We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

Managing Access to DigitalOcean Spaces

PostedSeptember 20, 2017 5.7k views Object Storage DigitalOcean

Introduction

DigitalOcean Spaces currently provide two levels of access: owners and everyone else. Owners can create, destroy, and read all content in all the Spaces for an account. They also make decisions and manage what everyone else can see.

This article will first cover the access settings for Spaces and the files in them, then cover how account owners can allow others to co-manage their Spaces.

Making Content Public

There are two decisions that Space owners need to make with regards to accessing its contents:

  • Whether to allow anonymous users to list the full contents of the Space. This decision is made when creating a Space, and can be changed after.
  • Whether a file should be public, meaning anyone on the internet can view the contents, or private, meaning only owners can see it. This decision is made when uploading a file, and can be changed after.

In the next two sections, we'll explore the implications of these two administrative choices.

Decision 1 — Allowing Listing of the Contents of a Space

If an owner gives everyone permission to list the contents of a Space, it means anyone on the internet who looks can see the names (called keys) of every file in the Space as well as other file information, like their sizes and last modified dates. This meta-information is visible even when the permission to view the contents of a file is set to private.

If a Space is set to allow everyone to view this list of contents, anonymous users could gain more information than an owner intends. Because of this, the permission to list the contents of a DigitalOcean Space is denied by default.

To illustrate this, consider the following situation:

  • A Space named permissions set to public, meaning file listing is allowed.
  • A text file in the Space named guest-list-for-sammys-surprise-party.txt, which is set to private at the individual file level.
  • An image file in the Space named sammy.png, which is set to public at the individual file level.

When we visit the two files in a web browser as an ordinary user, we'll get the results we expect.

We will be able to see the image sammy.png because it's public:

Screenshot of the shark pic loaded in a browser

We won't be able to view the contents of the guest list because it's private. Instead, we'll get an AccessDenied message:

Screenshot of access denied message for the guest list

Output
<Error> <Code>AccessDenied</Code> <BucketName>permissions</BucketName> <RequestId>tx000000000000001986a9f-0059c052b0-fc31-nyc3a</RequestId> <HostId>fc31-nyc3a-nyc</HostId> </Error>

However, when we visit the base URL of the Space, we'll be able to see the list of all files in the Space. This means we'll see information about both files, despite the fact that the contents of the guest list aren't public.

Screenshot of file information in the Space

Output
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> <Name>permissions</Name> <Prefix/> <Marker/> <MaxKeys>1000</MaxKeys> <IsTruncated>false</IsTruncated> <Contents> <Key>guest-list-for-sammys-surprise-party.txt</Key> <LastModified>2017-09-17T19:20:21.360Z</LastModified> <ETag>"39365ac292b6471ef008d1099bf99963"</ETag> <Size>42</Size> <StorageClass>STANDARD</StorageClass> <Owner> <ID>2900818</ID> <DisplayName>2900818</DisplayName> </Owner> </Contents> <Contents> <Key>image.png</Key> <LastModified>2017-09-17T23:19:53.222Z</LastModified> <ETag>"00d3c043c2e54e99712d6e526932bb76"</ETag> <Size>95607</Size> <StorageClass>STANDARD</StorageClass> <Owner> <ID>2900818</ID> <DisplayName>2900818</DisplayName> </Owner> </Contents> </ListBucketResult>

Displaying the file name means Sammy could discover the existence of the guest list. Even though viewing the actual contents is denied at the file permissions level, the surprise would be spoiled.

So why make listings public? An owner might set the contents of a Space to public when all its contents are public and they want unauthenticated scripts to be able to read what's available.

The visibility of the list of contents is set when creating a Space and can be edited on the Space's settings tab after.

Decision 2 — Allowing Public Access to Files

Just as the permission to list the contents of a Space is denied by default, permission to view the contents of files is denied by default as well. Owners must explicitly choose to make files publicly visible.

Note: Defaulting to privacy can be overridden in the settings of some 3rd party clients, but at this time, there is no way to change the default from private to public in the Control Panel. File permissions can be set to public as file are staged for upload, bulk updated within a directory using the Actions menu, or changed on a per-file basis.

Owners can also give time-bound permission to view a private file by creating a pre-signed URL, also known as a Quick Share link, for an individual item. Anyone with the link will be able to view a private file during the specified time interval. For more detailed information, see the Managing Individual Files and Folders section in An Introduction to DigitalOcean Spaces.

Sharing Ownership

If an owner wants to allow one or more people to co-manage Spaces, there are two distinctly different ways: Spaces access keys and DigitalOcean Teams.

Spaces access keys allow people to connect to Spaces with third-party clients and the API. The privileges granted by Spaces access keys do not provide access to the Control Panel and do not extend to other DigitalOcean resources.

DigitalOcean Teams, on the other hand, allow Members to use the Control Panel to create and manage Spaces and Spaces access keys. In addition, Members can administer other DigitalOcean resources like billing information, Droplets, Load Balancers, Cloud Firewalls, and more.

Option 1 — Sharing Access to Spaces with Access Keys

Spaces access keys are generated from within the DigitalOcean Control Panel, but they are only used with third-party clients and the API. Users who connect with access keys can create, destroy, read, and write to all the Spaces for the account. However, they cannot connect to the Control Panel itself.

To generate Spaces access keys, use the main navigation bar and follow the API link. Within the Spaces access keys section, select Generate New Key.

Screenshot of the API Page

In the example that follows, we'll create a key pair to give access to our teammate, Nattie Narwhal. We can create an unlimited number of keys for our account, so we'll generate a key pair just for her. That way, if it's necessary to revoke access in the future, we can remove the keys or reset the secret without affecting other users.

When we're prompted to provide the Key name, we'll enter her name (Nattie Narwhal), and then click Generate Key.

Screenshot of the Key name dialog

The name we've chosen will appear opposite the access key, and the secret key will be displayed below. Because this is the only time the secret key will be displayed, we'll copy it immediately and store it in a secure place. When we send her the keys, we'll follow the same procedures we use for sharing other privileged credentials.

Screenshot of new key pair

Keys can also be used programmatically. If we have a website with an object storage plugin that lets it write assets directly to a Space, we would generate a key pair specifically for it and name it accordingly.

If a secret gets lost, forgotten, or compromised, we can open its More menu, click Edit and choose Regenerate Token to create a new secret. When a secret is regenerated, the user will need to reconfigure any scripts or clients to use the new secret value.

Option 2 — Sharing Access to the DigitalOcean Control Panel with Teams

DigitalOcean Teams, like Spaces access keys, allow members to create, manage, and destroy Spaces associated with the Team account using the Control Panel's web interface. Members can also create, delete, and regenerate access keys for Spaces. However, unlike using Spaces access keys, Members of a Team can also access other Team resources, like Droplets, Firewalls, and more.

To give one or more people access to co-manage Spaces using the Control Panel, open the User menu and choose Create a team, then follow the setup steps.

Screenshot of User menu with mouse over Create a Tem

Visit How To Use Teams on DigitalOcean for detailed information about creating and managing Teams.

Once a user is a Member of the Team, they can manage Spaces with the web interface as well as generate their own keys for API or third-party clients.

Important: Because Spaces cannot be transferred directly between accounts, we recommend you create the Team first, then create the Spaces.

Conclusion

In this article, we've covered the access permissions for the list of a Space's contents, the access permissions for the contents of individual files, and how to share owner-level access to a DigitalOcean account's Spaces with Spaces access keys or by using DigitalOcean Teams. To learn more about Spaces, visit one of the following guides.

Using the DigitalOcean Control Panel interface to Spaces:

Managing Spaces with third-party tools:

Managing Spaces with the DigitalOcean API:

4 Comments

Creative Commons License