Access Keys

Each RGW user has one AWS-style credential pair: an access key ID and a secret key. The access key ID is stable (it does not change on rotation). The secret key can be rotated at any time using the renew_key endpoint, as long as the user is not locked.

View credentials

The secret key is masked in most API responses. The full, unmasked secret key is returned only immediately after:

  • Creating a new RGW user (POST /rgw/users)
  • Successfully rotating the key (POST /rgw/users/{id}/renew_key)

If you lose the secret key, rotate it to generate a new one.

Rotate the secret key

POST /rgw/users/{id}/renew_key
Authorization: Bearer <token>

Generates a new secret key for the user. The response includes the full RGW user object with the unmasked secret key so you can store it immediately.

{
  "id": "...",
  "name": "...",
  "access_key_id": "AKIAIOSFODNN7EXAMPLE",
  "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "locked": false,
  ...
}

The old secret key is immediately invalidated. Any application using the previous key must be updated before making further S3 requests.

Locked users cannot rotate keys

If the user has locked: true, the renew_key endpoint is a no-op — the existing key is returned unchanged. Unlock the user first (requires admin privileges).

Lock / unlock a user

The locked flag is a platform-level protection that prevents:

  • Key rotation (renew_key is a no-op while locked)
  • Deletion of the user

Locking is useful when you want to freeze credentials for compliance or incident-response purposes.

Requires platform-admin privileges.

Lock a user

PATCH /rgw/users/{id}
Authorization: Bearer <admin-token>
Content-Type: application/json

{ "locked": true }

Unlock a user

PATCH /rgw/users/{id}
Authorization: Bearer <admin-token>
Content-Type: application/json

{ "locked": false }

A non-admin request that includes the locked field receives 403 Forbidden.
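The rotation and lock semantics above fit together into one small client. The following Python example is added here and is not the platform's own SDK: it drives POST /rgw/users/{id}/renew_key and PATCH /rgw/users/{id} exactly as documented, treats a response with `locked: true` from renew_key as the no-op case, and maps a 403 on the locked field to a permission error. The base URL `https://api.example.invalid`, the in-memory `FakeRgwApi` transport, the token strings and the user record are constructed for the demonstration so it runs offline; point `RgwKeyClient` at the real API by omitting the `transport` argument.

```python
"""Rotate and lock RGW user keys (added example, not the platform's own code)."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# A transport is (method, url, headers, body) -> (status, response_bytes).
Transport = Callable[[str, str, dict, Optional[bytes]], tuple]


def urllib_transport(method, url, headers, body):
    """Default transport: real HTTP via urllib."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class RotationSkipped(Exception):
    """renew_key returned the existing key because the user is locked."""


def mask(secret: str) -> str:
    """Show only the last four characters of a secret when logging it."""
    return "*" * (len(secret) - 4) + secret[-4:]


class RgwKeyClient:
    def __init__(self, base_url: str, token: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport

    def _call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, raw = self.transport(method, self.base_url + path, headers, data)
        return status, (json.loads(raw) if raw else {})

    def renew_key(self, user_id: str) -> dict:
        """Rotate the secret; the unmasked key is only in this response, so store it now."""
        status, user = self._call("POST", f"/rgw/users/{user_id}/renew_key")
        if status != 200:
            raise RuntimeError(f"renew_key failed with HTTP {status}")
        if user.get("locked"):
            raise RotationSkipped(user_id)  # no-op: existing key returned unchanged
        return {"access_key_id": user["access_key_id"], "secret_key": user["secret_key"]}

    def set_locked(self, user_id: str, locked: bool) -> bool:
        """Lock or unlock a user; needs a platform-admin token."""
        status, _ = self._call("PATCH", f"/rgw/users/{user_id}", {"locked": locked})
        if status == 403:
            raise PermissionError("setting the locked field requires a platform-admin token")
        return status == 200


class FakeRgwApi:
    """Constructed in-memory stand-in for the API, used only so the example runs offline."""
    ADMIN_TOKEN = "admin-token"  # constructed value

    def __init__(self):
        self.users = {"u1": {"id": "u1", "name": "alice", "access_key_id": "AKIAIOSFODNN7EXAMPLE",
                             "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "locked": False}}

    def __call__(self, method, url, headers, body):
        parts = urllib.parse.urlparse(url).path.strip("/").split("/")  # rgw/users/{id}[/renew_key]
        user = self.users.get(parts[2]) if len(parts) >= 3 else None
        if user is None:
            return 404, b'{"error": "not found"}'
        if method == "POST" and parts[-1] == "renew_key":
            if not user["locked"]:
                user["secret_key"] = secrets.token_urlsafe(30)
            return 200, json.dumps(user).encode()  # unmasked only here
        if method == "PATCH" and len(parts) == 3:
            payload = json.loads(body)
            if "locked" in payload and headers.get("Authorization") != f"Bearer {self.ADMIN_TOKEN}":
                return 403, b'{"error": "forbidden"}'
            user.update(payload)
            return 200, json.dumps({**user, "secret_key": mask(user["secret_key"])}).encode()
        return 405, b""


def demo() -> dict:
    """Walk through rotate, failed non-admin lock, admin lock, skipped rotation, unlock."""
    api = FakeRgwApi()
    base = "https://api.example.invalid"  # constructed
    user_client = RgwKeyClient(base, "user-token", transport=api)
    admin_client = RgwKeyClient(base, FakeRgwApi.ADMIN_TOKEN, transport=api)
    results = {}
    old_secret = api.users["u1"]["secret_key"]
    creds = user_client.renew_key("u1")
    results["rotated"] = creds["secret_key"] != old_secret
    results["access_key_stable"] = creds["access_key_id"] == "AKIAIOSFODNN7EXAMPLE"
    try:
        user_client.set_locked("u1", True)
        results["non_admin_lock"] = "allowed"
    except PermissionError:
        results["non_admin_lock"] = "forbidden"
    results["admin_lock"] = admin_client.set_locked("u1", True)
    try:
        user_client.renew_key("u1")
        results["rotation_while_locked"] = "rotated"
    except RotationSkipped:
        results["rotation_while_locked"] = "skipped"
    admin_client.set_locked("u1", False)
    results["rotation_after_unlock"] = user_client.renew_key("u1")["secret_key"] != creds["secret_key"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because renew_key invalidates the previous key immediately, the caller should persist `creds["secret_key"]` before touching any S3 client configuration, and should only ever log it through `mask()`.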

Configure S3 clients

Use the credentials with any S3-compatible client. Example with the AWS CLI:

aws configure --profile bnerd
# AWS Access Key ID: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name: de-muc1
# Default output format: json

aws --profile bnerd \
  --endpoint-url https://storage.muc1.de.bnerd.com \
  s3 ls

The S3 endpoint is https://storage.muc1.de.bnerd.com. The region is de-muc1.