Skip to main content

Create another user's S3 access keys

Contributors netapp-madkat netapp-perveilerk ssantho3 netapp-lhalbert

If you are using an S3 tenant and you have the appropriate permission, you can create S3 access keys for other users, such as applications that need access to buckets and objects.

Before you begin
About this task

You can create one or more S3 access keys for other users so they can create and manage buckets for their tenant account. After you create a new access key, update the application with the new access key ID and secret access key. For security, don't create more keys than the user needs, and delete the keys that aren't being used. If you have only one key and it is about to expire, create a new key before the old one expires, and then delete the old one.

Each key can have a specific expiration time or no expiration. Follow these guidelines for expiration time:

  • Set an expiration time for the keys to limit the user's access to a certain time period. Setting a short expiration time can help reduce risk if the access key ID and secret access key are accidentally exposed. Expired keys are removed automatically.

  • If the security risk in your environment is low and you don't need to periodically create new keys, you don't have to set an expiration time for the keys. If you decide later to create new keys, delete the old keys manually.

Important The S3 buckets and objects belonging to a user can be accessed using the access key ID and secret access key displayed for that user in the Tenant Manager. For this reason, protect access keys as you would a password. Rotate access keys on a regular basis, remove any unused keys from the account, and never share them with other users.
  1. Select ACCESS MANAGEMENT > Users.

  2. Select the user whose S3 access keys you want to manage.

    The user detail page appears.

  3. Select Access keys, then select Create key.

  4. Do one of the following:

    • Select Don't set an expiration time to create a key that does not expire. (Default)

    • Select Set an expiration time, and set the expiration date and time.

      Note The expiration date can be a maximum of five years from the current date. The expiration time can be a minimum of one minute from the current time.
  5. Select Create access key.

    The Download access key dialog box appears, listing the access key ID and secret access key.

  6. Copy the access key ID and the secret access key to a safe location, or select Download .csv to save a spreadsheet file containing the access key ID and secret access key.

    Important Don't close this dialog box until you have copied or downloaded this information. You can't copy or download keys after the dialog box has been closed.
  7. Select Finish.

    The new key is listed on the Access keys tab of the user details page.

  8. If your tenant account has the Use grid federation connection permission, optionally use the Tenant Management API to manually clone S3 access keys from the tenant on the source grid to the tenant on the destination grid. See Clone S3 access keys using the API.