S3-Compatible App Keys
As with the Backblaze B2 Cloud Storage Native API, the capabilities of an application key (app key) give you access to the S3-Compatible API.
For the purposes of terminology, the app key and app key ID are the equivalent of the secret access key and access key ID respectively. For more information about app keys, click here.
App Key Restrictions
The master app key that is automatically created by the system is not supported in the S3-Compatible API. You must manually create app keys in the Backblaze web UI or the B2 Native API to authenticate the S3-Compatible API.
If an app key is restricted to a bucket, the listAllBucketNames permission is required for compatibility with SDKs and integrations. You can enable the listAllBucketNames permission in the Backblaze web UI or use the b2_create_key API call.
As a general rule, you should include both the writeFiles and deleteFiles capabilities for the Delete Object and Delete Objects calls. The writeFiles permission is necessary when you delete a file by name, and the deleteFiles permission is required when you delete a specific version.
The S3-Compatible API does not support unauthenticated ListObject calls on public buckets.
S3-Compatible App Key Capabilities
The following table lists the capabilities for the S3-Compatible API:
listBuckets | This operation lists the buckets in the account or verifies whether they exist. If an app key is restricted to one bucket, listing the buckets requires the The operation provides access to the following APIs:
|
listAllBucketNames | This operation lists the buckets that are in the account even if the app key is restricted to one bucket. The operation provides access to the following API:
|
readBuckets | This operation lets you read additional information about a bucket such as access control lists (ACLs), location, and versioning. The operation provides access to the following APIs:
|
writeBuckets | This operation lets you create new buckets in the account. You can also update the bucket type, bucket information, and the Lifecycle Rules for a bucket. Writing buckets is not allowed for the app keys that are restricted to a bucket. The operation provides access to the following APIs:
|
deleteBuckets | This operation lets you delete any bucket in the account. Deleting buckets is not allowed for app keys that are restricted to a bucket. The operation provides access to the following API:
|
readBucketEncryption | This operation lets you read the default encryption settings on a bucket. The operation provides access to the following API:
|
writeBucketEncryption | This operation lets you enable or disable the default encryption on a bucket. The operation provides access to the following APIs:
|
readBucketRetentions | This operation lets you read the Object Lock configuration on a bucket. The operation provides access to the following API:
|
writeBucketRetentions | This operation lets you enable Object Lock or update the default lock mode and time period on a bucket. This operation also provides additional access in the Create Bucket API to enable Object Lock during creation. The operation provides access to the following API:
|
listFiles | This operation lists the metadata for your objects. Metadata includes the file name, file ID, file information, size, and content type. For app keys that are restricted to a bucket, only the files that are in that bucket can be listed. For app keys that are restricted to a file name prefix, you must include a matching prefix in the list request. You can supply the same prefix as in the app key, or a more restrictive prefix. The operation provides access to the following APIs:
|
readFiles | This operation lets you view the metadata for files and download their contents. Metadata includes the file name, file ID, file info, size, and content type. For app keys that are restricted to a bucket, only the files that are in that bucket can be downloaded. For app keys that are restricted to a file name prefix, only the files that have a name that begins with that prefix can be downloaded. The operation provides access to the following APIs:
|
writeFiles | This operation lets you upload files to Backblaze B2, including both regular files and large files. For app keys that are restricted to a bucket, you can upload only the files that are in that bucket. For app keys that are restricted to a file name prefix, only the files that have a name that begins with that prefix can be uploaded. The operation provides access to the following APIs:
|
deleteFiles | This operation lets you delete files. For app keys that are restricted to a bucket, only the files in that bucket can be deleted. For app keys that are restricted to a file name prefix, only the files that have a name that begins with that prefix can be deleted. The operation provides access to the following APIs:
|
readFileRetentions | This operation lets you view the Object Lock settings (mode and expiration) on an object. These objects must be located in a bucket that has Object Lock enabled. The operation provides access to the following API:
|
writeFileRetentions | This operation lets you update the Object Lock settings (mode and expiration) on an object. These objects must be located in a bucket that has Object Lock enabled. The operation provides access to the following API:
|
bypassGovernance | This operation lets you delete governance mode-locked files. It also allows you to shorten governance mode expiration times and to switch governance mode to compliance mode. The operation provides access to the following APIs:
|
readFileLegalHolds | This operation lets you view the Object Lock settings (legal hold status) of an object. These objects must be located in a bucket that has Object Lock enabled. The operation provides access to the following API:
|
writeFileLegalHolds | This operation lets you update the Object Lock settings (legal hold status) of an object. These objects must be located in a bucket that has Object Lock enabled. The operation provides access to the following API:
|
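The restrictions and capability notes above can be checked before a key is issued or handed to an integration. The following is an added example, not Backblaze code: the key record shape (keyName, bucketId, capabilities), the isMaster flag, the needs_delete parameter, and the sample keys are assumptions constructed for illustration.

```python
# Added example: audit app-key definitions against the S3-Compatible API rules above.
# The record shape, the isMaster flag and the sample keys are assumptions (constructed).

ACCOUNT_WIDE_ONLY = {"writeBuckets", "deleteBuckets"}  # not allowed on bucket-restricted keys
DELETE_PAIR = {"writeFiles", "deleteFiles"}            # delete by name / delete a version


def audit_key(key, needs_delete=False):
    """Return sorted findings for one key; an empty list means no rule is violated."""
    caps = set(key.get("capabilities", []))
    restricted = key.get("bucketId") is not None
    findings = []
    if key.get("isMaster"):
        # The master app key is not supported by the S3-Compatible API.
        findings.append("master-key-unsupported")
    if restricted:
        if "listAllBucketNames" not in caps:
            # SDKs and integrations need this on bucket-restricted keys.
            findings.append("missing:listAllBucketNames")
        findings += [f"not-allowed-when-restricted:{c}" for c in caps & ACCOUNT_WIDE_ONLY]
    if needs_delete or "deleteFiles" in caps:
        # Delete Object / Delete Objects should have both capabilities.
        findings += [f"delete-needs:{c}" for c in DELETE_PAIR - caps]
    if "bypassGovernance" in caps:
        # Lets the holder delete governance mode-locked files; confirm it is intended.
        findings.append("review:bypassGovernance")
    return sorted(findings)


SAMPLE_KEYS = [  # constructed inputs: (key record, needs_delete)
    ({"keyName": "backup-writer", "bucketId": "BUCKET_ID_PLACEHOLDER",
      "capabilities": ["listFiles", "readFiles", "writeFiles"]}, False),
    ({"keyName": "pruner", "bucketId": "BUCKET_ID_PLACEHOLDER",
      "capabilities": ["listAllBucketNames", "listFiles", "deleteFiles",
                       "bypassGovernance"]}, True),
    ({"keyName": "bucket-admin", "bucketId": "BUCKET_ID_PLACEHOLDER",
      "capabilities": ["listAllBucketNames", "writeBuckets", "deleteBuckets"]}, False),
    ({"keyName": "sync-tool", "bucketId": "BUCKET_ID_PLACEHOLDER",
      "capabilities": ["listAllBucketNames", "listFiles", "readFiles",
                       "writeFiles", "deleteFiles"]}, True),
    ({"keyName": "master", "bucketId": None, "isMaster": True,
      "capabilities": ["listBuckets", "writeFiles", "deleteFiles"]}, False),
]


def audit_all(keys=SAMPLE_KEYS):
    """Map each key name to its findings."""
    return {k["keyName"]: audit_key(k, nd) for k, nd in keys}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```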