Bucket-scoped tokens
I've got great news everyone: you're now able to create API tokens scoped to specific (or all) buckets! All existing tokens will continue to work and will have access to all buckets. You can edit permissions for these tokens, or create new ones to limit them to specific buckets.
If you find issues with the authorization itself or the UI, please shout here!
If you have other thoughts about the feature, please feel free to leave them in this thread.
Here are some docs to go with it: https://developers.cloudflare.com/r2/api/s3/tokens/ @Deleted User
I can't take all the credit here, this was a lot of work from @Bradley & @Phillip as well!
Authentication · Cloudflare R2 docs
You can generate an API token to serve as the Access Key for usage with existing S3-compatible SDKs or XML APIs.

Sure, you should be able to edit the token by clicking on the three dots next to it
Bucket selections only make sense for “Object Read&Write” and “Object Read” permissions though, so you have one of them selected?
Yeah, so the admin permission lets you list and/or manage buckets, so it doesn’t quite make sense to let you select buckets there
Are there docs for the resource identifier and permission group id?
the api/v4/user/token endpoint is used, but it gets a permission group id (?) and identifies each bucket using “com.cloudflare.edge.r2.bucket.{accountId}_default_{bucketName}” for me, but both seem to be still undocumented
Ah so the API is a little new so it isn't documented yet. I'll ask around to see when that is planned to happen.
In the meantime, you can fetch all permission groups via /api/v4/user/tokens/permission_groups. You'll have to find the R2 permission group you want (there should be 4, one for each permission that shows up in the UI). This is the ID you'll use.
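Added example, not part of the thread and not Cloudflare's code: a Python sketch that picks the R2 groups out of a permission_groups response and builds a policy limited to named buckets, refusing anything that would widen the scope. The sample response, group names, ids, the policy field names, the bucket-name rule and the underscores around `default` in the resource identifier are all assumptions made for illustration.

```python
import json
import re

# Constructed sample shaped like a permission_groups response; ids and names are placeholders.
SAMPLE = json.loads("""{"success": true, "result": [
 {"id": "aaaa0000000000000000000000000001", "name": "DNS Read"},
 {"id": "aaaa0000000000000000000000000002", "name": "Workers R2 Storage Read"},
 {"id": "aaaa0000000000000000000000000003", "name": "Workers R2 Storage Write"},
 {"id": "aaaa0000000000000000000000000004", "name": "Workers R2 Storage Bucket Item Read"},
 {"id": "aaaa0000000000000000000000000005", "name": "Workers R2 Storage Bucket Item Write"}
]}""")

BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]")  # assumed naming rule


def r2_groups(response):
    """Map name -> id for the R2 permission groups in the response."""
    if not response.get("success"):
        raise ValueError("permission_groups call failed")
    return {g["name"]: g["id"] for g in response["result"] if "R2" in g["name"]}


def bucket_resource(account_id, bucket):
    """Resource key for one bucket; rejects wildcards and other non-names."""
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError(f"refusing bucket name {bucket!r}")
    return f"com.cloudflare.edge.r2.bucket.{account_id}_default_{bucket}"


def scoped_policy(response, group_name, account_id, buckets):
    """Build one allow policy limited to the listed buckets, failing closed."""
    groups = r2_groups(response)
    if group_name not in groups:
        raise KeyError(f"no R2 permission group named {group_name!r}")
    if "Bucket Item" not in group_name:  # assumed marker for object-level groups
        raise ValueError("admin groups cannot be limited to buckets")
    if not buckets:
        raise ValueError("empty bucket list would not scope the token")
    return {
        "effect": "allow",
        "permission_groups": [{"id": groups[group_name]}],
        "resources": {bucket_resource(account_id, b): "*" for b in buckets},
    }


if __name__ == "__main__":
    policy = scoped_policy(SAMPLE, "Workers R2 Storage Bucket Item Read",
                           "0123456789abcdef0123456789abcdef", ["logs-prod"])
    print(json.dumps(policy, indent=2))
```
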