Product updates

Per-Bucket Access Keys Now Available for DigitalOcean Spaces

Posted: January 14, 2025

    We’re excited to announce the general availability of Per-Bucket Access Keys for DigitalOcean Spaces Object Storage. This highly requested feature gives you fine-grained control over who can access specific storage buckets with read-only or read/write permissions, making it easier to secure and manage your data.

    What Are Per-Bucket Access Keys?

    With Per-Bucket Access Keys, you can assign unique access credentials with read-only or read/write permission for individual buckets. This enables the right level of access to be granted to different teams, S3-compatible applications and use cases, without over-permissioning.

    A Real-World Example

    Let’s say you’re running a photography business with three storage buckets:

    • Raw Photos: Only accessible by your editing team.
    • Final Photos: Your client portal needs read-only access, while your editing team needs read-write access.
    • Marketing Materials: Your social media automation tools need read-only access to this bucket.

    Before Per-Bucket Access Keys, controlling access to these buckets could get tricky. Now, you can:

    • Create a “Read/Write/Delete” access key for the photo editing team to interact with your Raw Photos and Final Photos buckets.
    • Generate a “Read” access key for your client portal, restricted to the Final Photos bucket.
    • Assign a “Read” access key for your social media tools to access the Marketing Materials bucket.

    Key Benefits

    Per-Bucket Access Keys open up a range of new possibilities for businesses and developers:

    • Enhanced Security: Help ensure applications and team members only have access to the data they need.
    • Multi-Tenant Environments: Better safeguard customer data by isolating access for each tenant.
    • Environment Isolation: Keep development, staging, and production environments separate within the same account.
    • Application-Specific Access: Reduce the impact of a compromised access key by limiting its scope to a single bucket.
    • Secure File Sharing: Share content from one bucket without exposing content from any other buckets.

    Security Best Practices

    This new feature makes it easier to adopt the principle of least privilege, where users and applications are granted only the permissions they require. Here are some recommendations:

    • Use separate keys for different applications and team members.
    • Opt for “Read” access keys whenever possible.
    • Opt for “Read/Write/Delete” access keys over “All Permissions” keys whenever possible.
    • Regularly review and rotate your access keys.
    • Combine Per-Bucket Access Keys with presigned URLs to enable user-specific file uploads without granting broad bucket access.

    Future Enhancements

    We’re continuously working to improve the user experience and capabilities of Per-Bucket Access Keys. Here’s what’s on the horizon:

    • API and CLI Support: By mid-2025, you’ll be able to create Per-Bucket Access Keys through the DigitalOcean API and CLI, in addition to the DigitalOcean Control Panel.
    • S3-Compatible Bucket Policy Support: Compatibility with S3-compatible bucket policies (PutBucketPolicy) is in progress and expected to be available by mid-2025.

    Get Started Today

    Per-Bucket Access Keys are available now in all DigitalOcean regions at no additional cost. To get started:

    1. Visit the Access Keys tab (see image below) on the Spaces Object Storage page in the DigitalOcean Control Panel.
    2. Create keys with “Read” or “Read/Write/Delete” permissions for specific buckets.
    3. Refer to our documentation for detailed guidance.
    Visit the Access Keys tab to create a new Access Key

    If you haven’t tried Spaces Object Storage yet, now’s the perfect time to explore how seamless and affordable it is for your Kubernetes, App Platform, and Droplets storage needs. Try it today!
