Skip to content

Commit

Permalink
Add documentation on creating R2 API tokens via API (#15711)
Browse files Browse the repository at this point in the history
* Add documentation on creating R2 API tokens via API

* Removed Account resource type description, collapsed permission group tables

* Moving temp access credentials to the bottom
  • Loading branch information
jonesphillip authored Jul 19, 2024
1 parent 0cdf212 commit 7a5c8f6
Showing 1 changed file with 126 additions and 1 deletion.
127 changes: 126 additions & 1 deletion content/r2/api/s3/tokens.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,11 +47,136 @@ Jurisdictional buckets can only be accessed via the corresponding jurisdictional

| Permission | Description |
|------------|-------------|
| Admin Read and Write | Allows the ability to create, list and delete buckets, and edit bucket configurations in addition to list, write, and read object access. |
| Admin Read & Write | Allows the ability to create, list and delete buckets, and edit bucket configurations in addition to list, write, and read object access. |
| Admin Read only | Allows the ability to list buckets and view bucket configuration in addition to list and read object access. |
| Object Read & Write | Allows the ability to read, write, and list objects in specific buckets. |
| Object Read only | Allows the ability to read and list objects in specific buckets. |

## Create API tokens via API

You can create API tokens via the API and use them to generate corresponding Access Key ID and Secret Access Key values. To get started, refer to [Create API tokens via the API](/fundamentals/api/how-to/create-via-api/). Below are the specifics for R2.

### Access Policy

An Access Policy specifies what resources the token can access and the permissions it has.

#### Resources

There are two relevant resource types for R2: `Account` and `Bucket`. For more information on the Account resource type, refer to [Account](/fundamentals/api/how-to/create-via-api/#account).

##### Bucket

Include a set of R2 buckets or all buckets in an account.

A specific bucket is represented as:

```json
"com.cloudflare.edge.r2.bucket.<ACCOUNT_ID>_<JURISDICTION>_<BUCKET_NAME>": "*"
```

- `ACCOUNT_ID`: Refer to [Find zone and account IDs](/fundamentals/setup/find-account-and-zone-ids/#find-account-id-workers-and-pages).
- `JURISDICTION`: The [jurisdiction](/r2/reference/data-location/#available-jurisdictions) where the R2 bucket lives. For buckets not created in a specific jurisdiction this value will be `default`.
- `BUCKET_NAME`: The name of the bucket your Access Policy applies to.

All buckets in an account are represented as:

```json
"com.cloudflare.api.account.<ACCOUNT_ID>": {
"com.cloudflare.edge.r2.bucket.*": "*"
}
```

- `ACCOUNT_ID`: Refer to [Find zone and account IDs](/fundamentals/setup/find-account-and-zone-ids/#find-account-id-workers-and-pages).

#### Permission groups

Determine what [permission groups](/fundamentals/api/how-to/create-via-api/#permission-groups) should be applied. There are four relevant permission groups for R2.

<table>
<tbody>
<th colspan="5" rowspan="1">
Permission group
</th>
<th colspan="5" rowspan="1">
Resource
</th>
<th colspan="5" rowspan="1">
Permission
</th>
<tr>
<td colspan="5" rowspan="1">
<code>Workers R2 Storage Write</code>
</td>
<td colspan="5" rowspan="1">
Account
</td>
<td colspan="5" rowspan="1">
Admin Read & Write
</td>
</tr>
<tr>
<td colspan="5" rowspan="1">
<code>Workers R2 Storage Read</code>
</td>
<td colspan="5" rowspan="1">
Account
</td>
<td colspan="5" rowspan="1">
Admin Read only
</td>
</tr>
<tr>
<td colspan="5" rowspan="1">
<code>Workers R2 Storage Bucket Item Write</code>
</td>
<td colspan="5" rowspan="1">
Bucket
</td>
<td colspan="5" rowspan="1">
Object Read & Write
</td>
</tr>
<tr>
<td colspan="5" rowspan="1">
<code>Workers R2 Storage Bucket Item Read</code>
</td>
<td colspan="5" rowspan="1">
Bucket
</td>
<td colspan="5" rowspan="1">
Object Read only
</td>
</tr>
</tbody>
</table>

#### Example Access Policy

```json
[
{
"id": "f267e341f3dd4697bd3b9f71dd96247f",
"effect": "allow",
"resources": {
"com.cloudflare.edge.r2.bucket.4793d734c0b8e484dfc37ec392b5fa8a_default_my-bucket": "*",
"com.cloudflare.edge.r2.bucket.4793d734c0b8e484dfc37ec392b5fa8a_eu_my-eu-bucket": "*"
},
"permission_groups": [
{
"id": "6a018a9f2fc74eb6b293b0c548f38b39",
"name": "Workers R2 Storage Bucket Item Read"
}
]
}
]
```

### Get S3 API credentials from an API token

You can get the Access Key ID and Secret Access Key values from the response of the [Create Token](/api/operations/user-api-tokens-create-token) API:
- Access Key ID: The `id` of the API token.
- Secret Access Key: The SHA-256 hash of the API token `value`.

## Temporary access credentials

If you need to create temporary credentials for a bucket or a prefix/object within a bucket, you can use the [temp-access-credentials endpoint](/api/operations/r2-create-temp-access-credentials) in the API. You will need an existing R2 token to pass in as the parent access key id. You can use the credentials from the API result for an S3-compatible request by setting the credential variables like so:
Expand Down

0 comments on commit 7a5c8f6

Please sign in to comment.