Last updated:2021-08-20 12:02:02

AccessKey and SecretKey

An AccessKey is an ASCII string of 20 characters, and a SecretKey is an ASCII string of 40 characters. An AccessKey and a SecretKey issued by KS3 are required for using KS3. The AccessKey is used to identify a customer. The SecretKey is a private key stored on the customer server and not transmitted over the network. The SecretKey is used to calculate a request signature, to ensure that the request comes from the specified customer. Application access, authentication, and authorization can be completed with the AccessKey for identification and the SecretKey for digital signature calculation. For more information about how to create an AccessKey and a SecretKey, see Activate KS3.


A region is a physical location of a KS3 data center. You can select appropriate regions for creating buckets based on fees and request sources. Generally, you can enjoy a higher access speed if the selected region is closer to you.

A region is specified when you create a bucket. It cannot be changed after the bucket is created. All objects in the bucket are stored in the corresponding data center. You cannot specify a region for a specific object.


An endpoint is an access domain name of KS3. KS3 provides external services by using HTTP RESTful API operations. Different endpoints are required for accessing different regions or accessing the same region over the internal network and the Internet. For example, the public endpoint and internal endpoint for accessing the China (Beijing) region are ks3-cn-beijing.ksyun.com and ks3-cn-beijing-internal.ksyun.com respectively. For more information, see Endpoint and Region.


A service is a virtual storage space provided by KS3. You can own one or more buckets in the virtual storage space.


A bucket is a container of objects. All objects must be stored in specific buckets. You can create up to 100 buckets and store an unlimited number of objects in each bucket. Buckets cannot be nested. To be specific, a bucket can store only objects but not other buckets. Objects in a bucket are at the same level. A bucket name is globally unique. The naming rules are the same as those of a domain name system (DNS) name.

  • The name can contain only lowercase letters, digits, periods (.), and hyphens (-).
  • The name must start with a lowercase letter or digit.
  • The name can contain 3 to 63 characters in length.
  • The name cannot be in the IP address format, such as
  • The name cannot start with kss.


An object is the basic data unit of user operations in KS3. An object can store 0–48.8 TB of data. An object contains a key and data. The key is the object name. The key is UTF-8 encoded, and the encoded key is 1 to 1024 characters in length.


A key is an object name. The key is UTF-8 encoded, and the encoded key is 1 to 1024 characters in length. The key can contain slashes (/). In this case, a directory structure is automatically organized in the console.


KS3 enables you to configure access control lists (ACLs) to manage the bucket and object access permissions. Each bucket and object have an ACL. The ACL defines the users with access permissions and the access types. After receiving a resource request, KS3 checks the corresponding ACL to verify whether the requester has the required access permission.

The following tables describe the permissions supported by KS3 in ACLs. ACL permissions for buckets and objects are the same. However, they allow different operations for buckets and objects. The following table describes the ACL permissions and their meanings for buckets and objects.

ACL permission Bucket authorization Object authorization
READ Allows the authorized entity to list the objects in the bucket. Allows the authorized entity to read the object data and metadata.
WRITE Allows the authorized entity to create, overwrite, and delete any object in the bucket. Not applicable.
FULL_CONTROL Grants the bucket-specific read/write permissions to the authorized entity. Grants the object-specific read permission to the authorized entity.

As described in the preceding table, the ACL grants limited permissions. Each permission allows one or more KS3 operations. The following table describes the mapping between each ACL permission and the corresponding access policy permission. The ACL is mainly used to grant basic read/write permissions, which are similar to file system permissions.

ACL permission Access policy used when the ACL permission is granted for a bucket Access policy used when the ACL permission is granted for an object
READ List Bucket and List Multipart Upload Get Object, Head Object, and List Parts
WRITE Put Object, Post Object, Put Object Copy, Upload Part Copy, Delete Object, Initiate Multipart Upload, Upload Part, Complete Multipart Upload, Abort Multipart Upload, and Restore Object Not applicable.
FULL_CONTROL Equivalent to the READ and WRITE ACL permissions. Equivalent to the READ ACL permission.

Preset ACL

KS3 supports a series of predefined authorization policies, called preset ACLs. Each preset ACL contains a set of predefined authorized entities and permissions. The following table describes a series of preset ACLs and associated permissions.

Preset ACL Applicable to Permission
private Buckets and objects The owner has the FULL_CONTROL permission, and other users have no access permission by default.
public-read Buckets and objects The owner has the FULL_CONTROL permission, and other users, including anonymous users, have the READ permission.
public-read-write Buckets and objects The owner has the FULL_CONTROL permission, and other users, including anonymous users, have the READ and WRITE permissions. We recommend that you do not apply this preset ACL to buckets.


You can configure logging for buckets and objects.
After you configure logging for a bucket, operations logs of the bucket are automatically uploaded to the specified bucket on a daily basis.

Did you find the above information helpful?

Mostly Unhelpful
A little helpful
Very helpful

What might be the problems?

Unclear or awkward
Redundant or clumsy
Lack of context for the complex system or functionality

More suggestions


Please give us your feedback.


Thank you for your feedback.