Access credentials and buckets

This page explains how access credentials for the S3 storage service are managed
and how buckets are assigned to projects.

Correct handling of credentials is essential for security, data protection,
and compliance.


Project-based access model

Access to the S3 storage service is granted per project, not per individual dataset.

For each approved project:

  • One S3 bucket is created
  • Access permissions are restricted to authorized users
  • Users can only access the bucket explicitly assigned to their project

Users cannot create arbitrary buckets or access buckets belonging to other projects.


S3 credentials

What S3 credentials are

To access S3 storage, you will receive:

  • Access Key ID
  • Secret Access Key
  • A specific endpoint URL

These credentials are used by S3-compatible tools and APIs to authenticate your requests.


How credentials are provided

S3 credentials are provided after:

  • Your access request has been approved
  • S3 storage access has been explicitly enabled for your project

Credentials are typically delivered through separate emails.

Credentials must never be shared with other users.


Credential scope and permissions

S3 credentials are:

  • Limited to specific buckets
  • Restricted to approved operations (e.g. read/write)
  • Associated with a specific project

They do not grant administrative access to the storage system.


Credential handling rules

You must follow these rules when using S3 credentials:

  • Treat credentials as confidential secrets
  • Never store credentials in plain text files
  • Never commit credentials to Git repositories
  • Never embed credentials in scripts shared with others
  • Use environment variables or configuration files with restricted permissions

Failure to comply may result in suspension or revocation of access.


Most S3 tools support secure configuration files or environment variables.

Examples:

  • ~/.config/rclone/rclone.conf
  • ~/.aws/credentials
  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

Ensure that configuration files are readable only by you.
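
One way to check this, as an added example that is not part of the original page: a POSIX shell script that audits the two configuration files listed above and reports any that group or other users can access. The function names cred_file_status and audit_cred_files and the --fix option are hypothetical, introduced only for this example.

```shell
#!/bin/sh
# Added example: audit permissions on the S3 credential files named on this page.

# cred_file_status FILE
# Prints "missing", "ok" (no group/other access) or "loose".
cred_file_status() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # Characters 5-10 of the ls mode string are the group and other bits;
    # -L follows symlinks so the real file is inspected.
    bits=$(ls -ldL -- "$f" | cut -c5-10)
    if [ "$bits" = "------" ]; then echo ok; else echo loose; fi
}

# audit_cred_files [--fix] FILE...
# Prints one status line per file; with --fix, removes group/other access.
# Returns 1 if any file is still accessible to other users.
audit_cred_files() {
    fix=0
    rc=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    for f in "$@"; do
        st=$(cred_file_status "$f")
        if [ "$st" = loose ] && [ "$fix" -eq 1 ]; then
            if chmod go-rwx -- "$f"; then st=fixed; fi
        fi
        printf '%-8s %s\n' "$st" "$f"
        if [ "$st" = loose ]; then rc=1; fi
    done
    return "$rc"
}

# Report only; run audit_cred_files --fix ... to tighten the permissions.
audit_cred_files "$HOME/.config/rclone/rclone.conf" "$HOME/.aws/credentials" ||
    echo "Some credential files are accessible to other users" >&2
```

A file reported as loose can be tightened by hand with chmod 600, which leaves it readable and writable only by its owner.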


Buckets

What is a bucket

A bucket is a logical container for objects (files).

  • Buckets belong to a specific project
  • Bucket names are unique within the storage system
  • Objects inside a bucket can be organized using prefixes

Bucket naming and organization

Bucket names and structure are defined by the platform administrators.

Within a bucket, users are encouraged to:

  • Use clear and consistent naming conventions
  • Organize data by project, study, or workflow
  • Avoid overly deep or complex structures

Credential rotation and expiration

For security reasons:

  • Credentials are rotated periodically (at least every three months)
  • Credentials may be revoked at project end or in case of misuse

Users are required to update their configuration when credentials are rotated.

If your credentials stop working, contact support rather than attempting workarounds.


What NOT to do

  • Do not share credentials between users
  • Do not reuse credentials across different projects
  • Do not upload credentials to external services or notebooks
  • Do not expose credentials in logs or error messages

Support and contacts

If you have issues with S3 credentials or bucket access, contact support and include:

  • Project name
  • Bucket name
  • Tool used (e.g. rclone, s3cmd)
  • Error message (if any)

Next steps