Working with S3 Keys
On the vStorage system, an S3 key is a key pair, consisting of an access key and a secret key, that is integrated by vStorage and compatible with S3 client tools such as s3cmd, the S3 SDKs, and others.
To initialize an S3 key with the Root User Account, follow the instructions below:
Log in to https://vstorage.console.vngcloud.vn with the Root User Account.
Select Region HCM04.
Select the icon in the project you just created and then select Identity and Access Management.
Under List of S3 keys of this project, select Generate S3 key.
Select Copy or Download to save the Access Key/Secret Key information you just generated.
Attention:
After you generate the S3 key, you need to save the Access Key/Secret Key pair for use. If you do not save it at this point, you will not be able to retrieve the Secret Key of this Access Key later.
The S3 key initialized by the Root User Account will have full access/operation rights on the buckets of this project.
To initialize an S3 key with an IAM User Account, follow the instructions below:
Log in to https://vstorage.console.vngcloud.vn with your IAM User Account.
Select Region HCM04.
Select the icon in the project you just created and then select Identity and Access Management.
Under List of S3 keys of this project, select Generate S3 key.
Select Copy or Download to save the Access Key/Secret Key information you just generated.
Attention:
After you generate the S3 key, you need to save the Access Key/Secret Key pair for use. If you do not save it at this point, you will not be able to retrieve the Secret Key of this Access Key later.
S3 keys created by an IAM User Account will have access/operation rights on buckets/objects according to the permissions of that IAM User Account. For example, if your IAM User Account only has Read Object permission, then S3 keys created by this IAM User Account will also only have Read Object permission.
After you have successfully initialized the project and the S3 key, you can use third-party software to connect to and work with your project. Options include S3cmd, Cyberduck, Rclone, S3 Browser, MinIO Client, and others. In this document, we will guide you to connect S3 Browser with vStorage. S3 Browser is an optimized tool that allows you to share and upload your files. It has a relatively simple interface, is easy to use, and is compatible with the API of the vStorage storage service.
To integrate the S3 Browser tool with vStorage, you can follow the instructions below:
Download S3 Browser from https://s3browser.com/download.aspx.
Open the S3 Browser app. Select the Account folder, then select Add new account.
The Add New Account screen appears. Enter the following information:
Display name: Display name of the account. Example: Demo_HCM04
Account type: Select S3 Compatible Storage.
REST Endpoint: Path to vStorage. For Region HCM04 the path is hcm04.vstorage.vngcloud.vn
Access Key ID & Secret Access Key: This is the S3 key pair you generated in step 2 earlier.
Select the Use Secure transfer (SSL/TLS) option. To ensure data security, vStorage only supports encrypted transmission channels (HTTPS, port 443) and currently does not support unencrypted transmission channels (HTTP, port 80).
Select Add new account.
When the connection is successful, the S3 Browser screen will display as follows:
Below are instructions for some common use cases you can perform on S3 Browser:
Create / Delete bucket
Create and delete a bucket by selecting the New bucket button. Now enter the Bucket name and select Create new bucket.
Upload / Download file
After creating a bucket, select the bucket you want to upload/download files to. Next, select Upload/Download depending on your upload/download needs.
Create / Delete Folder
You can also create/delete folders by selecting New Folder or Delete.
Here are instructions for advanced features you can do on S3 Browser:
ACL
ACLs are a feature on S3 that allows you to control access permissions for each object in your S3 bucket. They define which users or groups of users can access the object and what actions they can perform, such as downloading, uploading, deleting, or overwriting the object.
To set up ACL for a bucket using S3 Browser, right-click on the bucket, then select Edit Permission (ACL). In the permission section, check the permissions you want to grant to the user. For more details, see https://s3browser.com/share-s3-bucket-edit-acls.aspx
SSE-S3
SSE-S3 (Server-Side Encryption with S3 Managed Keys) is a server-side data encryption feature provided by Amazon S3. With SSE-S3, your data is automatically encrypted when uploaded to S3 and automatically decrypted when you download it. To implement this feature on S3 Browser, you need to use S3 Browser Pro version. If your application does not currently support the implementation of the feature, please submit a request to use the feature via a ticket to VNGCloud. For more details, please visit https://s3browser.com/amazon-s3-server-side-encryption.aspx
SSE-C
SSE-C (Server-Side Encryption with Customer-Provided Keys) is a server-side data encryption feature provided by Amazon S3. Like SSE-S3, SSE-C encrypts your data automatically when it is uploaded to S3 and decrypts it automatically when you download it. However, with SSE-C, you provide and manage your own encryption keys, instead of using keys managed by AWS. To implement this feature on S3 Browser, you need to use S3 Browser Pro. If your application does not currently support the implementation of the feature, please submit a request to use the feature via a ticket to VNGCloud. For more details, please visit https://s3browser.com/amazon-s3-server-side-encryption.aspx
Object Locked
Object Lock is a feature that protects your data from being deleted or overwritten for a fixed period of time or indefinitely. It uses the WORM (Write Once, Read Many) model, which means that once an object is uploaded to S3 and locked, it cannot be deleted or changed by anyone, including the root user.
To set up Object Lock for a bucket using S3 Browser, you need to select the Enable S3 Object Lock option when creating the new bucket.
Next, when the bucket is successfully created, right-click on the bucket, then select Object Locked. You can set Object Lock in both Retention and Legal Hold modes through S3 Browser. For more details, please visit https://s3browser.com/amazon-s3-object-lock.aspx
Versioning
Versioning is a feature that supports storing multiple past versions of objects stored in a bucket. You can use versioning to save, retrieve, and restore any version of an object stored in your bucket. When versioning is enabled and you overwrite or delete an object, the object is not removed from the system; the deleted or overwritten object is kept as a previous version. From there, you can easily restore mistakenly deleted objects or download old versions of data when needed.
To set up Versioning for a bucket using S3 Browser, right-click on the bucket, then select Edit Versioning Settings. For more details, see https://s3browser.com/amazon-s3-versioning.aspx
Lifecycle rotation
Lifecycle rotation is a feature that manages the lifecycle of objects in a bucket. This feature allows you to automate actions such as deleting objects after a certain period of time.
To set up Lifecycle rotation for a bucket using S3 Browser, right-click on the bucket, then select Lifecycle Configuration. For more details, see https://s3browser.com/bucket-lifecycle-configuration.aspx
Lifecycle transit
Currently, on region HCM04, you can only create a Project with the Storage Class Instant Archive Type. Because there is only one storage class, the Lifecycle transit feature will not work at this time.
CORS
CORS (Cross-Origin Resource Sharing) is a security mechanism that allows websites hosted on one domain to access resources from another domain. When you use S3 to host static content and want to access that content from a website hosted on another domain, you need to configure CORS for your S3 bucket.
To set up CORS for a bucket using S3 Browser, right-click on the bucket, then select CORS Configuration. For more details, see https://s3browser.com/s3-bucket-cors-configuration.aspx
Public / Private bucket
Public buckets are a feature that allows users to share buckets publicly in the cloud. Users on the internet can access the bucket through a URL without having to authenticate to the system. Public access poses a security risk, so if your scenario does not require such access, we recommend that you do not enable public access to the bucket. At any point, if you no longer want the bucket to be public, you can make the bucket private.
To set a bucket to public using S3 Browser, right-click on the bucket, then select Public Access block Configuration. For more details, see https://s3browser.com/amazon-s3-public-access-block-configuration.aspx
Bucket policy
A Bucket Policy is a type of access policy used to control access to a specific S3 bucket. It allows you to define which users or groups can access the bucket and what operations they can perform, such as uploading, downloading, deleting, or listing objects in the bucket.
To set up a bucket policy using S3 Browser, right-click on the bucket, then select Edit Bucket Policy. For more details, see https://s3browser.com/working-with-amazon-s3-bucket-policies.aspx?v=11.7.5&fam=x64#amazon-s3-bucket-policies-examples
To cancel (delete) one or more previously created S3 keys, follow the instructions below:
Log in to https://vstorage.console.vngcloud.vn with the Root User Account or an IAM User Account.
Select Region HCM04.
Select the icon in the project you just created and then select Identity and Access Management.
In List of S3 keys of this project, select the S3 key you want to delete and then select Delete.
Once the S3 key is successfully cancelled, you will no longer be able to use this S3 key to access vStorage. Be careful when cancelling (deleting) an S3 account as you will not be able to recover this deleted account.