Access management

By assigning access rights to a group of users in accordance with an S3-compliant access control list (ACL), you can manage who may access the buckets and objects of your IONOS S3 Object Storage.

Every user is the bucket owner of their own IONOS S3 Object Storage and has full access to its content.

A DCD feature allows contract owners and administrators to log on to the object storage accounts of their contract members as bucket owners with full access rights.

The access management of the IONOS S3 Object Storage includes:

Grantees

Grantees are S3-defined user groups to whom permissions are granted that specify which buckets and objects they may access in which way.

Overview of grantees available in the IONOS S3 Object Storage

  • Public

    Bucket and object: Everyone

  • Authenticated Users

    Bucket and object: All users of the IONOS S3 Object Storage (not limited to a contract).

  • Log Delivery Group

    Bucket: Group required for logging (in combination with the "Log Delivery Write" ACL)

    Object: n/a

  • Individual users

    Bucket and object: Selected users of the IONOS S3 Object Storage (not limited to a contract)

    Sharing buckets with individual users requires their S3 ID.

Permissions

These are the access rights that can be assigned to grantees.

By default, buckets and objects are "private", i.e. only the bucket owner can access them.

The content of a bucket is always accessible (as a list) as soon as the bucket is "public", even if the objects it contains are private and can therefore neither be displayed nor downloaded!

Overview of permissions available in the IONOS S3 Object Storage

  • Read access (Readable)

    Bucket: View the contents of a bucket as a list. Opening and downloading objects is not possible.

    Object: Open and download objects

  • Write access (Writable)

    Bucket: Upload and delete objects

    Object: n/a

  • Read access to permissions (ACP Readable)

    Bucket and object: View the access rights of the bucket or object

  • Write access to permissions (ACP Writable)

    Bucket and object: View and edit the access rights of the bucket or object

Canned ACLs

So-called "canned ACLs" are pre-defined access profiles, so that you don't have to enter the combination of permissions per grantee manually.

By default, buckets and objects are "private", i.e. only the bucket owner can access them.

Every user is the bucket owner of their own IONOS S3 Object Storage and has full access to its content.

Overview of pre-defined access profiles available in the IONOS S3 Object Storage

  • Private (default)

    Bucket and object: Full access for bucket owners

  • Public Read

    Bucket and object: Full access for bucket owners. Read access to buckets for all users of the IONOS S3 Object Storage (not limited to a contract).

    Please note that the content of a bucket is always displayed as a list as soon as it is made "public", even if the objects it contains are private and can therefore neither be displayed nor downloaded!

  • Public Read Write

    Bucket: Full access for bucket owners. Read and write access for everyone. Everyone may view the bucket contents and upload and delete files.

    Object: n/a

  • Authenticated Read

    Bucket and object: Full access for bucket owners. Read access for all users of the IONOS S3 Object Storage (not limited to a contract).

  • Log Delivery Write

    Bucket: Full access for bucket owners. Write access for the Log Delivery Group, which can also view the access permissions of a bucket. This access profile is required for saving the log files generated when logging is activated for a bucket.

    Object: n/a

  • Bucket Owner Read

    Bucket: n/a

    Object: Full access for object owners. Read access for bucket owners.

  • Bucket Owner Full

    Bucket: n/a

    Object: Full access for object and bucket owners
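The following Python script is an added example, not code from IONOS or from this page. It models the grantees, permissions and canned ACLs described in the three overviews above as explicit grants, evaluates what a given principal may do with a bucket or an object, and flags the grants a defender would review. It also checks the prerequisite for bucket logging (Log Delivery Group with write access and ACP read access on the target bucket) that is described further down the page. The group URIs are the standard S3 ones; that IONOS uses exactly these identifiers is an assumption of the example, and all owner IDs are constructed sample values.

```python
from dataclasses import dataclass, field

# Standard S3 group URIs for the three group grantees named on this page. S3-compliant
# services use these identifiers; that IONOS does too is an assumption of this example.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # "Public"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # "Authenticated Users"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"           # "Log Delivery Group"

READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL = "READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"
ALL_PERMS = {READ, WRITE, READ_ACP, WRITE_ACP}
BUCKET_OWNER = "<bucket owner>"  # placeholder resolved when an object ACL is expanded

# Canned ACL -> grants added on top of the owner's FULL_CONTROL; None = n/a for that kind.
CANNED = {
    "private":                   {"bucket": [], "object": []},
    "public-read":               {"bucket": [(ALL_USERS, READ)], "object": [(ALL_USERS, READ)]},
    "public-read-write":         {"bucket": [(ALL_USERS, READ), (ALL_USERS, WRITE)], "object": None},
    "authenticated-read":        {"bucket": [(AUTH_USERS, READ)], "object": [(AUTH_USERS, READ)]},
    "log-delivery-write":        {"bucket": [(LOG_DELIVERY, WRITE), (LOG_DELIVERY, READ_ACP)], "object": None},
    "bucket-owner-read":         {"bucket": None, "object": [(BUCKET_OWNER, READ)]},
    "bucket-owner-full-control": {"bucket": None, "object": [(BUCKET_OWNER, FULL_CONTROL)]},
}

# Which permission each action needs, per the permissions overview above.
ACTIONS = {
    ("bucket", "list"): READ, ("bucket", "upload"): WRITE, ("bucket", "delete"): WRITE,
    ("object", "download"): READ,
    ("bucket", "view_acl"): READ_ACP, ("object", "view_acl"): READ_ACP,
    ("bucket", "edit_acl"): WRITE_ACP, ("object", "edit_acl"): WRITE_ACP,
}

@dataclass
class Acl:
    kind: str              # "bucket" or "object"
    owner: str             # S3 ID of the owner (constructed IDs in the examples)
    grants: list = field(default_factory=list)  # (grantee, permission) pairs

def canned_acl(name, kind, owner, bucket_owner=None):
    """Expand a canned ACL into explicit grants. Raises for n/a combinations."""
    extra = CANNED[name][kind]
    if extra is None:
        raise ValueError(f"{name} does not apply to a {kind}")
    if any(g == BUCKET_OWNER for g, _ in extra) and bucket_owner is None:
        raise ValueError(f"{name} needs the bucket owner's ID")
    grants = [(owner, FULL_CONTROL)] + [
        (bucket_owner if g == BUCKET_OWNER else g, p) for g, p in extra]
    return Acl(kind, owner, grants)

def permissions_for(acl, principal):
    """Effective permissions of principal (an S3 ID, a group URI, or None for anonymous)."""
    perms = set()
    for grantee, perm in acl.grants:
        if grantee == ALL_USERS or grantee == principal or (
                grantee == AUTH_USERS and principal is not None):
            perms |= ALL_PERMS if perm == FULL_CONTROL else {perm}
    return perms

def allowed(acl, principal, action):
    return ACTIONS[(acl.kind, action)] in permissions_for(acl, principal)

def risky_grants(acl):
    """What a defender would flag: group grants beyond READ, and anonymous bucket READ,
    which lists every key in the bucket even when the objects themselves are private."""
    findings = []
    for grantee, perm in acl.grants:
        if grantee in (ALL_USERS, AUTH_USERS) and perm != READ:
            findings.append(f"{perm} granted to {grantee}")
        if grantee == ALL_USERS and perm == READ and acl.kind == "bucket":
            findings.append("anonymous listing of bucket contents")
    return findings

def log_delivery_ready(acl):
    """Prerequisite for bucket logging: the Log Delivery Group can write to the target
    bucket and read its permissions (the "Log Delivery Write" profile)."""
    return acl.kind == "bucket" and {WRITE, READ_ACP} <= permissions_for(acl, LOG_DELIVERY)

if __name__ == "__main__":
    owner = "12345678|00000000-0000-0000-0000-000000000001"   # constructed S3 ID
    bucket = canned_acl("public-read", "bucket", owner)
    obj = canned_acl("private", "object", owner)
    print(allowed(bucket, None, "list"), allowed(obj, None, "download"))  # True False
    print(risky_grants(bucket))
```

The two printed results reproduce the warning repeated on this page: a public-read bucket lets anyone list its keys, while a private object inside it still cannot be downloaded. `risky_grants` is the check to run over an inventory of bucket ACLs before, not after, something is shared.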

For more on sharing objects, see the following sections.

If you want to share your bucket contents with others who do not use any S3 Object Storage or client, you have the following options:

Sharing objects through access rights

You can use access rights and predefined profiles ("canned ACLs") to control access to buckets and objects in your IONOS S3 Object Storage for different user groups. Users can then use a suitable S3 client to access the objects whose authorization profile they match.

By default, buckets and objects are "private", i.e. only the bucket owner can access them.

The content of a bucket is always accessible (as a list) as soon as the bucket is "public", even if the objects it contains are private and can therefore neither be displayed nor downloaded!

Prerequisites

  • You are logged on to the IONOS S3 Object Storage using the Object Storage Management Console.

  • You are the bucket owner.

    - or -

    You have write access to permissions ("ACP writable").

How to share objects through access rights

  • Open the properties of the item that you would like to share by clicking on Properties in the respective tab.

  • Grant access:

    • In the Bucket Canned ACL or Object Canned ACL tab, select a predefined access profile ("access control list").

      Example: public read means the item is available to everyone but cannot be modified.

      - or -

    • In the Bucket Permissions or General Permissions tab, assign permissions to the required user group ("grantees").

      Example: Grantee=Authenticated Users, writable grants write access to all users of the IONOS S3 Object Storage (even those outside of your own contract).

  • Confirm your entries by clicking on Save.

    The item is shared according to your settings.

Sharing objects with users

If you want to share your buckets and their content with users of the IONOS S3 Object Storage outside your own contract, you can use ACL sharing. All you need is the user’s "contract user id" in the format contract number|User UUID.

Prerequisites

  • You are logged on to the IONOS S3 Object Storage using the Object Storage Management Console.

  • You are the bucket owner.

    - or -

    You have write access to permissions ("ACP writable").

How to share objects with users

  • Open the properties of the bucket, object, or object version that you would like to share by clicking on Properties in the respective tab.

  • In the General Permissions tab, click on + ADD NEW.

    A new line is added.

  • In the Grantee column, enter the contract user id of the user.

    If you want to share the bucket or object with all users of a particular contract, you only have to enter the contract number as follows: contract number| (e.g. 12345678|).

    IDs entered this way are not validated. An invalid ID has no effect.

  • Set the permission for the user by selecting the appropriate check box.

  • Confirm your entries by clicking on Save.

    The item is shared according to your settings.

  • To remove access, click on Delete.
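Because the console does not validate grantee IDs, a mistyped contract user id silently grants nothing. The following Python helper is an added example (not IONOS code) that checks the contract number|User UUID format described above before the value is entered or sent through the S3 API, and builds the corresponding grant entry in the AccessControlPolicy shape that boto3's put_bucket_acl and put_object_acl take. That the contract user id is accepted as the CanonicalUser ID through the API is an assumption of the example; the contract number and UUID used are constructed samples.

```python
import re
import uuid

# Grantee format described on this page: "<contract number>|<user UUID>", or
# "<contract number>|" to address every user of that contract.
CONTRACT_USER_ID = re.compile(r"^(?P<contract>\d+)\|(?P<user>.*)$")
PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}

def parse_contract_user_id(value):
    """Return (contract_number, user_uuid); user_uuid is None for a whole contract.
    The console does not validate these IDs and a wrong one silently grants nothing,
    so check the format yourself before entering it (or sending it through the API)."""
    m = CONTRACT_USER_ID.match(value.strip())
    if not m:
        raise ValueError(f"expected contract_number|user_uuid, got {value!r}")
    contract, user = m.group("contract"), m.group("user")
    if user == "":
        return contract, None
    try:
        return contract, str(uuid.UUID(user))   # canonical lowercase, hyphenated form
    except ValueError:
        raise ValueError(f"user part is not a UUID: {user!r}") from None

def grant_for(value, permission):
    """One entry for the Grants list of an S3 AccessControlPolicy (the structure
    boto3's put_bucket_acl / put_object_acl accept). Assumption, not stated on the
    page: the contract user id is accepted as the CanonicalUser ID via the API."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    contract, user = parse_contract_user_id(value)
    return {"Grantee": {"Type": "CanonicalUser", "ID": f"{contract}|{user or ''}"},
            "Permission": permission}

if __name__ == "__main__":
    # constructed sample values
    print(grant_for("12345678|", "READ"))
    print(grant_for("12345678|0F0E0D0C-0B0A-4000-8000-000000000001", "READ"))
```

After applying a grant, confirm it took effect by reading the ACL back (the ACP Readable permission is what that requires) rather than trusting the save: an unknown ID produces no error and no access.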

Sharing objects through a URL

If you want to share content with users who do not have access to an S3 client application, you can share an object by making it publicly available through a URL. This URL can be generated by the Object Storage Management Console and can optionally be provided as an SSL-encrypted URL (using HTTPS).

Objects shared this way are always visible to everyone as they are public - regardless of their access permissions. You can, however, limit the number of downloads and the period of availability.

Prerequisites

  • You are logged on to the IONOS S3 Object Storage using the Object Storage Management Console.

  • You are the bucket owner.

    - or -

    You have write access to permissions ("ACP writable").

How to share objects through a URL

  • Open the properties of the item that you would like to share by clicking on Properties in the respective tab.

  • Open the Public URL Access tab.

  • Activate the Enable Public URL Access check box.

    Additional input fields appear:

  • In the Maximum Downloads field, specify the maximum number of downloads for this URL.

    ℹ Enter -1 for unlimited access.

    The Current Downloads field will show you the number of downloads.

  • (Optional) Activate the Secure URL (Https) check box to generate an SSL-encrypted URL and increase the security of the file.

  • (Optional) Change the expiration date of the URL.

  • To generate the URL, click on Apply.

    The URL is generated and displayed.

    You can now copy the URL and share it with others or send it by e-mail using the MAIL TO button.

    ℹ To send e-mail, your browser needs to be configured so that it can open your default web-based e-mail program.

    The file can be accessed using a browser. No S3 application is required. In the Current Downloads field you can see how often the file has already been accessed. To update this field, please reload the dialog in the Object Storage Management Console by means of a so-called "hard refresh".

    After expiration or change of the validity or the number of downloads, a new URL is generated and the link is no longer accessible. An error message will appear instead.

Sharing objects on a static website

If you want to share content with users who do not have access to an S3 client application, you can configure a bucket as a website, which can be accessed using a standard web browser (instead of an S3 web client). This website needs to be static; it cannot deliver personalised content or run server-side scripts. This feature is useful for sharing a collection of objects.

A bucket-hosted website can be accessed as follows: http://<Bucketname>.<S3WebsiteEndpoint>/<IndexDocument> (e.g. http://mywebsite.s3-website-de-central.profitbricks.com/index.htm).

Shared objects contained in this bucket are available as follows: http://<Bucketname>.<S3WebsiteEndpoint>/<Objectname>. <Objectname> may also contain folders.

Please note that a website configured with this feature can only be accessed via HTTP. HTTPS (SSL) is not supported.

Example

The bucket mywebsite is used as a container for your website. “Static Website Hosting” has been enabled in its properties. It contains the start page (index.htm) and a page that is displayed on error (404.htm).

The bucket contains the img folder in which images are stored. Among others, it contains the file test0.png:

The file is available at: http://mywebsite.s3-website-de-central.profitbricks.com/img/test0.png

Files can be linked with each other through relative paths. If you want to link from index.htm at the bucket (root) level to test0.png, which is located in the img folder of the mywebsite bucket, you can refer to it with href="img/test0.png".

Prerequisites

  • You are logged on to the IONOS S3 Object Storage using the Object Storage Management Console.

  • You have write access to permissions ("ACP writable").

How to share objects on a static website

  • Create a bucket.

    ℹ The bucket name is part of the URL of the static website. Please mind the naming rules that apply!

  • Upload the website content to the bucket, which also includes the start page (usually index.htm) and an error page (usually 404.htm).

  • In the Properties of the bucket, open the Static Website Hosting tab.

  • Activate the Enable Website Hosting check box.

  • In the dialog box that appears, confirm that you want all objects to be public by clicking Ok.

    ℹ If you upload other objects to the bucket, please make sure that they are set to "public read"! Otherwise they are not accessible to others.

  • In the Index Document, enter the start page that you uploaded (e.g. index.htm).

  • (Optional) In the Error Document, enter the error page that you uploaded (e. g. 404.htm).

  • Save your entries by clicking Save.

    The website is now available at http://<Bucketname>.<S3WebsiteEndpoint>/<IndexDocument> (e.g. http://mywebsite.s3-website-de-central.profitbricks.com/index.htm)
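The following Python script is an added example, not code from IONOS or from this page. It builds the website and object URLs in the form http://<Bucketname>.<S3WebsiteEndpoint>/<Objectname> used by the example above, checks that the bucket name is usable as a DNS label (the naming rule the note above refers to; the standard S3 bucket naming rules are assumed here), resolves a relative href the way a browser does, and lists objects that are not "public read" and would therefore be unreachable for visitors. The endpoint host is the one from the page's example and the object inventory is constructed.

```python
import re
from urllib.parse import urljoin

# Endpoint host from the page's own example; replace with the endpoint of your region.
WEBSITE_ENDPOINT = "s3-website-de-central.profitbricks.com"

# The bucket name becomes a DNS label in the site URL, so it must be hostname-safe:
# 3-63 chars of lowercase letters, digits, dots and hyphens, starting and ending with
# a letter or digit, and no consecutive dots. (Standard S3 bucket naming rules; that
# IONOS applies exactly these is an assumption of this example.)
BUCKET_NAME = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")

def check_bucket_name(name):
    if not BUCKET_NAME.match(name) or ".." in name:
        raise ValueError(f"not a valid bucket name for website hosting: {name!r}")
    return name

def website_url(bucket, key, endpoint=WEBSITE_ENDPOINT):
    """Address of an object on a bucket-hosted site:
    http://<Bucketname>.<S3WebsiteEndpoint>/<Objectname>.
    Plain http only: the page states that HTTPS is not supported for this feature."""
    check_bucket_name(bucket)
    return f"http://{bucket}.{endpoint}/{key.lstrip('/')}"

def resolve_link(page_url, href):
    """Resolve a relative href (e.g. href="img/test0.png" in index.htm) as a browser would."""
    return urljoin(page_url, href)

def not_public(object_acls):
    """Keys whose canned ACL is not public-read: visitors cannot fetch them (see the note above)."""
    return sorted(k for k, acl in object_acls.items() if acl != "public-read")

if __name__ == "__main__":
    index = website_url("mywebsite", "index.htm")
    print(index)
    print(resolve_link(index, "img/test0.png"))
    # constructed inventory of object keys and their canned ACLs
    print(not_public({"index.htm": "public-read", "404.htm": "public-read", "img/test0.png": "private"}))
```

Running `not_public` over the real object list after every upload is the practical form of the note above: a single private object in an otherwise public site fails for visitors without any error on the console side.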

Logging access to a bucket

The IONOS S3 Object Storage allows you to record all accesses to a bucket in a log file that conforms to S3 bucket logging from the time logging is activated. If the bucket is accessed, this log file is created in a bucket of your choice at an interval specified by the system.

Logging is not activated by default.

Prerequisites

  • You are logged on to the IONOS S3 Object Storage using the Object Storage Management Console.

How to log access to a bucket

  • (Optional) Create a bucket in which the log files are to be stored (target bucket). Alternatively, the target bucket can also be the bucket for which logging is activated.

  • Assign write access on the target bucket to the Log Delivery Group:

    • Bucket Properties > Bucket Canned ACL: Log Delivery Write,

      - or -

    • Bucket Properties > Bucket Permissions: Log Delivery - writable, acp readable.

  • Open the properties of the bucket for which you want to activate logging.

  • Open the Logging: tab.

  • Activate logging:

    • Activate the Enable Logging check box.

    • In the Destination Bucket field, enter the name of the bucket in which to save the log files. Source and target bucket may be identical.

      ℹ Write access for Log Delivery needs to be enabled on the target bucket. You have to be the owner of the target bucket.

    • (Optional) In the Target Prefix field, enter the prefix for log files so that you can sort them more easily later (e. g. log_). If you enter no prefix, the log file name is derived from its time stamp alone.

  • Deactivate logging:

    • Deactivate the Enable Logging check box.

  • Save your settings by clicking Save.

    Log files are generated and saved to the target bucket in the format (<prefix>)<time stamp>.

You can modify or deactivate logging any time with no effect on existing log files. Log files are handled like any other object in the IONOS S3 Object Storage.