R2 permissions

Hello all,

I just signed up for the R2 beta and am looking forward to an S3 alternative.
However, I can’t seem to find a way to restrict access to a single bucket. Either it’s read all, or read/write all. This baffles me and I must be missing something?

Is there a way to restrict a key to read/write a single bucket, under S3 compatibility?
I’m not comfortable having a key in one site, which can read backups in another bucket.
It’s the same issue with DigitalOcean Spaces. Can it be true?

Greetings from Denmark.

Currently, you’re correct - tokens are currently account-wide and either read or full access.

Stuff like public buckets, presigned URLs, bucket-level tokens and whatnot are all on the way.

Currently the stop-gap would be using a Worker that you can bind to a single bucket and do any of that logic in there but that’s just for the interim.

Cloudflare doesn’t plan to lock you into using a Worker but rather whilst they add the functionality natively into R2, they are a good alternative.


Thank you for the quick reply.
Is the thought that the worker also emulates the S3 API?

But it sounds great, with alternatives. Especially for various downloadables at the edge.

Sort-of - the Workers route has native bindings much like KV or Durable Objects do.

Your bucket would be bound to the Worker and then you can do stuff like BUCKET.get(key) or BUCKET.put(key, object).

You can see the full options and documentation here: https://developers.cloudflare.com/r2/runtime-apis/

Eventually the Workers API is likely to have a lot more functionality than the S3 API since the S3 API has to stick to the S3 spec which doesn’t give a lot of room for flexibility or extensions that’d change existing behaviour but for now it’s mostly feature equivalent to the S3 API.
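
The stop-gap described in this thread, as an added example that is not code from any poster or from Cloudflare: a Worker bound to one bucket that checks separate read and write tokens before touching R2. The binding name `BUCKET` and the secret names `READ_TOKEN` and `WRITE_TOKEN` are assumptions.

```javascript
// Added example. BUCKET (R2 binding), READ_TOKEN and WRITE_TOKEN (secrets)
// are assumed names, configured on the Worker.
const OPS = new Map([["GET", "read"], ["HEAD", "read"], ["PUT", "write"], ["DELETE", "write"]]);

// Compare without stopping at the first mismatch; an unset secret never matches.
function safeEqual(token, secret) {
  if (typeof token !== "string" || typeof secret !== "string" || !secret) return false;
  let diff = token.length ^ secret.length;
  for (let i = 0; i < token.length; i++) {
    diff |= token.charCodeAt(i) ^ secret.charCodeAt(i % secret.length);
  }
  return diff === 0;
}

// Returns 200 when the request may proceed, otherwise the status to send back.
function decide(method, authHeader, secrets) {
  const op = OPS.get(method);
  if (!op) return 405;
  const header = authHeader || "";
  const token = header.startsWith("Bearer ") ? header.slice(7) : "";
  const canWrite = safeEqual(token, secrets.write);
  const canRead = safeEqual(token, secrets.read) || canWrite;
  if (!canRead) return 401;
  return op === "write" && !canWrite ? 403 : 200;
}

const worker = {
  async fetch(request, env) {
    const status = decide(request.method, request.headers.get("Authorization"),
      { read: env.READ_TOKEN, write: env.WRITE_TOKEN });
    if (status !== 200) return new Response(null, { status });
    // The binding only reaches this one bucket; the key is the raw URL path.
    const key = new URL(request.url).pathname.slice(1);
    if (!key) return new Response(null, { status: 400 });
    if (request.method === "PUT") {
      await env.BUCKET.put(key, request.body);
      return new Response(null, { status: 201 });
    }
    if (request.method === "DELETE") {
      await env.BUCKET.delete(key);
      return new Response(null, { status: 204 });
    }
    const object = request.method === "HEAD"
      ? await env.BUCKET.head(key) : await env.BUCKET.get(key);
    if (object === null) return new Response(null, { status: 404 });
    return new Response(object.body ?? null, { headers: { etag: object.httpEtag } });
  },
};
// As a module Worker, this object is the default export: export default worker;
```

A site holding only the read token for this Worker cannot write, and neither token can reach any other bucket in the account, because the Worker has no binding to them.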

Well, using S3 APIs for simple read and write and then building from there.
Looking forward to following it.

kotx/render on GitHub ("Cloudflare Worker to proxy and cache requests to R2") is a great example of using a Worker to serve files from R2, made by a member of the community.

Since Workers have access to the Cache API, you can store the responses in cache to save on read operations to your R2 bucket.

Thank you. I’ll play around with it.
