Bucket Policies


Bucket access in IBEE Object Storage is controlled through two mechanisms:

  • Public Access — a bucket-level toggle that exposes objects unauthenticated via a Public Access URL.
  • API tokens — programmatic access scoped to a permission level and a set of buckets.

For browser-based cross-origin access, see CORS. For Object Lock retention, see Objects → Locking.

Public access

Enabling Public Access allows objects in the bucket to be served unauthenticated via a Public Access URL.

1. Open General settings

   Open your bucket → click Settings → click the General tab.

2. Enable Public Access

   Toggle Public Access from Disabled to Enabled. A confirmation toast appears: “Bucket access changed to public”.

3. Enable the Public Access URL

   The Public Access URL section becomes active but no URL is assigned automatically — it shows “No Public Access URL is assigned to this bucket.”

   Click Enable in the top-right of the Public Access URL card to assign a URL to the bucket.

   Copy the URL. Objects are then accessible at:

https://<public-access-url>/<object-key>

Enabling Public Access makes all objects in the bucket readable without authentication. Only enable this for buckets intended for public content.

If Public Access is disabled, the Public Access URL section shows: “Please enable public access in General to use the Public Access URL.”

To serve from your own hostname instead of the assigned Public Access URL, see Custom Domains — the bucket must be public to register a custom domain.

API token access

For programmatic access via the REST API, AWS CLI, rclone, or any S3-compatible tool, use an API token scoped to Object Storage. A token provides:

  • Bearer Token — for the IBEE REST API
  • Access Key ID + Secret Access Key — for S3-compatible tools
  • S3 Endpoint — https://{project_id}.blob.ibeestorage.com

Permission levels

Each token is created with one Object Storage permission level:

| Permission | What it allows |
| --- | --- |
| Admin Read & Write | Create, list, delete buckets, edit bucket configuration, read, write, and list objects. |
| Admin Read only | List buckets, view configuration, read and list objects. |
| Object Read & Write | Read, write, and list objects in specific buckets. |
| Object Read only | Read and list objects in specific buckets. |

Bucket scoping

Tokens can apply to:

  • All buckets in this project (including newly created buckets) — the simplest option for application-wide access.
  • Specific buckets only — pick one or more buckets the token can access.

This is the bucket-level access boundary: a token scoped to bucket A cannot read or write to bucket B.

Create an API token →

Best practices

  • Default to private. Only enable Public Access on buckets that genuinely serve public content (websites, media, downloads).
  • Use one token per application or environment with the narrowest permission level and bucket scope that works.
  • Rotate tokens by creating a new token, switching applications to use it, then revoking the old one. The Secret Access Key is shown only once — store it securely.
  • Separate buckets for prod / staging / dev rather than relying on prefix-based separation alone.
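
One way to check a token inventory against the permission table and the practices above. This is an added example, not IBEE code: the page documents no token-listing API, so the inventory is a hand-maintained list, and the operation labels, token names and bucket names are constructed for illustration.

```python
# Added example: audit a hand-maintained token inventory against the
# permission table and best practices on this page (all names constructed).
LEVELS = {  # ordered narrowest to broadest
    "Object Read only": {"object:read", "object:list"},
    "Object Read & Write": {"object:read", "object:write", "object:list"},
    "Admin Read only": {"bucket:list", "config:view", "object:read", "object:list"},
    "Admin Read & Write": {  # config:view assumed implied by "edit configuration"
        "bucket:create", "bucket:list", "bucket:delete", "config:edit",
        "config:view", "object:read", "object:write", "object:list"},
}
ALL_BUCKETS = "*"  # stands for "All buckets in this project"

def narrowest_level(needed_ops):
    """Return the narrowest level whose operations cover needed_ops."""
    for name, ops in LEVELS.items():
        if set(needed_ops) <= ops:
            return name
    raise ValueError(f"no level grants {sorted(needed_ops)}")

def audit(tokens):
    """Return sorted (token name, finding) pairs."""
    findings = []
    for t in tokens:
        best = narrowest_level(t["needed_ops"])
        if not set(t["needed_ops"]) <= LEVELS[t["level"]]:
            findings.append((t["name"], f"level lacks needed operations; use '{best}'"))
        elif t["level"] != best:
            findings.append((t["name"], f"level grants more than needed; use '{best}'"))
        if t["scope"] == ALL_BUCKETS:
            findings.append((t["name"], "scope covers all buckets, including new ones"))
        elif set(t["scope"]) - set(t["needed_buckets"]):
            extra = sorted(set(t["scope"]) - set(t["needed_buckets"]))
            findings.append((t["name"], f"unneeded buckets in scope: {extra}"))
        if len(set(t["envs"])) > 1:
            findings.append((t["name"], "shared across environments"))
    return sorted(findings)

TOKENS = [  # constructed inventory
    {"name": "web-prod", "level": "Admin Read & Write", "scope": ALL_BUCKETS,
     "needed_ops": {"object:read", "object:list"},
     "needed_buckets": ["site-prod"], "envs": ["prod"]},
    {"name": "ci-upload", "level": "Object Read & Write",
     "scope": ["builds-staging", "site-prod"], "needed_ops": {"object:write"},
     "needed_buckets": ["builds-staging"], "envs": ["staging", "prod"]},
    {"name": "reports-ro", "level": "Object Read only", "scope": ["reports-prod"],
     "needed_ops": {"object:read"}, "needed_buckets": ["reports-prod"], "envs": ["prod"]},
]
```

Calling `audit(TOKENS)` returns four findings for `web-prod` and `ci-upload` and none for `reports-ro`.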

Related

  • Buckets
  • API Tokens
  • CORS
  • Custom Domains
  • Objects → Locking