Access Control
The Object Storage service controls access depending on which type of credential is used to access a bucket. There are two types of credentials:
- User credentials
- Bucket service account credentials
User credentials
User credentials belong to a human user and are short-lived. A human user has full access to all the buckets and objects within the project or projects that they can access. User credentials can also be used for operations such as creating or deleting buckets. In short, user credentials have access to both data plane and management plane operations.
Bucket service account credentials
A bucket service account can be created to give long-lived programmatic access to specific buckets. A given bucket service account only has access to the buckets it is configured for, and only within the project in which it was created. Additionally, a bucket service account only has access to data plane operations, meaning that these credentials cannot be used to, for example, create or delete buckets.
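As an added illustration (not the Object Storage service's own authorization code), the following Python models the two credential types and the rules above as a deny-by-default access check. The credential classes, the operation names, the `is_allowed` function and the `expires_at` field used to model short-lived user credentials are all constructed for this example.

```python
import time
from dataclasses import dataclass

# Operation names are constructed for this example; the split by plane follows the text:
# bucket service accounts get data-plane operations only, user credentials get both.
DATA_PLANE = {"get_object", "put_object", "delete_object", "list_objects"}
MANAGEMENT_PLANE = {"create_bucket", "delete_bucket"}

@dataclass
class Bucket:
    name: str
    project: str  # the project the bucket belongs to (or, for create_bucket, is created in)

@dataclass
class UserCredential:
    # Hypothetical model of a human user's short-lived credential.
    projects: set          # projects the user can access
    expires_at: float      # UNIX timestamp; short-lived tokens must be checked for expiry

@dataclass
class BucketServiceAccount:
    # Hypothetical model of a long-lived credential bound to one project and listed buckets.
    project: str           # the project the account was created in
    buckets: set           # names of the buckets it was granted access to

def is_allowed(cred, operation, bucket, now=None):
    """Return True if `cred` may perform `operation` on `bucket` (deny by default)."""
    now = time.time() if now is None else now
    if operation not in DATA_PLANE and operation not in MANAGEMENT_PLANE:
        return False  # unknown operation: deny
    if isinstance(cred, UserCredential):
        if now >= cred.expires_at:
            return False  # short-lived credential has expired
        # Both planes, but only within the projects the user can access.
        return bucket.project in cred.projects
    if isinstance(cred, BucketServiceAccount):
        if operation in MANAGEMENT_PLANE:
            return False  # data plane only: no bucket create/delete
        # Only the configured buckets, and only in the account's own project.
        return bucket.name in cred.buckets and bucket.project == cred.project
    return False  # unrecognised credential type

if __name__ == "__main__":
    sa = BucketServiceAccount(project="proj-a", buckets={"logs"})
    print(is_allowed(sa, "put_object", Bucket("logs", "proj-a")))      # True
    print(is_allowed(sa, "delete_bucket", Bucket("logs", "proj-a")))   # False
```

Checks like this are also a convenient way to write policy tests: each rule in the text (project scope, configured buckets, data plane only, expiry) becomes one assertion.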