+1 this is clearly a deal breaker

Thanks for the feedback. This is something we are looking at. The limitation is unfortunately on the key-based permission support on the Ceph side but we are looking at other ways to mitigate this problem.

I would certainly like the same. As it stands, if one set of keys were compromised, they would gain access to every Space.

I just started playing with spaces today and after creating my first key and moving some data I came to the same question. Is there anything in the works to tie a specific key to a specific ‘space’ or 'bucket’? Is there already a way to do this and I’m not finding it? Thank you.

Yes, this is a feature that should be implemented, both for security like @jonny5alive states, but also for using a single DO account with multiple projects / customers.

Any update on that?

+1

+1

+1 this is stopping me from using spaces, I’m having to use S3 instead.

We, as services provider, are in a process of migrating most of our infrastructure on to digital ocean (from ovh, google cloud and scale way). We do host external backup in the cloud. For this purpose and to be compliant with the GDPR law, we must set different access for each buckets, the data of a client should not be accessible in any way with the key of another one.

I’m pretty sure CEPH can allow this kind of policy. Anyway, this absence of security is slowing our migration. Any info from the DO team ?

News? Please

+1

+1… seriously, prioritize this one. Completely ridiculous. I’m not creating completely different DO accounts just to get proper security isolation.

I think it has more factors on your platform.
Many other companys can do it also with Ceph without issues.
So ita possible. But depends on how you implement it :)

+1

+1

+1

+1

We need unique keys for different spaces. When this feature is added I can migrate from s3 to spaces. :)

Very much in need of this feature! Any news on when this might be implemented?

Thanks.

Assign different accesskeys at bucket level is a must have feature … If not how to acomplish the following scenario:

• One Bucket to be used to store private HOME files.
• One bucket to store files for WORK
• One bucket to be used as the unlimited file storage through Nextcloud.
• One bucket devoted to store daily backups of the MAIL server & the WEB apps. server.

The target is to have all of them issolated to each other but, as far as I can see, currently, there is no way to assign a different AccessKeys to each one as all accesskey have same priviledges and can be used to see/ access all the mentioned buckets content at once.

• Please, DO what do you suggest to acomplish the described scenario now?

Having all buckets accessible to all users it’s not an option at our company as well, we need to have some sort of isolation per bucket (or group of buckets, but I would already be happy if it was just per bucket).

+1111

+1

Is there any news here? Can this be solved by creating teams, and basically putting each project, space and API key in a team? I hope there will be some news here soon. Otherwise, I would need to create one DO account per project, which would be very cumbersome.

+1

+1

+1

+1 Please! I started off with spaces but need to move now as my SASS clients should not be able to access other buckets. :-(

just subscribed and payed. deal breaker. back to aws

Absolute deal breaker. You should make this much clearer before people waste time and money creating “Spaces”. The way it works right now means that anyone with any key assigned to a “Space” can access all the other “Spaces”, even if the files they contain are specific to different servers! This makes the entire thing useless. Very disappointed.

This question is 1.5 years old at this moment. Is this feature still on the road map? Is it something that can be expected anytime soon?

Totally dead breaker not having this for sooo many ppl, myself included.

Please, please, please DO, we beg you, prioritize this pleaaasee!!!

There is a feature request where ppl can vote:
https://ideas.digitalocean.com/ideas/DO-I-320

I agree - this needs to be a thing.