Is there any plans to decrease the scope of what R2 API tokens have access to? Currently: * There a

Is there any plans to decrease the scope of what R2 API tokens have access to? Currently:

There are two access levels, read, or write, any consideration to make this more granular? What if my token only needs to Put items, but does not need to Delete anything? (protecting from mass deletion attacks)
Allowing us to scope what buckets each token has access to, I host a few R2 buckets, and a lot of them have to write to their relevant R2 bucket, it would be neat if I could scope them to be able to only write to the buckets they actually need.

AAiden Is there any plans to decrease the scope of what R2 API tokens have access to? C...

Unsmart•5/7/23, 11:27 PM

Bucket scoped is coming soon I believe there was a tweet saying Q3 this year. As far as the first point not sure if that is currently planned.

AidenOP•5/7/23, 11:28 PM

Great to hear about bucket scoping! Sounds good, is this the best place to leave product feedback for the first point?

Unsmart•5/7/23, 11:28 PM

Yes it is the team actively monitors this channel

AAiden Great to hear about bucket scoping! Sounds good, is this the best place to leave...

Sid•5/8/23, 1:00 AM

For the first point, a presigned URL might work as well (although you’ll have to deal with expiry etc.)

AidenOP•5/8/23, 2:40 AM

My concern isn’t with reading, my concern is with what each token can do.

AidenOP•5/8/23, 2:41 AM

If my api process only needs to upload and never delete, I’d like that R2 token to be scoped down, to only do that (ie. Least privilege), it doesn’t need to read the bucket directly, thus I don’t think a pre signed URL would apply here

JJamesXXV Will R2 support S3 IAM compatible permissions in the near future? I understand t...

Sid•5/8/23, 10:31 AM

Bucket-scoped permissions are coming pretty soon, but IAM-compatible permissions aren't planned for now

Jay Townsend•5/8/23, 4:20 PM

anyone know how to get your bucket to have public access, as even on the r2.dev domain it is not viewable publicly and I have no idea what I am doing wrong

JJay Townsend anyone know how to get your bucket to have public access, as even on the r2.dev ...

Hello, I’m Allie!•5/8/23, 4:21 PM

What do you mean? If you navigate to a file, does it show up? Like https://account.r2.dev/hey.html

Jay Townsend•5/8/23, 4:22 PM

JJay Townsend Click to see attachment

Hello, I’m Allie!•5/8/23, 4:23 PM

No, I mean, if you replace account.r2.dev with your R2.Dev domain, and hey.htmlhey.html with a file in your bucket

Jay Townsend•5/8/23, 4:27 PM

so on my custom domain for it I get this which is the same thing that I get when I had it use the r2.dev url as well, do you want me to remove my custom domain while testing?

JJay Townsend so on my custom domain for it I get this which is the same thing that I get whe...

Hello, I’m Allie!•5/8/23, 4:29 PM

What is the path you are using?

Jay Townsend•5/8/23, 4:30 PM

@HardAtWork you mean the url?

JJay Townsend @HardAtWork you mean the url?

Hello, I’m Allie!•5/8/23, 4:31 PM

Yes. I don't need the hostname, just the stuff after the

Jay Townsend•5/8/23, 4:39 PM

@HardAtWork ah that did it, worked out what you are saying so if I give it the file name after the url, it then starts downloading the file. My assumptions was that I could just go to my custom domain and could view everything like this https://cdimage.kali.org/kali-weekly/ as an example

JJay Townsend @HardAtWork ah that did it, worked out what you are saying so if I give it the ...

Hello, I’m Allie!•5/8/23, 4:40 PM

R2 just serves files, it doesn't do file listings. For that, you want https://github.com/kotx/render

GitHub

GitHub - kotx/render: Cloudflare Worker to proxy and cache requests...

Cloudflare Worker to proxy and cache requests to R2 - GitHub - kotx/render: Cloudflare Worker to proxy and cache requests to R2

Jay Townsend•5/8/23, 4:41 PM

thanks for your help and clearing up my confusion and thanks for that will have a look

cake•5/8/23, 8:06 PM

A few questions about R2:

What is cloudflares uptime guarantee for r2?
Are my buckets backed up into multiple regions with failover, or if the location that my bucket is stored in goes down, will my files go down as well?

Ccake A few questions about R2: 1. What is cloudflares uptime guarantee for r2? 2. Ar...

Hello, I’m Allie!•5/8/23, 8:15 PM

AFAIK, R2 is covered by the CF-standard uptime SLA.
Disaster recovery is single-region, multi-datacenter atm

HHello, I’m Allie!1. AFAIK, R2 is covered by the CF-standard uptime SLA. 2. Disaster recovery is s...

cake•5/8/23, 8:36 PM

that'd be 100% uptime?

kian•5/8/23, 8:37 PM

Yes, but you're only entitled to SLA credits on Business and Enterprise plans.

cake•5/8/23, 9:07 PM

So r2 is already highly available?

Unsmart•5/9/23, 2:29 AM

using r2 for terraform state stonks

Stofolus•5/9/23, 6:47 AM

When settings a bucket to public. Does that mean only reads are public or can anyone upload?

SStofolus When settings a bucket to public. Does that mean only reads are public or can an...

Karew•5/9/23, 6:49 AM

Only object reads are public

Karew•5/9/23, 6:49 AM

Everything else (uploading, listing, etc) is still private

Erisa•5/9/23, 10:57 AM

What kind of wrong behaviour do you see? Could you share a URL maybe?

DanCodes•5/9/23, 6:29 PM

Hi guys, really weird random issue, I seem to get this error when using r2 today (with no code change) and any s3 commands hang and never finish

connect ETIMEDOUT 104.18.9.90:443

connect ETIMEDOUT 104.18.9.90:443

after a quick google it seems this is a cloudflare ip, also this doesn't happen locally
again, no firewall changes or anything

DanCodes•5/9/23, 6:32 PM

Still happening

DanCodes•5/9/23, 6:32 PM

and a "curl 104.18.8.90:443" on my server hangs, while works locally

DanCodes•5/9/23, 6:44 PM

I do see this:

20:41:11.128329 IP <some hosting provider uri thing here> > one.one.one.one.domain: 28849+ [1au] A? <cloudflare id>.r2.cloudflarestorage.com. (86)

20:41:11.128329 IP <some hosting provider uri thing here> > one.one.one.one.domain: 28849+ [1au] A? <cloudflare id>.r2.cloudflarestorage.com. (86)

but that's it

DanCodes•5/9/23, 6:52 PM

Yep so one packet goes out, nothing comes back lmao

DanCodes•5/9/23, 6:53 PM

Its a VPS so sadly can't do that

DanCodes•5/9/23, 7:07 PM

I got it

DanCodes•5/9/23, 7:07 PM

so obscure

DanCodes•5/9/23, 7:07 PM

but for some reason fail2ban

DanCodes•5/9/23, 7:07 PM

banned the ip

Is there any plans to decrease the scope of what R2 API tokens have access to? Currently: * There a

Similar Threads

Similar Threads

Similar Threads