Main Concept
Object
In Object Storage, every file is stored as an object (a key-value pair) inside a container called a bucket. The file itself is the value of the object, and it is accessed through the object's key, a unique identifier that identifies that one file.
Object key
The object key uniquely identifies an object and is written as the path of the file within the bucket. For example, if a file called 'cloud.png' is in the 'i' folder under the 'kakao' folder of a bucket, its object key is kakao/i/cloud.png.
The object key cannot exceed 432 bytes, including the / characters that express the directory hierarchy. A request that changes the key (path), such as a file upload, a file rename, or a file move, may fail if the resulting key exceeds this limit.
Object Storage stores and retrieves data in a flat namespace rather than a folder-based directory hierarchy. Separating a key with / to express a hierarchy is a convenience for users; internally, data is mapped to keys with no notion of hierarchy.
Object URL
To access a file (value) uploaded to a bucket, use a URL based on its object key.
The URL has the form https://objectstorage.{region-name}.kakaocloud.com/v1/{project-ID}/{bucket-name}/{object-key}. The URL of each file is shown on the bucket detail page.
For details, please refer to Check details of object.
URL structure
Category | Description |
---|---|
region-name | Deployed region name |
project-ID | ID of the deployed project |
bucket-name | Name of the bucket you created |
object-key | Key of uploaded object |
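The following Python example, added here and not part of the original page, puts the two rules above into code: it builds a flat key from folder and file names, measures the key the way the service does (in UTF-8 bytes, including the / separators, against the 432-byte limit), and assembles the object URL from the template shown above. The region name, project ID and bucket name used at the bottom are placeholders, not real values.

```python
from urllib.parse import quote

# Limit stated on this page. The whole key, "/" separators included, is
# measured in bytes, so a multibyte character (e.g. Korean) counts as 3 bytes.
MAX_KEY_BYTES = 432


def object_key(*segments: str) -> str:
    """Join folder names and a file name into one flat object key.

    The "/" is only a naming convention: the service maps the whole string to
    the object, so "kakao/i/cloud.png" is a single key, not nested entries.
    """
    parts = [s.strip("/") for s in segments]
    return "/".join(p for p in parts if p)


def key_size(key: str) -> int:
    """Size of the key as the service counts it: UTF-8 bytes, not characters."""
    return len(key.encode("utf-8"))


def validate_key(key: str) -> str:
    """Reject keys the service would refuse on upload, rename or move."""
    if not key:
        raise ValueError("object key must not be empty")
    size = key_size(key)
    if size > MAX_KEY_BYTES:
        raise ValueError(f"object key is {size} bytes; limit is {MAX_KEY_BYTES}")
    return key


def renamed_key(key: str, new_name: str) -> str:
    """Key after renaming the last path segment; fails if the result is too long."""
    folder, _, _ = key.rpartition("/")
    return validate_key(object_key(folder, new_name))


def object_url(region: str, project_id: str, bucket: str, key: str) -> str:
    """Build the object URL from this page's template, percent-encoding the key."""
    validate_key(key)
    return (
        f"https://objectstorage.{region}.kakaocloud.com/v1/"
        f"{project_id}/{bucket}/{quote(key, safe='/')}"
    )


if __name__ == "__main__":
    # Placeholder identifiers (assumed, not real KakaoCloud values).
    key = object_key("kakao", "i", "cloud.png")
    print(key, key_size(key), "bytes")
    print(object_url("example-region", "example-project-id", "example-bucket", key))
```

Checking the limit before sending a rename or move request avoids a failed request whose error message may not say which byte the key overflowed at; the byte count, not the character count, is what matters for non-ASCII file names.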
File management in console
You can manage files in your bucket from the console (web browser). For details, please refer to Manage object.
Metadata
You can set metadata that describes an object. Metadata is divided into system metadata, which Object Storage uses to convey information about the object, and user metadata, which users register themselves.
For details, please refer to Set metadata.
Object tag
You can classify objects by assigning tags. A tag is a key-value pair consisting of a tag key and its value. You can use object tags in lifecycle rules to manage the life cycle of objects. For details, please refer to Set object tag.
Bucket
A bucket is a container that contains objects and is used as a unit of application for access rights and life cycle settings for objects. For detailed instructions on creating and managing buckets, please refer to Create and manage buckets.
Bucket type
Buckets in Object Storage support Standard buckets.
Lifecycle
Depending on the bucket's lifecycle policy, files in a bucket can be automatically deleted, or moved to a different bucket type, after a set period of time. Moving files to another bucket type will be supported in a future update. For information on how to set up the life cycle, please refer to Configure life cycle.
Bucket visibility
You can enable public access on a bucket so that anyone, without restriction, can access it externally. A public bucket is provided as read-only: public users can read objects but cannot upload or modify them. For details, please refer to Manage bucket permission.
Management operations such as uploading and editing files remain possible only through the console or API. Because public access exposes every object in the bucket to anyone who knows or can derive its URL (the URL structure above is predictable), enable it only for buckets that hold nothing sensitive.
Stability and scalability
Object Storage imposes no limit on bucket capacity or on the number of objects. Data is distributed across different hardware and stored redundantly to ensure durability. In addition, unlike block storage, which has a tiered directory structure, Object Storage keeps data in a flat key-value structure, which makes it easy to scale out.
Files can be added without additional configuration, so users can focus on their service rather than on storage capacity. Because data is stored flat, without a hierarchy to traverse, access time does not degrade as the number of files in a bucket grows.
Manage permission
Currently, the IAM permission system and the Object Storage permission system are applied separately. Each IAM project role is mapped to the following Object Storage role.
IAM role | Object Storage role |
---|---|
Project Admin | Storage Admin (storage.admin) |
Project Member | Storage Editor (storage.editor) |
Project Reader | Storage Viewer (storage.viewer) |
Permission architecture
Permission Scope | Role | Permissions | S3 Bucket ACL |
---|---|---|---|
Bucket | Storage Admin (storage.admin) | Full permissions to manage buckets and objects: storage.buckets.delete, storage.buckets.get, storage.buckets.update, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.objects.create, storage.objects.delete, storage.objects.list, storage.objects.get, storage.objects.update | FULL_CONTROL |
Bucket | Storage Editor (storage.editor) | Manage buckets and objects, excluding the bucket's permission policy: storage.buckets.get, storage.buckets.update, storage.objects.create, storage.objects.delete, storage.objects.list, storage.objects.get, storage.objects.update | READ + WRITE |
Bucket | Storage Viewer (storage.viewer) | View bucket metadata and object metadata: storage.buckets.get, storage.objects.list, storage.objects.get | READ |
Bucket | Storage Object Admin (storage.objectAdmin) | Control over all objects, such as listing, creating, viewing and deleting them: storage.objects.create, storage.objects.delete, storage.objects.list, storage.objects.get, storage.objects.update | READ + WRITE |
Bucket | Storage Object Viewer (storage.objectReader) | List objects and view their metadata, excluding the bucket's permission policy: storage.objects.list, storage.objects.get | READ |
Bucket | Storage Object Creator (storage.objectCreator) | Create objects only: storage.objects.create | WRITE |
Bucket | Storage Bucket Owner (storage.owner) | Manage bucket lookups and permission policies, except for creating buckets: storage.buckets.delete, storage.buckets.get, storage.buckets.update, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.objects.create, storage.objects.delete, storage.objects.list, storage.objects.get, storage.objects.update | FULL_CONTROL |
Bucket | Storage Bucket Editor (storage.policyEditor) | Manage bucket views, permission policies and objects, excluding bucket creation and deletion: storage.buckets.get, storage.buckets.update, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.objects.create, storage.objects.delete, storage.objects.list, storage.objects.get, storage.objects.update | FULL_CONTROL |
Bucket | Storage Permission Policy Viewer (storage.policyReader) | View bucket permission policies: storage.buckets.getIamPolicy | READ_ACP |
Bucket | Storage Permission Policy Writer (storage.policyWriter) | Set (add/delete) bucket permission policies, excluding viewing them: storage.buckets.setIamPolicy | WRITE_ACP |
Permission type
The permission types for Object Storage are as follows:
Permission Type | Description |
---|---|
Personal | A user with an assigned role |
Group | A group type such as allUserGroup (all users) |
Service account | An account created by the user. It is not an actual IAM user account, but an account that can issue the authentication tokens required to call the KakaoCloud API |
Role group | A user group assigned to an IAM role: Project Admin (Admin): {project_id}, Project Member: {project_id}, Project Reader: {project_id}, allUserGroup |
allUserGroup covers every user who accesses the bucket, so assign roles to it with care: any permission granted to allUserGroup is effectively granted to everyone.
Default role
The default role assignments for members are as follows:
Scope | Members | Role |
---|---|---|
Bucket | Project Admin (Admin): {project_id} | Storage Admin |
Bucket | Project Member: {project_id} | Storage Editor |
Bucket | Project Reader: {project_id} | Storage Viewer |
Bucket | Bucket creator: {user} | Storage Admin |
Permissions by function
The permissions and the functions they enable, for buckets and objects, are as follows:
Scope | Permission | Function |
---|---|---|
Bucket | storage.buckets.create | Creating a bucket |
Bucket | storage.buckets.delete | Deleting a bucket |
Bucket | storage.buckets.list | Viewing the bucket list and bucket metadata |
Bucket | storage.buckets.get | Viewing bucket details and metadata |
Bucket | storage.buckets.update | Editing a bucket, for example editing its metadata |
Bucket | storage.buckets.getIamPolicy | Viewing the bucket permission policy and life cycle |
Bucket | storage.buckets.setIamPolicy | Registering, modifying and deleting bucket permission policies; setting the life cycle |
Object | storage.objects.create | Registering an object, for example uploading a file or creating a folder |
Object | storage.objects.delete | Deleting objects |
Object | storage.objects.list | Searching for objects, for example listing objects and searching object metadata |
Object | storage.objects.get | Viewing object details, for example object metadata, object tags, file information, and downloading a file |
Object | storage.objects.update | Modifying an object, for example adding or editing metadata, adding or deleting tags, renaming |
Object | storage.objects.create, storage.objects.delete, storage.objects.get | Moving files |
Object | storage.objects.create, storage.objects.get | Copying files |
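The following Python example is added here and is not part of the original page or of KakaoCloud's own tooling. It transcribes the role-to-permission sets from the Permission architecture table and the function-to-permission requirements from the table above, then answers the question a least-privilege review asks: which role is the smallest one that still allows a given operation, and what does a candidate role carry beyond that need. Function names such as "move file" are labels chosen for this example.

```python
# Role -> permissions, transcribed from the "Permission architecture" table.
OBJECT_ALL = {
    "storage.objects.create", "storage.objects.delete", "storage.objects.list",
    "storage.objects.get", "storage.objects.update",
}
BUCKET_POLICY = {"storage.buckets.getIamPolicy", "storage.buckets.setIamPolicy"}

ROLES = {
    "storage.admin": {"storage.buckets.delete", "storage.buckets.get",
                      "storage.buckets.update"} | BUCKET_POLICY | OBJECT_ALL,
    "storage.editor": {"storage.buckets.get", "storage.buckets.update"} | OBJECT_ALL,
    "storage.viewer": {"storage.buckets.get", "storage.objects.list",
                       "storage.objects.get"},
    "storage.objectAdmin": set(OBJECT_ALL),
    "storage.objectReader": {"storage.objects.list", "storage.objects.get"},
    "storage.objectCreator": {"storage.objects.create"},
    "storage.owner": {"storage.buckets.delete", "storage.buckets.get",
                      "storage.buckets.update"} | BUCKET_POLICY | OBJECT_ALL,
    "storage.policyEditor": {"storage.buckets.get", "storage.buckets.update"}
                            | BUCKET_POLICY | OBJECT_ALL,
    "storage.policyReader": {"storage.buckets.getIamPolicy"},
    "storage.policyWriter": {"storage.buckets.setIamPolicy"},
}

# Operation -> permissions it needs, from the "Permissions by function" table.
# The operation labels are this example's own names, not API identifiers.
FUNCTIONS = {
    "delete bucket": {"storage.buckets.delete"},
    "view bucket permission policy": {"storage.buckets.getIamPolicy"},
    "set lifecycle": {"storage.buckets.setIamPolicy"},
    "upload file": {"storage.objects.create"},
    "list objects": {"storage.objects.list"},
    "download file": {"storage.objects.get"},
    "rename object": {"storage.objects.update"},
    "move file": {"storage.objects.create", "storage.objects.delete",
                  "storage.objects.get"},
    "copy file": {"storage.objects.create", "storage.objects.get"},
}


def can(role: str, function: str) -> bool:
    """True if the role's permission set covers everything the operation needs."""
    return FUNCTIONS[function] <= ROLES[role]


def roles_allowing(function: str) -> list[str]:
    """Every role that permits the operation, sorted for stable output."""
    return sorted(r for r in ROLES if can(r, function))


def least_privilege_roles(function: str) -> list[str]:
    """Roles that allow the operation and have no allowing role strictly inside them.

    Two roles with identical permission sets (per the table, storage.admin and
    storage.owner) are both returned, since neither is smaller than the other.
    """
    allowed = roles_allowing(function)
    return [r for r in allowed
            if not any(ROLES[o] < ROLES[r] for o in allowed if o != r)]


def excess_permissions(role: str, function: str) -> set[str]:
    """What the role grants beyond the operation's need: the over-privilege to justify."""
    return ROLES[role] - FUNCTIONS[function]


if __name__ == "__main__":
    for fn in FUNCTIONS:
        print(f"{fn:30} -> {least_privilege_roles(fn)}")
    print("excess for editor doing 'upload file':",
          sorted(excess_permissions("storage.editor", "upload file")))
```

Two things fall out of the tables when run this way: an upload-only workload (for example a log shipper) needs nothing beyond storage.objectCreator, and a move operation, which is implemented as create + delete + get, cannot be granted without also granting full object control, since storage.objectAdmin is the smallest role containing all three.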