Logo
ScallerFox Docs
Back to Home
ScallerFox Docs

Access Keys & Policies

Manage S3 access credentials and IAM-style policies to control who can access your storage and what they can do.

Access Keys

Access keys are S3-compatible credentials that authenticate your requests. Each key consists of an Access Key ID and a Secret Key — similar to AWS IAM credentials.

You can create multiple access keys for different purposes: one for your production app, one for development, one for a specific team member.

Creating Access Keys

  1. Go to your Object Storage subscription → Access Keys tab
  2. Click Create Access Key
  3. Enter a description (e.g., "Production app", "Dev laptop")
  4. Optionally set an expiration date
  5. Select which policies to attach (at least one required)
  6. Click Create — the Secret Key is shown only once, copy it immediately

Important: The Secret Key is displayed only once when the key is created. Store it securely — it cannot be retrieved again. If lost, revoke the key and create a new one.

Access Policies

Policies define what an access key can do. ScallerFox uses AWS IAM-style policies: JSON documents with Effect, Action, and Resource.

Pre-Defined Policies

FullAccess

Read, write, and delete all objects in all buckets. Use for admin access.

ReadOnly

GetObject, HeadObject, ListBucket. Use for public-facing read-only access.

WriteOnly

PutObject, multipart, CopyObject, ListBucket. Use for upload-only access.

DeleteAccess

DeleteObject, DeleteObjects. Use for cleanup/automation tasks.

Custom Policies

Create custom policies for fine-grained control. Limit access to specific buckets and path prefixes.

Example: Read-Only on Specific Bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:HeadObject", "s3:ListBucket"],
      "Resource": ["arn:sf:s3:subscription:SUB_ID/bucket:my-bucket/prefix:*"]
    }
  ]
}

Example: Write to Specific Folder Only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:sf:s3:subscription:SUB_ID/bucket:my-bucket/prefix:uploads/"]
    }
  ]
}

Policy Evaluation

When an access key has multiple policies, the evaluation follows these rules:

  1. Deny wins over Allow. If any policy explicitly denies an action, access is denied.
  2. Explicit Allow is required. No policy = no access by default.
  3. All attached policies are evaluated. The union of allowed actions across all policies determines what the key can do.

Revoking Access Keys

To revoke an access key (disable it immediately), go to Access Keys tab → click the Revoke button next to the key. The key is deactivated instantly — any requests using it will be rejected.

Warning: Revoking a key is immediate and irreversible. Any application using that key will lose access immediately.