Storage

Access Keys

Create and manage S3-compatible access keys for Object Storage

Access Keys

Access keys are S3-compatible credentials that allow programmatic access to your buckets via boto3, aws-cli, or any S3-compatible SDK. Each key consists of an Access Key ID and a Secret Access Key.

Creating an Access Key

Navigate to Object Storage → Access Keys
Click Create Access Key
Enter a Label — a descriptive name for the key (e.g., "Production API", "CI/CD Pipeline")
Choose Bucket Access:
- All Buckets — key can access every bucket in your account
- Specific Buckets — select one or more buckets from the list

Click Create

Save Your Credentials

After creation, your credentials are displayed one time only:

Access Key ID — format: NQAK followed by 16 characters (e.g., NQAK8f7x9k2m1pq0)
Secret Access Key — 40-character random string

Save these credentials immediately. The Secret Access Key is shown only once and cannot be retrieved later. If lost, revoke the key and create a new one.

Copy both values using the copy buttons and store them securely.

Viewing Access Keys

The Access Keys page shows all keys for your account:

Column	Description
Label	User-defined name
Access Key ID	Public key identifier (starts with `NQAK`)
Buckets	"All Buckets" or list of permitted bucket names
Status	Active or Revoked
Created	Creation timestamp

Revoking a Key

Revoking disables a key immediately while preserving it in your history:

Find the key in the table
Click Revoke (orange button)
The key status changes to Revoked

Revoked keys cannot be used to authenticate API requests. Any application using the key will receive 403 Forbidden errors.

Deleting a Key

Deleting permanently removes a key from your account:

Find the key in the table
Click Delete (red button)
Confirm the deletion

Best Practices

Principle of least privilege — scope keys to specific buckets rather than "All Buckets" whenever possible. If a key is compromised, the blast radius is limited to those buckets only.
Rotate keys regularly — create a new key, update your applications, then revoke the old key. Aim for rotation every 90 days.
Never commit keys to source control — use environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, or .env files excluded from git).
Use descriptive labels — include the application name and environment (e.g., "webapp-prod", "backup-script-staging") so you can identify which key is used where.
Revoke before deleting — if you suspect a key is compromised, revoke it immediately to stop access, then investigate before permanent deletion.
One key per application — avoid sharing keys across multiple services. This makes rotation and auditing easier.

Next Steps

Use the S3 API — configure boto3 and aws-cli with your access key
Usage & Billing — monitor per-bucket data transfer and operations

Upload & Manage Objects

Upload, browse, and delete objects in your storage bucket

S3 API Usage

Connect to Object Storage using boto3 and aws-cli