> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nscale.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Object Storage

Object Storage provides S3-compatible storage for buckets and objects. It is project-scoped and region-bound. Use it when you need an S3 endpoint for datasets, application assets, backups, artifacts, or other object-based workloads.

<Note>
  **Prerequisites:** You need an existing project, an available region, and permissions to create object storage endpoints and access keys before you can use Object Storage.
</Note>

## Summary

This page explains how to create and use **Object Storage** in the Nscale Console.

By following the steps, you will:

* Create a **project-scoped**, **region-bound** S3-compatible endpoint
* Find and filter Object Storage endpoints by **region** and **status**
* Manage endpoint **access keys** and **identity policies** from the endpoint details page
* Retrieve the endpoint URL after provisioning completes and use it with an S3-compatible client

**Who should use this:** console users who need S3-compatible object storage that can be accessed from applications, instances, clusters, CI jobs, or data tooling.

## Availability

This feature is currently only available for the reserved cloud service environment.

<Warning>
  **One endpoint per project and region:** Each project can have only one Object Storage endpoint in a given region. If a project already has an endpoint in that region, choose another region or delete the existing endpoint first.
</Warning>

<Warning>
  **Access key secrets are shown once:** The secret access key is only returned when the access key is created. Copy it immediately and store it securely. If you lose it, create a new access key and delete the old one.
</Warning>

## Requirements

* Permissions to **create and manage object storage resources**
* A target **project** and **region** selected for the object storage endpoint
* An **identity policy** that allows the S3 actions your workload needs
* An S3-compatible client or SDK, such as the AWS CLI

<Info>
  The endpoint URL is available only after the endpoint finishes provisioning.
</Info>

## Object Storage Lifecycle

| Action                          | Details                                                                                            |
| ------------------------------- | -------------------------------------------------------------------------------------------------- |
| **Create endpoint**             | Provide a name, project, and region                                                                |
| **Configure identity policies** | Use the `system-default-admin` policy or add custom S3 policy documents for least-privilege access |
| **Create access key**           | Create credentials tied to an identity policy. The secret is returned only once                    |
| **Use S3 client**               | Use the endpoint URL with your access key ID and secret to create buckets and manage objects       |
| **Delete access key**           | Revoke a credential without deleting the endpoint or stored objects                                |
| **Delete endpoint**             | Permanently remove the endpoint and the object storage resources associated with it                |

<Warning>
  **Deleting an Object Storage endpoint permanently removes the endpoint and associated buckets/objects.** This action cannot be undone. Ensure data has been backed up or migrated before deleting.
</Warning>

## Identity Policies

Identity policies define which S3 actions an access key can perform. Policies use AWS-style JSON policy documents with `Version`, `Statement`, `Effect`, `Action`, and `Resource` fields.

If you create an endpoint without custom policies, Object Storage seeds a default `system-default-admin` policy that allows `s3:*` on all resources. For production workloads, create narrower policies for each workload or team.

In the console, identity policies are managed from the **Identity Policies** tab. New policies are added by providing a policy name and uploading a `.json` policy document.

Example read/write policy for all buckets:

```json theme={null}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "*"
    }
  ]
}
```

## S3 API Compatibility

Object Storage is S3-compatible for common bucket and object workflows, but it does not implement every AWS S3 feature. See the unsupported features bellow:

| Unsupported feature              | Description                                                                                                                                                                                                                                                  |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Bucket CORS configuration**    | Bucket-level CORS rules are not supported through the S3 API. Requests such as `PutBucketCors` return `NotImplemented`.                                                                                                                                      |
| **IAM API**                      | AWS IAM-compatible APIs for users, roles, and policies are not available on the Object Storage endpoint. Manage Object Storage access through identity policies and access keys.                                                                             |
| **Lifecycle rules**              | S3 lifecycle configuration is not supported through `PutBucketLifecycleConfiguration`. This includes expiration rules, aborting incomplete multipart uploads, and noncurrent version cleanup. Implement lifecycle cleanup in your application or automation. |
| **Bucket metrics configuration** | S3 bucket metrics configuration APIs are not supported.                                                                                                                                                                                                      |
| **Bucket replication**           | S3 replication configuration, including cross-region replication and same-region replication, is not supported through `PutBucketReplication` or related APIs.                                                                                               |
| **SSE-C**                        | Server-side encryption with customer-provided keys using `x-amz-server-side-encryption-customer-*` headers is not supported.                                                                                                                                 |
| **Signature Version 2**          | Legacy SigV2 authentication is not supported. Use Signature Version 4 for all S3 requests.                                                                                                                                                                   |
| **Static website hosting**       | S3 static website hosting configuration is not supported. Serve static content through an application, web server, or CDN layer instead.                                                                                                                     |
| **Suspend versioning**           | Enabling bucket versioning is supported, but suspending versioning after it has been enabled is not supported.                                                                                                                                               |

## Step-by-Step

1. **Open Object Storage**

   * Go to **Storage → Object Storage** in the console
   * Use the search field to find an existing endpoint by name
   * Use the **Region** and **Status** filters to narrow the list

   <img src="https://mintcdn.com/nscale/nb6MvZzHGaqDMUUZ/images/object-storage-list.png?fit=max&auto=format&n=nb6MvZzHGaqDMUUZ&q=85&s=fff48ea07eec5a7206c7feb5e95e319e" alt="Object Storage endpoint list" width="1920" height="993" data-path="images/object-storage-list.png" />
2. **Create the Object Storage endpoint**
   * Click **Create Object Storage**
   * Enter an **Object Storage Name**
   * Select the **Project**
   * Select an available **Region** from the region picker
   * Click **Create Object Storage** and wait for the endpoint to reach **Provisioned**
3. **Open the endpoint details page**

   * Select the endpoint from the Object Storage list
   * Confirm the header shows the endpoint name and a **Provisioned** status badge
   * Use the **Overview**, **Access Keys**, and **Identity Policies** tabs to manage the endpoint

   <img src="https://mintcdn.com/nscale/nb6MvZzHGaqDMUUZ/images/object-storage-details.png?fit=max&auto=format&n=nb6MvZzHGaqDMUUZ&q=85&s=2904ed14e6f0fe7d739df668b21774f8" alt="Object Storage endpoint details" width="1920" height="993" data-path="images/object-storage-details.png" />
4. **Add or review identity policies**

   * Open the **Identity Policies** tab
   * To add a policy, click **Add Policy**
   * Provide a **Policy Name** and upload a `.json` custom policy document
   * Click **Add Policy**

   <img src="https://mintcdn.com/nscale/nb6MvZzHGaqDMUUZ/images/object-storage-identity-policies.png?fit=max&auto=format&n=nb6MvZzHGaqDMUUZ&q=85&s=00410f8695ae13778f595ae40bc0d830" alt="Identity Policies tab" width="1920" height="993" data-path="images/object-storage-identity-policies.png" />
5. **Create an access key**

   * Open the **Access Keys** tab
   * Click **Add Access Key**
   * Enter an access key name
   * Click **Next: Select Policy**
   * Select an existing identity policy, or upload a custom `.json` policy document and give it a policy name
   * Click **Add Access Key**
   * Copy the **Access Key ID** and **Secret Access Key** immediately from the creation dialog

   <img src="https://mintcdn.com/nscale/nb6MvZzHGaqDMUUZ/images/object-storage-access-keys.png?fit=max&auto=format&n=nb6MvZzHGaqDMUUZ&q=85&s=b03122d275b39f810575ab54d36fe6d9" alt="Access Keys tab" width="1920" height="993" data-path="images/object-storage-access-keys.png" />
6. **Configure your S3 client**
   * Set the endpoint URL, access key ID, and secret access key in your S3 client
   * Use any S3-compatible workflow to create buckets and manage objects

Example AWS CLI configuration:

```bash theme={null}
export AWS_ACCESS_KEY_ID="<access-key-id>"
export AWS_SECRET_ACCESS_KEY="<secret-access-key>"
export AWS_DEFAULT_REGION="<region-name>"
export EP="https://<endpoint-dns-name>"

aws --endpoint-url "$EP" s3api list-buckets
aws --endpoint-url "$EP" s3 mb s3://example-bucket
aws --endpoint-url "$EP" s3 cp ./data.csv s3://example-bucket/data.csv
```

## Terraform Example

If you provision infrastructure with Terraform, use the Object Storage example in the public `terraform-provider-nscale` repository as a starting point:

<Card title="Object Storage Terraform Example" icon="code" href="https://github.com/nscaledev/terraform-provider-nscale/blob/main/examples/object-storage/main.tf">
  Create an Object Storage endpoint, identity policy, and access key with the nscale Terraform provider
</Card>

## Common Issues / Troubleshooting

1. **Symptom:** You can't select a region when creating Object Storage

   **Likely cause:** The selected project already has an endpoint in that region.

   **Fix:** Choose another project, or delete the existing endpoint for that project/region if it is no longer needed.
2. **Symptom:** No endpoint URL is shown

   **Likely cause:** The endpoint is still provisioning or has not published its public exposure details yet.

   **Fix:** Wait for the endpoint status to become ready/provisioned. If the URL still does not appear, check the endpoint health status or contact support.
3. **Symptom:** You can't retrieve an access key secret later

   **Likely cause:** Secrets are returned only once, when the access key is created.

   **Fix:** Create a new access key, update your workload with the new credentials, then delete the old access key.
4. **Symptom:** S3 requests fail with access denied

   **Likely cause:** The access key is attached to an identity policy that does not allow the requested S3 action or bucket/object resource.

   **Fix:** Review the policy attached to the access key. Confirm it includes the required `s3:` actions and the correct bucket/object resources.
5. **Symptom:** You can't remove an identity policy

   **Likely cause:** One or more access keys still reference that policy.

   **Fix:** In the **Identity Policies** tab, check **Keys Using**. Delete or recreate the access keys that use the policy, then remove the policy.

***

## Related Resources

<CardGroup cols={2}>
  <Card title="Filesystem" icon="files" href="/docs/storage/file-storage">
    Use shared NFS storage when workloads need a mounted filesystem
  </Card>

  <Card title="Instances" icon="rectangle-history-circle-plus" href="/docs/compute/create-new-instances">
    Run S3-compatible clients from your compute instances
  </Card>

  <Card title="Managed Kubernetes" icon="cloud" href="/docs/compute/managed-kubernetes">
    Use Object Storage from applications running in Kubernetes clusters
  </Card>

  <Card title="API Reference" icon="code" href="/api-reference/object-storage/list-endpoints">
    Manage object storage endpoints and access keys programmatically via the Storage Service API
  </Card>
</CardGroup>
