R2 Token per bucket

I have explored R2 functionality and noticed that there is no ability to create token with access to only specific R2 bucket.

Only option is to create token that permits access to all buckets inside account.

But how do I create a token with access to only one bucket?
With a microservice based architecture we want each service having access only to certain bucket.
So it means, that each small service will have access to all buckets in our infrastructure, which in unacceptable.

How do we handle it with Cloudflare R2 buckets? Is this topic addressed somehow?

Currently? You’d need to use a Worker which can be bound to a single bucket.

Bucket-scoped tokens are being discussed and would currently be a feature request.

Got it! Thank you!

Have just realized, that even if we use a worker and bound it to single bucket - it does not solve the situation when one single Token is compromised.

Attacker can use aws cli and has access to all our buckets!
Because aws cli uses internal api, it does not involve workers.

All buckets will be accessible with every compromised edit-access token.

1 Like

Workers don’t use a token at all so I don’t see how that’d happen?

They have native bindings to the bucket. The point would be that you use 0 tokens.

We might have token attached to elements of our infrastructure, for example in environment variables of some small microservice backend service.

We might have vds with shell access with those tokens saved in ~/.aws/credentials for bucket management.

Might also have it shared with developer. Developer will have access to all buckets then even if we do not want that.

I’m not saying that tokens wouldn’t give access to every bucket. I agree.

I’m saying with Workers, there are no tokens at all and you can scope to a single bucket or type of operation as much as you like.

It’s just the only way until bucket-scoped tokens are a thing.

1 Like

Understood, thank you!

Presigned URLs are on the way too so you could give your backup task a URL that it can use purely to upload and nothing else - should be landing in the near future.

ok, we get presigned URL using token, right?

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.