Contents x
S3-Compatible App Keys
    • Print
    • Dark
      Light
    Contents

    S3-Compatible App Keys

      • Print
      • Dark
        Light
      Article Summary

      As with the Backblaze B2 Cloud Storage Native API, the capabilities of an application key (app key) give you access to the S3-Compatible API.

      For the purposes of terminology, the app key and app key ID are the equivalent of the secret access key and access key ID respectively. For more information about app keys, click here.

      For all of the Backblaze API operations and their corresponding documentation, see API Documentation.

      App Key Restrictions

      The master app key that is automatically created by the system is not supported in the S3-Compatible API. You must manually create app keys in the Backblaze web UI or the B2 Native API to authenticate the S3-Compatible API.

      If an app key is restricted to a bucket, the listAllBucketNames permission is required for compatibility with SDKs and integrations. You can enable the listAllBucketNames permission in the Backblaze web UI or use the b2_create_key API call.

      As a general rule, you should include both the writeFiles and deleteFiles capabilities for the Delete Object and Delete Objects calls. The writeFiles permission is necessary when you delete a file by name, and the deleteFiles permission is required when you delete a specific version.

      The S3-Compatible API does not support unauthenticated ListObject calls on public buckets.

      S3-Compatible App Key Capabilities

      The following table lists the capabilities for the S3-Compatible API:

      listBuckets

      This operation lists the buckets in the account or verify whether they exist.

      If an app key is restricted to one bucket, listing the buckets requires the listAllBucketNames capability.

      The operation provides access to the following APIs:

      • List Buckets
      • Head Bucket
      listAllBucketNames

      This operation lists the buckets that are in the account even if the app key is restricted to one bucket.

      The operation provides access to the following API:

      • List Buckets
      readBuckets

      This operation lets you read additional information about a bucket such as access control lists (ACLs), location, and versioning.

      The operation provides access to the following APIs:

      • Get Bucket ACL
      • Get Bucket Cors
      • Get Bucket Location
      • Get Bucket Versioning
      writeBuckets

      This operation lets you create new buckets in the account. You can also update the bucket type, bucket information, and the Lifecycle Rules for a bucket.

      Writing buckets is not allowed for the app keys that are restricted to a bucket.

      The operation provides access to the following APIs:

      • Create Bucket
      • Delete Bucket Cors
      • Put Bucket ACL
      • Put Bucket Cors
      • Put Bucket Versioning
      • Put Object ACL
      deleteBuckets

      This operation lets you delete any bucket in the account.

      Deleting buckets is not allowed for app keys that are restricted to a bucket.

      The operation provides access to the following API:

      • Delete Bucket
      readBucketEncryption

      This operation lets you read the default encryption settings on a bucket.

      The operation provides access to the following API:

      • Get Bucket Encryption
      writeBucketEncryption

      This operation lets you enable or disable the default encryption on a bucket.

      The operation provides access to the following APIs:

      • Delete Bucket Encryption
      • Put Bucket Encryption
      readBucketRetentions

      This operation lets you read the Object Lock configuration on a bucket.

      The operation provides access to the following API:

      • Get Object Lock Configuration
      writeBucketRetentions

      This operation lets you enable Object Lock or update the default lock mode and time period on a bucket.

      This operation also provides additional access in the Create Bucket API to enable Object Lock during creation.

      The operation provides access to the following API:

      • Put Object Lock Configuration
      listFiles

      This operation lists the metadata for your objects. Metadata includes the file name, file ID, file information, size, and content type.

      For app keys that are restricted to a bucket, only the files that are in that bucket can be listed.

      For app keys that are restricted to a file name prefix, a you must include a matching prefix in the list request. You can supply the same prefix as in the app key, or a more restrictive prefix.

      The operation provides access to the following APIs:

      • List Multipart Uploads
      • List Objects
      • List Objects V2
      • List Object Versions
      readFiles

      This operation lets you view the metadata for files and download their contents. Metadata includes the file name, file ID, file info, size, and content type.

      For app keys that are restricted to a bucket, only the files that are in that bucket can be downloaded.

      For app keys that are restricted to a file name prefix, only the files that have a name that begins with that prefix can be downloaded.

      The operation provides access to the following APIs:

      • Copy Object
      • Get Object
      • Get Object ACL
      • Head Object
      writeFiles

      This operation lets you upload files to Backblaze B2, including both regular files and large files.

      For app keys that are restricted to a bucket, you can upload only the files that are in that bucket.

      For app keys that are restricted to a file name prefix, only the files that have a name that begins with a prefix can be uploaded.

      The operation provides access to the following APIs:

      • Abort Multipart Upload
      • Complete Multipart Upload
      • Copy Object
      • Create Multipart Upload
      • List Parts
      • Put Object
      • Put Object ACL
      • Upload Part
      deleteFiles

      This operation lets you delete files.

      For app keys that are restricted to a bucket, only the files in that bucket can be deleted.

      For app keys that are restricted to a file name prefix, only the files that have a name that begins with a prefix can be deleted.

      The operation provides access to the following APIs:

      • Delete Object
      • Delete Objects
      readFileRetentions

      This operation lets you view the Object Lock settings (mode and expiration) on an object.

      These objects must be located in a bucket that has Object Lock enabled.

      The operation provides access to the following API:

      • Get Object Retention
      writeFileRetentions

      This operation lets you update the Object Lock settings (mode and expiration) on an object.

      These objects must be located in a bucket that has Object Lock enabled.

      The operation provides access to the following API:

      • Put Object Retention
      bypassGovernance

      This operation lets you delete governance mode-locked files. It also allows you to shorten governance mode expiration times and to switch governance mode to compliance mode.

      The operation provides access to the following APIs:

      • Delete Object
      • Delete Objects
      • Put Object Retention
      readFileLegalHolds

      This operation lets you view the Object Lock settings (legal hold status) of an object.

      These objects must be located in a bucket that has Object Lock enabled.

      The operation provides access to the following API:

      • Get Object Legal Hold
      writeFileLegalHolds

      This operation lets you update the Object Lock settings (legal hold status) of an object.

      These objects must be located in a bucket that has Object Lock enabled.

      The operation provides access to the following API:

      • Put Object Legal Hold
      Was this article helpful?
      Related articles
      What's Next