Bucket Policies
Bucket access in IBEE Object Storage is controlled through two mechanisms:
- Public Access — a bucket-level toggle that exposes objects unauthenticated via a Public Access URL.
- API Credentials — programmatic access scoped to a permission level and a set of buckets.
For browser-based cross-origin access, see CORS. For Object Lock retention, see Objects → Locking.
Public access
Enabling Public Access allows objects in the bucket to be served unauthenticated via a Public Access URL.
Enable Public Access
Toggle Public Access from Disabled to Enabled. A confirmation toast appears: “Bucket access changed to public”.
Enable the Public Access URL
The Public Access URL section becomes active but no URL is assigned automatically — it shows “No Public Access URL is assigned to this bucket.”
Click Enable in the top-right of the Public Access URL card to assign a URL to the bucket.
Copy the URL. Objects are then accessible at:
Enabling Public Access makes all objects in the bucket readable without authentication. Only enable this for buckets intended for public content.
If Public Access is disabled, the Public Access URL section shows: “Please enable public access in General to use the Public Access URL.”
To serve from your own hostname instead of the assigned Public Access URL, see Custom Domains — the bucket must be public to register a custom domain.
API Credential access
For programmatic access via the REST API, AWS CLI, rclone, or any S3-compatible tool, use an API credential scoped to Object Storage. A credential provides:
- Bearer Token — for the IBEE REST API
- Access Key ID + Secret Access Key — for S3-compatible tools
- S3 Endpoint —
https://{workspaceId}.blob.ibeestorage.com
Permission levels
Each credential is created with one Object Storage permission level:
Bucket scoping
Credentials can apply to:
- All buckets in this organization (including newly created buckets) — the simplest option for application-wide access.
- Specific buckets only — pick one or more buckets the credential can access.
This is the bucket-level access boundary: a credential scoped to bucket A cannot read or write to bucket B.
Best practices
- Default to private. Only enable Public Access on buckets that genuinely serve public content (websites, media, downloads).
- Use one credential per application or environment with the narrowest permission level and bucket scope that works.
- Rotate credentials by creating a new credential, switching applications to use it, then revoking the old one. The Secret Access Key is shown only once — store it securely.
- Separate buckets for prod / staging / dev rather than relying on prefix-based separation alone.
