# Key Management

<code class="expression">space.vars.ionos\_cloud\_object\_storage</code> authenticates users by using a pair of keys — **Access Key** and **Secret Key**.

An Object Storage key must be generated manually using [<mark style="color:blue;">Generate a Key</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/get-started/generate-key) or the [<mark style="color:blue;">Object Storage Management API</mark>](https://api.ionos.com/docs/s3-management/v1/). The **Canonical User ID** is displayed in the [<mark style="color:blue;">Object Storage Credentials</mark>](#object-storage-credentials) and in the **Management** > **Users & Groups** > **Users** > **Object Storage Keys** > **Object Storage** section only after the first key is generated.

You need the keys to work with Object Storage through supported applications or to develop your own using the [<mark style="color:blue;">API</mark>](https://docs.ionos.com/cloud/support/general-information/glossary-of-terms#api). In **Key management**, you can view and share your [<mark style="color:blue;">Object Storage Credentials</mark>](#object-storage-credentials) and manage [<mark style="color:blue;">Access keys</mark>](#access-keys).

## Object Storage Credentials

There are two forms of user identification: **Contract User ID** and **Canonical User ID**. Depending on the [<mark style="color:blue;">Bucket Types</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/concepts/bucket-types) that other users need access to, share the appropriate user ID as follows:

* Share your **Contract User ID** with other users to get access to the contract-owned buckets and objects.
* Share your **Canonical User ID** with other users to get access to the user-owned buckets and objects. This is the ID assigned to a user by the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code>.

For more information, see [<mark style="color:blue;">Retrieve User ID</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/how-tos/retrieve-user-id#retrieve-user-id).

![Object Storage Credentials](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-7ce677a0aea1699969f49c980d60d948e326a6eb%2Fs3-credentials.png?alt=media)

## Access keys

Logging on to <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> requires an access key as part of the authentication process. Your Object Storage credentials consist of an **Access Key** and a **Secret Key**. The DCD automatically uses these credentials to set up Object Storage. Hence, deactivating an access key restricts your access through the web interface. These credentials are also required to set up access to <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> using [<mark style="color:blue;">S3 Tools</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools).

{% hint style="info" %}
**Key Management Feature Update:**

Keys generated before April 25, 2024, have access only to user-owned buckets and are usable only on endpoints that support user-owned buckets. Keys generated after this date are valid for both [<mark style="color:blue;">Bucket Types</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/concepts/bucket-types) by default and are usable at all [<mark style="color:blue;">Endpoints</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/endpoints). For more information, see [<mark style="color:blue;">Service availability</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/overview#service-availability).
{% endhint %}

In the **Access keys** list:

* Each key shows whether it is valid for all buckets (contract-owned buckets and user-owned buckets) or valid only for user-owned buckets.
* The `ADMIN KEY` refers to the key valid for all the buckets and provides the same access permissions as the contract owner or administrator.

![Access keys](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-dddb092e480bb6094aa5bdb5937830c578dc800a%2Fs3-access-keys.png?alt=media)

**Access Key and Secret Key Length:** The key character length is as follows:

* **Access Key:** The key length is increased from 20 to 92 characters.
  * Previous format example: `23cbca2790edd9f62100`
  * New format example: `EAAAAAFaSZEvg5hC2IoZ0EuXHRB4UNMpLkvzWdKvecNpEUF-YgAAAAEB41A3AAAAAAHnUDl-h_Lwot1NVP6F_MARJv_o`
* **Secret Key:** The key length is increased from 40 to 64 characters.
  * Previous format example: `0Q1YOGKz3z6Nwv8KkkWiButqx4sVmSJW4bTGwbzO`
  * New format example: `Opdxr7mG09tK4wX4s6J3nrl1Z4EJgYRui/rldkgiPmrI5bavWHuThswRqPwgbeLP`

{% hint style="info" %}
**Key Length Update:** Keys generated before April 25, 2024, continue to exist in the older key length format and remain functional. However, these keys do not support the new Object Storage features.
{% endhint %}
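
An added example, not part of the IONOS documentation: a Python sketch that inventories an AWS-style shared credentials file (assumed here as the place an S3 tool stores its keys) and flags profiles that still use the pre-April 25, 2024 key lengths, without ever echoing a secret key. It relies only on the lengths given above; the function names and sample profiles are hypothetical, and the **Access keys** list remains the authoritative source for what a key can reach.

```python
import configparser

# Key lengths stated on this page; legacy = generated before April 25, 2024.
LEGACY = (20, 40)    # (access key length, secret key length)
CURRENT = (92, 64)

SCOPE = {
    "legacy": "user-owned buckets only",
    "current": "contract-owned and user-owned buckets",
    "mismatched": "access and secret key come from different generations",
    "unknown": "lengths match neither documented format",
}

def classify_pair(access_key, secret_key):
    """Classify a key pair by length alone; key contents are not inspected."""
    lengths = (len(access_key), len(secret_key))
    if lengths == LEGACY:
        return "legacy"
    if lengths == CURRENT:
        return "current"
    if lengths[0] in (LEGACY[0], CURRENT[0]) and lengths[1] in (LEGACY[1], CURRENT[1]):
        return "mismatched"  # e.g. a rotation that replaced only one half
    return "unknown"

def audit_credentials(text):
    """Return one finding per profile; the secret key is never included."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        access = parser[profile].get("aws_access_key_id", "").strip()
        secret = parser[profile].get("aws_secret_access_key", "").strip()
        fmt = classify_pair(access, secret)
        findings.append({"profile": profile, "format": fmt, "scope": SCOPE[fmt],
                         "access_key": f"{access[:4]}...({len(access)} chars)"})
    return findings

# Constructed sample input: placeholder keys of the documented lengths.
SAMPLE_CREDENTIALS = "".join(
    f"[{name}]\naws_access_key_id = {a}\naws_secret_access_key = {s}\n"
    for name, a, s in [("default", "A" * 92, "s" * 64),
                       ("backup-job", "b" * 20, "t" * 40),
                       ("half-rotated", "C" * 92, "u" * 40)])

if __name__ == "__main__":
    for row in audit_credentials(SAMPLE_CREDENTIALS):
        print(row)
```

Profiles reported as `legacy` or `mismatched` are candidates for generating a new key and deactivating the old one.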

**Generate object storage keys:** A user can have multiple Object Storage keys, which can be given to other users or automated scripts. Anyone who uses such an additional Object Storage key to access the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> automatically inherits the credentials and access rights of the user.

This can be useful for allowing users automated (scripted) or temporary access to object storage. For more information, see [<mark style="color:blue;">Generate a Key</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/get-started/generate-key).

{% hint style="info" %}
**Note:** A maximum of five object storage keys per user is possible. You can create technical users to assign a different set of permissions and share access to the bucket with them. For more information, see [<mark style="color:blue;">Retrieve the User ID of a new user</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/how-tos/retrieve-user-id#retrieve-the-user-id-of-a-new-user).
{% endhint %}

**Activate or deactivate keys:** A newly generated key is active by default. You can change the key status between `active` and `inactive`. Deactivating an Object Storage key blocks its access to the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code>. You can reactivate the key to restore access and manage buckets and objects again. For more information, see [<mark style="color:blue;">Manage Keys</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/how-tos/manage-keys).

**Delete:** If a key is no longer needed or if it should no longer be possible to gain access to the <code class="expression">space.vars.ionos\_cloud\_object\_storage</code> with this key, it can be deleted. This cannot be undone.

{% hint style="info" %}
**Note:**

* Deleting all the Object Storage keys does not affect the stored objects. However, the contract is charged for the data stored. You can create a new key and continue to work with Object Storage.
* You need to delete all the objects from the user-owned bucket before you delete a user or all of their Object Storage Keys from your account; otherwise, the contract continues to be charged for the stored data. In this case, contact [<mark style="color:blue;">IONOS Cloud Support</mark>](https://docs.ionos.com/cloud/support/general-information/contact-information).
{% endhint %}
