Managing Object Storage API Keys

Credential and resource scoping

Object Storage API keys are user-scoped — only the user who created a key can view or manage it. You can use object storage API keys in all buckets in all projects within your organization. Buckets are project-scoped resources.

Creating an Object Storage API Key

CLI
UI
Terraform

Use the storage tokens create command to generate a new Object Storage API key:

crusoe storage tokens create --alias my-training-key

Optional parameters:

--alias <alias> — A human-readable name for the key.
--expires-at <date> — Expiration date for the key in RFC3339 format (e.g., 2021-12-03T19:58:34Z).

The command outputs an access key ID and a secret key. Save the secret key immediately — it cannot be retrieved again after creation.

Example output:

Access Key ID:  CKIAXXXXXXXXXXXXXXXX
Secret Key:     SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Alias:          my-training-key
Expires At:     2026-12-31T00:00:00Z

Creating a storage API key is required to authenticate with the S3-compatible API for Object Storage in Crusoe Cloud. The following is intended to help get you started in using Terraform to provision a storage API key.

Copy and paste the code below in a text-editor of your choice and name the file main.tf. The example below creates a storage API key:

// Crusoe Provider
terraform {
  required_providers {
    crusoe = {
      source = "registry.terraform.io/crusoecloud/crusoe"
    }
  }
}

resource "crusoe_storage_s3_key" "my_key" {
  alias = "my-storage-key"
}

output "access_key_id" {
  value = crusoe_storage_s3_key.my_key.access_key_id
}

output "secret_access_key" {
  value     = crusoe_storage_s3_key.my_key.secret_access_key
  sensitive = true
}

alias is a optional argument that provides a human-readable name for the key.

expire_at is an optional argument that specifies an expiration date for the key in RFC 3339 format (e.g., 2025-12-31T23:59:59Z).

danger

The secret_access_key is only available at creation time. Make sure to save the output of terraform apply as the secret cannot be retrieved later.

After saving the code to a main.tf file, the following commands serve as the process to create a resource in Crusoe Cloud using Terraform:

terraform init - Initializes a working directory containing Terraform configuration files.

terraform plan - the output of this command will show the resources Terraform plans on creating.

terraform apply - this command will create the resources.

To view the secret access key after creation, run terraform output secret_access_key.

Listing Object Storage API Keys

CLI
UI
Terraform

crusoe storage tokens list

To list existing storage API keys using Terraform, the following code snippet can be used to populate a Terraform data source using the Crusoe Terraform provider.

# list storage API keys
data "crusoe_storage_s3_keys" "keys" {}

output "crusoe_storage_keys" {
  value = data.crusoe_storage_s3_keys.keys
}

Deleting an Object Storage API Key

CLI
UI
Terraform

crusoe storage tokens delete <access-key>

Replace <access-key> with the access key of the key you wish to delete. For example, if the access key is CKIAXGFV74Z2FFURA9UA, then the command would be

crusoe storage tokens delete CKIAXGFV74Z2FFURA9UA

The access key can also be obtained using the list [../list/_cli.mdx] command.

A storage API key can be deleted by using the terraform destroy command provided by the Terraform CLI tool.

Warning

Deleting an Object Storage API key immediately revokes access for any clients configured with that key.

Managing Object Storage API Keys

Creating an Object Storage API Key​

Listing Object Storage API Keys​

Deleting an Object Storage API Key​

Creating an Object Storage API Key

Listing Object Storage API Keys

Deleting an Object Storage API Key