with Pre-Signed URLs: An excellent choice for securely providing temporary access to your objects. Essential for sharing files with someone without requiring them to have an IONOS account, and for granting temporary access to authorized users for a specified period, after which the URL expires.
Cross-Origin Resource Sharing (CORS): If you allow public access to your bucket, you can specify which domains can make cross-origin requests to your Object Storage using this function. It is useful when you need to serve resources from your bucket to web applications hosted on different domains.
Block Public Access: Overrides any other permissions applicable on buckets and objects. Maintaining your data’s privacy is essential. Using Block Public Access, ensure your buckets and objects are not accidentally made public and are accessible only to authorized individuals or systems. Currently, this feature is available only via the IONOS Object Storage API.
IONOS Object Storage authenticates users by using a pair of keys — Access Key and Secret Key.
An Object Storage key must be generated manually using Generate a Key or Object Storage Management API. Only on generating the first key, the Canonical User ID is displayed in the Object Storage Credentials and Management > Users & Groups > Users > Object Storage Keys > Object Storage section.
You will need the keys to work with Object Storage through supported applications or develop your own using API. Using the Key management, you can view and share your Object Storage Credentials and manage Access keys.
There are two forms of user identification: Contract User ID and Canonical User ID. Depending on the Bucket Types to get access to, use the appropriate user ID as follows:
Share your Contract User ID with other users to get access to the contract-owned buckets and objects.
Share your Canonical User ID with other users to get access to the user-owned buckets and objects. This is the ID assigned to a user by the IONOS Object Storage.
For more information, see Retrieve User ID.
Logging on to IONOS Object Storage requires an access key as part of the authentication process. Your Object Storage credentials consist of an Access Key and a Secret Key. The DCD automatically uses these credentials to set up Object Storage. Hence, deactivating an access key restricts your access through the web interface. These credentials are also required to set up access to IONOS Object Storage using S3 Tools.
In the Access keys list,
Each key shows whether it is valid for all buckets (contract-owned buckets and user-owned buckets) or valid only for user-owned buckets.
The ADMIN KEY refers to the key valid for all the buckets and provides the same access permissions as the contract owner or administrator.
Access Key and Secret Key Length: To prepare new functionalities of IONOS Object Storage, effective April 25, 2024, the key character length is modified as follows:
Access Key: The key length is increased from 20 to 92 characters.
Previous format example: 23cbca2790edd9f62100
New format example: EAAAAAFaSZEvg5hC2IoZ0EuXHRB4UNMpLkvzWdKvecNpEUF-YgAAAAEB41A3AAAAAAHnUDl-h_Lwot1NVP6F_MARJv_o
Secret Key: The key length is increased from 40 to 64 characters.
Previous format example: 0Q1YOGKz3z6Nwv8KkkWiButqx4sVmSJW4bTGwbzO
New format example: Opdxr7mG09tK4wX4s6J3nrl1Z4EJgYRui/rldkgiPmrI5bavWHuThswRqPwgbeLP
Generate object storage keys: A user can have multiple Object Storage keys, which can be given to other users or automated scripts. Users using such an additional Object Storage key to access the IONOS Object Storage automatically inherit the credentials and access rights of the user.
This can be useful for allowing users automated (scripted) or temporary access to object storage. For more information, see Generate a Key.
Activate or deactivate keys: A key when generated is in an active state by default. You can change the key status between active and inactive. Deactivating an Object Storage key will block its access to the IONOS Object Storage. You can reactivate the key and restore access to manage buckets and objects. For more information, see Manage Keys.
Delete: If a key is no longer needed or if it should no longer be possible to gain access to the IONOS Object Storage with this key, it can be deleted. This cannot be undone.
In IONOS Object Storage, a bucket is the primary container for data. Think of it like a directory in a file system where you can store files known as objects. Each object is stored in a bucket and is identified by a unique key, allowing easy retrieval. You can store any number of objects in a bucket and can create up to 500 buckets in a user account.
A region corresponds to a geographical location where the data inside the buckets will be stored. Different regions have different , which are URLs to access the Object Storage.
IONOS Object Storage is available in the following regions:
Berlin, Germany in eu-central-2 and eu-central-3
Frankfurt, Germany in de and eu-central-4
Logroño, Spain in eu-south-2
Lenexa, USA in us-central-1
Choosing the right bucket region is crucial for optimizing your cloud storage. Consider the following:
Proximity: Select a region that is close to your application or user base to reduce latency and costs.
Redundancy: For backups, consider a region geographically separate from your primary location to ensure data safety during local outages or disasters.
For information on supported regions based on the , see .
When naming buckets and folders, the name must adhere to the following rules:
Be unique throughout the entire .
Consists of 3 to 63 characters.
Starts with a letter or a number.
Consists of lowercase letters (a-z) and numbers (0-9).
The use of hyphens (-), periods (.), and underscores (_) is conditional.
Note: The bucket name must not:
End with a period, hyphen, or underscore.
Include multiple periods in a row (...).
Contain hyphens next to periods.
Have the format of an IPv4 address (Example: 192.168.1.4).
Contain underscores if the bucket is to be used for auto-tiering later.
Following are a few examples of correct bucket naming:
data-storage-2023
userphotos123
backup-archive
1234
Following are a few examples of incorrect bucket naming:
Example
Reason for Incorrectness
Data-Storage
Contains uppercase letters.
user.photos
Contains periods which might cause SSL issues.
a2
Too short, less than 3 characters.
a-very-long-bucket-name-that-exceeds-sixty-three-characters-in-total-length
Exceeds the 63—character limit.
bucket-
Ends with a hyphen.
bucket_with_underscore
Allowed but not a recommended naming convention.
The S3 (Simple Storage Service) API has been the global standard for object storage for many years. It provides interoperability and compatibility of various object storage systems that adhere to this standard. IONOS Object Storage has one of the highest levels of S3 API support.
IONOS Object Storage lets users create the following two types of buckets:
1. Contract-owned buckets
2. User-owned buckets
Each of these bucket types offers a different feature set. For more information, see Bucket Types.
Starting May 30, 2024, all the newly launched Endpoints have a contract owner as a bucket owner, and the administrator also holds the same set of permissions as a contract owner. You can continue creating user-owned buckets using specific endpoints, but the shift towards a contract-owned bucket model will be our primary focus for future features.
For more information, see IONOS Object Storage API documentation.
IONOS Object Storage allows users to create the following two types of buckets:
1. Contract-owned buckets
2. User-owned buckets
Each bucket type has a different feature set to cater to your business needs. For more information, see Feature comparison.
This bucket type is recommended for users within a single organization. Contract-owned buckets are the new bucket types supported in the Object Storage starting May 30, 2024.
Following are the key highlights of this bucket type:
The contract owner is the bucket owner of all the contract buckets. The contract owner or an administrator can create and manage buckets by default and define permissions in the Bucket Policy settings for other users to manage the buckets.
Every user in the contract can view the list of all buckets within their contract, even if they do not have permission to access the content.
Only the contract owner or an administrator can grant users access to view the bucket objects or manage these buckets.
You can create contract-owned buckets only in the following region:
Data Center
Region
Frankfurt, Germany
eu-central-4
Berlin, Germany
eu-central-3
Lenexa, USA
us-central-1
Cross-regional bucket replication is not supported for contract-owned buckets but will be available soon. However, you can replicate user-owned buckets to contract-owned bucket regions, and this function is supported both through the DCD and the API.
Logging bucket setting is not supported at the moment.
Flow logs do not operate on contract-owned buckets. However, flow logs can capture network traffic flow data for IPv4 and IPv6 addresses in user-owned buckets.
This bucket type is recommended if the users of the contract are separate entities and does not require viewing or accessing buckets of other users in the contract. The bucket type supported before the launch of contract-owned buckets is now termed user-owned buckets.
Every contract user independently owns their buckets and has the autonomy to create and manage them without seeking approval from the contract owner. A combined list of all user-owned buckets under the contract is not available, and the contract owner must individually check the bucket list of the users to view the buckets a user owns.
Users under the contract can only have visibility to their buckets, with no access to other user's bucket lists in the contract.
You can create user-owned buckets only in the following regions:
Data Center
Region
Frankfurt, Germany
de
Berlin, Germany
eu-central-2
Logroño, Spain
eu-south-2
The user-owned bucket and contract-owned bucket offer a wide range of operations with the following differences in their feature set:
Features
Contract-owned buckets
User-owned buckets
Bucket ACL
Use to share access to other contracts. To share access with users from the same contract, use .
Use to share access between users of the contract and to other contracts.
Bucket Access Logging
Not supported
Supported
Bucket Replication
Cross-regional bucket replication is not supported for contract-owned buckets but will be available soon. You can only replicate user-owned buckets in the contract-owned buckets region. This function is supported both through the DCD and the API.
It supports replication within the same user's user-owned buckets and in contract-owned buckets. You can also replicate within the regions where user-owned buckets are supported. For more information, see .
Identity and Access Management (IAM)
No, available in the near future.
Not supported
Object Query
Supported
Not supported
Redirects for Static Website Hosting
Supported
Not supported
Free data transfer to VMs within the same region
Supported
Not supported
Flow logs
Not supported
Supported
For information on supported API functions for these bucket types, see S3 API Compatibility.
IONOS Object Storage organizes data as objects. The data could range from documents, pictures, videos, backups, and other types of content. You can store these objects within the buckets and each object can be a maximum of 5 TB in size. An object consists of a key that represents the name given to the object. This key acts like a unique identifier, which you can use to retrieve the object.
Every object uploaded to a bucket includes Object properties and Object metadata.
The properties refer to object details and the metadata are key-value pairs that store additional information about the object. The maximum size of metadata is 2 KB (keys+values). For instance, an object of type 'image' can include metadata such as its photographer, capture date, or camera used. Properly defined metadata aids in filtering and pinpointing objects using specific criteria.
In the Object Settings, you can retrieve the object's properties and metadata alongside the object.
In the DCD, for any object under a bucket, the following object properties are displayed:
Type
Defines the object (file) type such as image, pdf, zip, and so on.
Size
The file size is shown as sequence of bytes such as MB, KB, and so on.
Modified on
The date and time when the object was last modified is displayed here.
Version ID
Represents an unique object version. If versioning for the bucket is enabled, then every object in that bucket is assigned a unique version ID. If versioning is not enabled for a bucket, then, version ID is not available for the object.
From the Object Properties page, you can also perform the following actions:
Download an object.
Copy the object URL to the clipboard.
Generate a Pre-Signed URL.
Delete an object.
Versions: Versioning objects enables the preservation, retrieval, and restoration of all versions of objects in your bucket. When versioning is enabled for a bucket, every time an object is uploaded to it, a new version of that object is created, and each version has a unique version ID. For more information, see Versioning.
Access Control List (ACL): The object Access Control List (ACL) contains access control for each object, defining which user accounts can read, write, or modify objects within a bucket. You can share access to a bucket and to all or specific objects in a bucket. The access permissions defined at the bucket level also influence the object access in a bucket. For more information, see Access Control List.
Object Lock: Prevents objects from being deleted or overwritten for a specified amount of time or indefinitely. It is beneficial for compliance or regulatory reasons. Currently, enabling Object lock is possible only during the bucket creation. For more information, see Object Lock.
Multi-part upload: This breaks down a single large object into smaller parts and uploads these objects to the bucket, maximizing the upload speed. For more information, see Multi-part upload.
Folders, also known as Prefixes are containers that help to organize the objects within a bucket. You can create folders within a bucket and upload objects to folders. Object Storage offers a flat data structure instead of a hierarchy such as a file system. Hence, to support the organization of data in a well-structured way, the creation of Folders is allowed within a bucket. You can also create subfolders within a folder and upload objects to subfolders.
Unlike traditional file systems with nested folders, IONOS Object Storage maintains a flat environment without a hierarchy of folders or directories; hence you can emulate folders using key naming conventions with slashes (/).
You can use prefix names that contain alphanumeric characters, slashes, and hyphens only.
Example: Instead of saving a report as Annual_Report_2023.pdf, using a key such as reports/2023/Annual_Report.pdf gives the semblance of a folder structure. These virtual folders through prefixes aid in logically grouping related objects.
Following are a few examples of using prefixes for objects to emulate folder structure:
user_profiles/john_doe/avatar.jpg
data/backups/June/backup.zip
