20. Managed Object Storage
Object Storage is a computer data storage architecture that manages data as objects as opposed to block storage which manages data as blocks within sectors and tracks. Managed Object storage is commonly used to manage large amounts of unstructured data for example storing large datasets like photos, music, or files in online collaboration services. All customers data is encrypted by default using encryption at rest.
Managed Object Storage API commands allow creation, management and deletion of Object Storage devices as well as viewing Object Storage network data usage. Managed Object Storage is fully S3-compliant allowing file and bucket management using existing S3 clients.
API follows JSON Merge Patch semantics. Note when modifying nested structures payload should contain entire array, which in a sense is PUT within PATCH for them.
JSON Merge Patch uses null to explicitly indicate property deletion while absent properties are ignored, i.e. not modified.
List regions
Returns a list of available managed object storage regions.
Request
Normal response
[
{
"name": "europe-1",
"primary_zone": "fi-hel1",
"zones": [
{
"name": "fi-hel1"
},
{
"name": "de-fra1"
}
]
}
]
Get region details
Returns object storage region details by given {name}.
Request
Normal response
{
"name": "europe-1",
"primary_zone": "fi-hel1",
"zones": [
{
"name": "fi-hel1"
},
{
"name": "de-fra1"
}
]
}
Create service
Creates a new object storage service.
Request
{
"name": "example-service",
"region": "example",
"configured_status": "started",
"termination_protection": false,
"networks": [
{
"name": "example-public-network",
"type": "public",
"family": "IPv4"
},
{
"name": "example-private-network",
"uuid": "03aa7245-2ff9-49c8-9f0e-7ca0270d71a4",
"type": "private",
"family": "IPv4"
}
]
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| name | 1-64 characters, regexp pattern ^[a-zA-Z0-9_-]+$ |
yes | The name of the service must be unique within customer account. |
| region | A valid region identifier, e.g. europe-1 |
yes | Region in which the service will be hosted, see regions. |
| configured_status | started / stopped |
yes | Service status managed by the customer. |
| termination_protection | true / false |
no | Prevents the service from being deleted or shut down when set to true. |
| networks | An array of 0-8 network objects | no | Attached networks from where object storage can be used. Private networks must reside in object storage region. |
| labels | An array of 0-255 labels objects | no | Labels used for service filtering, see labels usage |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List services
Returns a list of object storage services.
Request
Query parameters
| Attribute | Accepted value | Default value | Required | Description |
|---|---|---|---|---|
| limit | 0-100 | 10 | no | Number of entries to receive at most. |
| offset | >= 0 | 0 | no | Offset for retrieved results. |
| sort | created_at, service_name, operational_state, region_name (prefix with - for descending) |
-created_at |
no | Order of returned results. |
Normal response
[
{
"configured_status": "started",
"created_at": "2023-05-07T15:55:24.655776Z",
"custom_domains": [
{
"domain_name": "objects.example-company.com",
"mode": "api",
"type": "public"
},
{
"domain_name": "static.example-company.com",
"mode": "static-website",
"type": "public"
}
],
"endpoints": [
{
"domain_name": "7mf5k.upcloudobjects.com",
"iam_url": "https://7mf5k.upcloudobjects.com:4443/iam",
"mode": "api",
"sts_url": "https://7mf5k.upcloudobjects.com:4443/sts",
"type": "public"
},
{
"domain_name": "7mf5k-private.upcloudobjects.com",
"iam_url": "https://7mf5k-private.upcloudobjects.com:4443/iam",
"mode": "api",
"sts_url": "https://7mf5k-private.upcloudobjects.com:4443/sts",
"type": "private"
},
{
"domain_name": "7mf5k-static.upcloudobjects.com",
"mode": "static-website",
"type": "public"
}
],
"labels": [
{
"key": "example-key",
"value": "example-value"
}
],
"name": "example-service",
"networks": [
{
"family": "IPv4",
"name": "example-public-network",
"type": "public"
},
{
"family": "IPv4",
"name": "example-private-network",
"type": "private",
"uuid": "03aa7245-2ff9-49c8-9f0e-7ca0270d71a4"
}
],
"operational_state": "running",
"region": "europe-1",
"state_messages": [],
"static_websites": [
{
"bucket_name": "my-website",
"bucket_prefix": "",
"created_at": "2023-05-07T16:00:00.000000Z",
"domain_name": "7mf5k-static.upcloudobjects.com",
"enabled": true,
"error_pages": [],
"index_document": "index.html",
"spa_mode": false,
"updated_at": "2023-05-07T16:00:00.000000Z"
}
],
"termination_protection": false,
"updated_at": "2023-05-07T21:38:15.757405Z",
"usage": {
"total_objects": 310499,
"total_size_bytes": 32414921734
},
"uuid": "1200ecde-db95-4d1c-9133-6508f3232567"
}
]
Notes:
- Please see service configured statuses and operational states description.
- Static website endpoints (
mode: static-website) only serve static content and do not provide S3 API access, soiam_urlandsts_urlfields are omitted from their response.
Get service details
Returns object storage service details by given {service_uuid}.
Request
Normal response
{
"configured_status": "started",
"created_at": "2023-05-07T15:55:24.655776Z",
"custom_domains": [],
"endpoints": [
{
"domain_name": "7mf5k.upcloudobjects.com",
"iam_url": "https://7mf5k.upcloudobjects.com:4443/iam",
"mode": "api",
"sts_url": "https://7mf5k.upcloudobjects.com:4443/sts",
"type": "public"
},
{
"domain_name": "7mf5k-private.upcloudobjects.com",
"iam_url": "https://7mf5k-private.upcloudobjects.com:4443/iam",
"mode": "api",
"sts_url": "https://7mf5k-private.upcloudobjects.com:4443/sts",
"type": "private"
},
{
"domain_name": "7mf5k-static.upcloudobjects.com",
"mode": "static-website",
"type": "public"
}
],
"labels": [
{
"key": "example-key",
"value": "example-value"
}
],
"name": "example-service",
"networks": [
{
"family": "IPv4",
"name": "example-public-network",
"type": "public"
},
{
"family": "IPv4",
"name": "example-private-network",
"type": "private",
"uuid": "03aa7245-2ff9-49c8-9f0e-7ca0270d71a4"
}
],
"operational_state": "setup-checkup",
"region": "europe-1",
"state_messages": [
{
"code": "waiting_certificate_issuing",
"created_at": "2025-01-16T11:20:40.372611Z",
"message": "Certificate issuing is in progress for domains: 7mf5k-private.upbucket.com, *.7mf5k-private.upbucket.com.",
"operational_state": "setup-checkup",
"updated_at": "2025-01-16T11:20:40.372611Z"
}
],
"static_websites": [
{
"bucket_name": "my-website",
"bucket_prefix": "",
"created_at": "2023-05-07T16:00:00.000000Z",
"domain_name": "7mf5k-static.upcloudobjects.com",
"enabled": true,
"error_pages": [],
"index_document": "index.html",
"spa_mode": false,
"updated_at": "2023-05-07T16:00:00.000000Z"
}
],
"termination_protection": false,
"updated_at": "2023-05-07T21:38:15.757405Z",
"usage": {
"total_objects": 310499,
"total_size_bytes": 32414921734
},
"users": [
{
"access_keys": [
{
"access_key_id": "AKIA63F41D01345BB477",
"created_at": "2023-05-07T20:52:19.705405Z",
"last_used_at": "2023-05-07T20:52:17Z",
"status": "Active"
}
],
"arn": "urn:ecs:iam::123bbb5c6a4240409e07f7d89fe28891:user/example_user",
"created_at": "2023-05-07T15:55:24.655776Z",
"policies": [
{
"arn": "urn:ecs:iam:::policy/ECSS3FullAccess",
"name": "ECSS3FullAccess"
},
{
"arn": "urn:ecs:iam:::policy/IAMFullAccess",
"name": "IAMFullAccess"
}
],
"username": "example_user"
}
],
"uuid": "1200ecde-db95-4d1c-9133-6508f3232567"
}
Notes:
- Please see service configured statuses and operational states description.
Replace service
Replaces existing object storage service by given {service_uuid}.
Request
{
"name": "example-service",
"configured_status": "started",
"termination_protection": false,
"networks": [
{
"name": "example-public-network",
"type": "public",
"family": "IPv4"
},
{
"name": "example-private-network",
"uuid": "03aa7245-2ff9-49c8-9f0e-7ca0270d71a4",
"type": "private",
"family": "IPv4"
}
],
"labels": [
{
"key": "example-label-key",
"value": "example-label-value"
}
]
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| name | 1-64 characters, regexp pattern ^[a-zA-Z0-9_-]+$ |
yes | The name of the service must be unique within customer account. |
| configured_status | started / stopped |
yes | Service status managed by the customer. |
| termination_protection | true / false |
no | Prevents the service from being deleted or shut down when set to true. |
| networks | An array of 0-8 network objects | no | Attached networks from where object storage can be used. Private networks must reside in object storage region. |
| labels | An array of 0-255 labels objects | no | Labels used for service filtering, see labels usage |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
| 404 Not Found | RESOURCE_NOT_FOUND | Service with provided UUID not found. |
Modify service
Modifies existing object storage service by given {service_uuid}.
Request
{
"name": "example-service",
"configured_status": "started",
"termination_protection": false,
"networks": [
{
"name": "example-private-network",
"uuid": "03aa7245-2ff9-49c8-9f0e-7ca0270d71a4",
"type": "private",
"family": "IPv4"
}
],
"labels": null
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| name | 1-64 characters, regexp pattern ^[a-zA-Z0-9_-]+$ |
no | The name of the service must be unique within customer account. |
| configured_status | started / stopped |
no | Service status managed by the customer. |
| termination_protection | true / false |
no | Prevents the service from being deleted or shut down when set to true. |
| networks | An array of 0-8 network objects | no | Attached networks from where object storage can be used. Private networks must reside in object storage region. |
| labels | An array of 0-255 labels objects | no | Labels used for service filtering, see labels usage |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
| 404 Not Found | RESOURCE_NOT_FOUND | Service with provided UUID not found. |
Delete service
Deletes existing object storage service by given {service_uuid}. By default, the deletion of a service is permitted only after
all buckets and IAM resource (users, policies) within the service have been successfully deleted.
Request
Query parameters
| Attribute | Accepted value | Default value | Required | Description |
|---|---|---|---|---|
| force | true / false |
false | no | If the parameter provided the deletion process starts even if service is not empty, e.g. contains buckets with objects or IAM entities. Be careful, once deletion process was started the objects cannot be restored. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 400 Bad Request | SERVICE_ERROR | Service is protected against termination and shutdown. Remove termination protection first. |
| 404 Not Found | RESOURCE_NOT_FOUND | Service with provided UUID not found. |
Create bucket
Creates a new service bucket by the given {service_uuid}.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-254 characters | true | Must be unique within the service, and should contain only alphanumeric, .,- and _. |
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Delete bucket
Deletes an existing bucket by given {service_uuid} and {bucket_name}.
This API call will remove all objects from the bucket permanently and cannot be reversed.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Get service metrics
Returns object storage metrics by given {service_uuid}.
Request
Normal response
Attributes
| Attribute | Description |
|---|---|
| total_objects | Total amount of uploaded objects. |
| total_size_bytes | Total size of uploaded objects in bytes. |
List bucket metrics
Request
Query parameters
| Attribute | Accepted value | Default value | Required | Description |
|---|---|---|---|---|
| limit | 0-100 | 10 | no | Number of entries to receive at most. |
| offset | >= 0 | 0 | no | Offset for retrieved results. |
Normal response
[
{
"name": "example-bucket-1",
"total_objects": 157,
"total_size_bytes": 5293771
},
{
"name": "example-bucket-2",
"total_objects": 12,
"total_size_bytes": 832226
}
]
List service metrics series
Returns Object Storage instance metrics series by a given {service_uuid}.
Request
Query parameters
| Attribute | Accepted value | Default value | Required | Description |
|---|---|---|---|---|
| from | RFC 3339 timestamp | 24 hours ago | no | Beginning of the time range for which to return metrics. |
| to | RFC 3339 timestamp | Current time | no | End of the time range for which to return metrics. |
| interval | 1h-24h string |
1h |
no | Metrics aggregation interval. |
| sort | start_at,-start_at |
-start_at |
no | Order of returned results. |
| limit | 0-100 | 10 |
no | Number of entries to receive at most. |
| offset | >=0 | 0 |
no | Offset for retrieved results. |
Normal response
[
{
"bytes_created": 530000,
"bytes_deleted": 244000,
"bytes_received": 530000,
"bytes_total": 7502000,
"bytes_transmitted": 0,
"end_at": "2023-10-31T12:00:00Z",
"objects_created": 79,
"objects_deleted": 40,
"objects_total": 1237,
"start_at": "2023-10-31T11:00:00Z"
},
{
"bytes_created": 490000,
"bytes_deleted": 248000,
"bytes_received": 490000,
"bytes_total": 7216000,
"bytes_transmitted": 0,
"end_at": "2023-10-31T11:00:00Z",
"objects_created": 79,
"objects_deleted": 40,
"objects_total": 1198,
"start_at": "2023-10-31T10:00:00Z"
},
{
"bytes_created": 494000,
"bytes_deleted": 190000,
"bytes_received": 494000,
"bytes_total": 6974000,
"bytes_transmitted": 0,
"end_at": "2023-10-31T10:00:00Z",
"objects_created": 82,
"objects_deleted": 36,
"objects_total": 1159,
"start_at": "2023-10-31T09:00:00Z"
}
]
Attributes
| Attribute | Description |
|---|---|
| bytes_total | Total size of data stored as of end_at, in bytes. |
| bytes_created | Bytes created within the time interval marked by start_at and end_at. |
| bytes_deleted | Bytes deleted within the time interval marked by start_at and end_at. |
| bytes_received | Bytes received within the time interval marked by start_at and end_at. |
| bytes_transmitted | Bytes transmitted within the time interval marked by start_at and end_at. |
| objects_total | Total number of objects as of end_at. |
| objects_created | Number of objects created within the time interval marked by start_at and end_at. |
| objects_deleted | Number of objects deleted within the time interval marked by start_at and end_at. |
| start_at | The timestamp marking the start of the data aggregation interval, inclusive. |
| end_at | The timestamp marking the end of the data aggregation interval, exclusive. |
Create network
Creates a new service network by given {service_uuid}.
Request
public network:
or private network:
{
"name": "example-private-network",
"uuid": "03bec0ad-85c3-459e-824d-710f8f24f740",
"type": "private",
"family": "IPv4"
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| name | 1-64 characters, regexp pattern ^[a-zA-Z0-9_-]+$ |
yes | The name of the network must be unique within the service. |
| uuid | A valid network uuid | yes | Private network uuid. For public networks the field should be omitted. |
| type | public / private |
yes | The type of the network. |
| family | IPv4 |
yes | Network family. IPv6 currently not supported. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List networks
Returns a list of available service networks by given {service_uuid}.
Request
Normal response
[
{
"family": "IPv4",
"name": "example-public-network",
"type": "public"
},
{
"family": "IPv4",
"name": "example-private-network",
"type": "private",
"uuid": "03aa7245-2ff9-49c8-9f0e-7ca0270d71a4"
}
]
Get network details
Returns service network details by given {service_uuid} and {network_name}.
Request
Normal response
{
"family": "IPv4",
"name": "example-private-network",
"type": "private",
"uuid": "03bec0ad-85c3-459e-824d-710f8f24f740"
}
Delete network
Deletes existing network by given {service_uuid} and {network_name}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
List groups
Returns a list of available service groups by given {service_uuid}.
Request
Normal response
[
{
"arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:group/test-group",
"created_at": "2024-04-15T16:28:45Z",
"name": "test-group"
}
]
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Get group
Get a single group identified by {service_uuid}, and {group_name}.
Request
Normal response
{
"arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:group/test-data",
"created_at": "2024-04-15T16:28:45Z",
"name": "test-data"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create group
Creates an iam group.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM group. |
Normal response
{
"arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:group/new-group",
"created_at": "2024-04-16T13:25:56Z",
"name": "new-group"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Attach user to group
Attaches an iam user to a group identified by {group_name}, and {username}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Remove user from group
Removes an iam user from the group identified by {group_name}, and {username}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Delete group
Deletes a group identified by {group_name}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List group inline policies
Lists the group inline policies by the given {service_uuid}, and {group_name}.
Request
Normal response
[
{
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"name": "sample-policy"
}
]
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Get group inline policy
Get the group inline policy by the given {service_uuid}, {group_name} and {policy_name}.
Request
Normal response
{
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"name": "sample-policy"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create group inline policy
Creates a group inline policy by the given {service_uuid}, and {group_name}.
Request
{
"name": "sample-policy",
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Attributes
| Attribute | Accepted Value | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM group. | |
| document | 1-6144 characters | yes | A valid policy document, URL-encoded compliant with RFC 3986. |
Normal response
{
"name": "sample-policy",
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Delete group inline policy
Deletes the group inline policy by the given {service_uuid}, {group_name}, and {policy_name}.
Request
DELETE /1.3/object-storage-2/{service_uuid}/groups/{group_name}/inline-policies/{policy_name} HTTP/1.1
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List Roles
Lists the roles.
Request
Normal response
[
{
"arn": "urn:ecs:iam::12e8c7066c0445c284c1381f899bcee7:role/example",
"assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":[\"urn:ecs:iam::12442a2fbc06434889edb631be2d0968:user/user1\"]},\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"created_at": "2024-09-19T12:43:24Z",
"description": "An example role",
"inline_policies": [
{
"name": "InlinePolicy"
}
],
"max_session_duration": 36000,
"name": "example",
"permissions_boundary": "SamplePolicy",
"policies": [
{
"arn": "urn:ecs:iam::12e8c7066c0445c284c1381f899bcee7:policy/SamplePolicy",
"name": "SamplePolicy"
}
]
}
]
Get Role
Get a single role identified by {service_uuid}, and {role_name}.
Request
Normal response
{
"arn": "urn:ecs:iam::12e8c7066c0445c284c1381f899bcee7:role/example",
"assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":[\"urn:ecs:iam::12442a2fbc06434889edb631be2d0968:user/user1\"]},\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"created_at": "2024-09-19T12:43:24Z",
"description": "An example role",
"inline_policies": [
{
"name": "InlinePolicy"
}
],
"max_session_duration": 36000,
"name": "example",
"permissions_boundary": "SamplePolicy",
"policies": [
{
"arn": "urn:ecs:iam::12e8c7066c0445c284c1381f899bcee7:policy/SamplePolicy",
"name": "SamplePolicy"
}
],
"tags": [
{
"key": "tag1",
"value": "key1"
},
{
"key": "tag2",
"value": "key2"
}
]
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Not found. |
Create Role
Creates a service IAM role.
Request
{
"name": "test-role",
"assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":[\"urn:ecs:iam::ns1:user/test-user\"]},\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"description": "A test role.",
"max_session_duration": 3600,
"permissions_boundary": "test-policy",
"tags": [
{
"key": "department",
"value": "Finance"
},
{
"key": "school",
"value": "University of Helsinki"
}
]
}
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-64 characters | true | A valid string to represent the name of the IAM role. Please note that _upcloud-internal-role is reserved for internal use and cannot be created. |
|
| assume_role_policy_document | Max of 131072 characters | true | A valid string to represent the policy document that grants an entity permission to assume the role. | |
| description | 1-1000 characters | false | A valid string representing the description of the role. | |
| max_session_duration | Range: 900-43200 | 3600 | false | The maximum session duration (in seconds) for the specified role. |
| permissions_boundary | 1-128 characters | false | The policy name that is used to set the permissions boundary for the role. | |
| tags | A valid JSON document. | false | The tags to attach to the role (array of tag items), with a maximum of 50 tags. |
Normal response
{
"arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:role/test-role",
"assume_role_policy_document": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": \"sts:AssumeRole\",\"Principal\": {\"AWS\": [\"urn:ecs:iam::ns1:user/Demby\"]},\"Effect\": \"Allow\",\"Resource\": \"*\"}]}",
"created_at": "2024-05-07T09:18:17Z",
"description": "A test role.",
"max_session_duration": 3600,
"name": "test-role",
"policies": [],
"inline_policies": [],
"permissions_boundary": "test-policy",
"tags": [
{
"key": "department",
"value": "Finance"
},
{
"key": "school",
"value": "University of Helsinki"
}
]
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Update Role
Updates a service's IAM role.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| description | 1-1000 characters | false | A valid string representing the description of the role. | |
| max_session_duration | Range: 900-43200 | 3600 | false | The maximum session duration (in seconds) for the specified role. |
Normal response
{
"arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:role/test-role",
"assume_role_policy_document": "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": \"sts:AssumeRole\",\"Principal\": {\"AWS\": [\"urn:ecs:iam::ns1:user/Demby\"]},\"Effect\": \"Allow\",\"Resource\": \"*\"}]}",
"created_at": "2024-05-07T09:18:17Z",
"description": "New Description",
"max_session_duration": 3900,
"name": "test-role",
"permissions_boundary": {
"permissions_boundary_arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:policy/test-policy",
"permissions_boundary_type": "Policy"
},
"tags": [
{
"key": "department",
"value": "Finance"
},
{
"key": "school",
"value": "University of Helsinki"
}
]
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 404 Not found | RESOURCE_NOT_FOUND | Not found. |
Delete Role
Deletes a service's IAM role.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Not found. |
List Attached Role Policies
Lists all policies attached to a service's IAM role.
Request
Normal response
[
{
"policy_name": "test-policy",
"policy_arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:policy/test-policy"
}
]
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Not found. |
Attach Policy To Role
Attaches a policy to a service's IAM role.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM policy. |
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Detach Policy From Role
Detaches a policy from a service's IAM role.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Not found. |
Create policy
Creates a new service policy by given {service_uuid}.
Request
{
"name": "example-policy",
"description": "example-description",
"document": "%7B%22Version%22%3A%20%222012-10-17%22%2C%20%20%22Statement%22%3A%20%5B%7B%22Action%22%3A%20%5B%22iam%3AGetUser%22%5D%2C%20%22Resource%22%3A%20%22%2A%22%2C%20%22Effect%22%3A%20%22Allow%22%2C%20%22Sid%22%3A%20%22editor%22%7D%5D%7D"
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| name | 1-128 characters, regexp pattern [\\w+=,.@-]+ |
yes | The name of the policy must be unique within the service. |
| description | 1-1000 characters | no | The policy description. |
| document | 1-6144 characters | yes | A valid policy document, URL-encoded compliant with RFC 3986. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List policies
Returns a list of available service policies by given {service_uuid}.
Request
Normal response
[
{
"arn": "urn:ecs:iam:::policy/ECSDenyAll",
"attachment_count": 0,
"created_at": "2024-02-05T11:06:17Z",
"default_version_id": "v1",
"description": "Deny all access.",
"name": "ECSDenyAll",
"system": true,
"updated_at": "2024-02-05T11:06:17Z"
},
{
"arn": "urn:ecs:iam:::policy/ECSS3FullAccess",
"attachment_count": 1,
"created_at": "2024-02-05T11:06:16Z",
"default_version_id": "v1",
"description": "Provides full access to all buckets.",
"name": "ECSS3FullAccess",
"system": true,
"updated_at": "2024-02-05T11:06:16Z"
},
{
"arn": "urn:ecs:iam:::policy/ECSS3ReadOnlyAccess",
"attachment_count": 0,
"created_at": "2024-02-05T11:06:16Z",
"default_version_id": "v1",
"description": "Provides read only access to all buckets.",
"name": "ECSS3ReadOnlyAccess",
"system": true,
"updated_at": "2024-02-05T11:06:16Z"
},
{
"arn": "urn:ecs:iam:::policy/IAMFullAccess",
"attachment_count": 1,
"created_at": "2024-02-05T11:06:16Z",
"default_version_id": "v1",
"description": "Provides full access to IAM.",
"name": "IAMFullAccess",
"system": true,
"updated_at": "2024-02-05T11:06:16Z"
},
{
"arn": "urn:ecs:iam:::policy/IAMReadOnlyAccess",
"attachment_count": 0,
"created_at": "2024-02-05T11:06:16Z",
"default_version_id": "v1",
"description": "Provides read only access to IAM.",
"name": "IAMReadOnlyAccess",
"system": true,
"updated_at": "2024-02-05T11:06:16Z"
}
]
Get policy details
Returns service policy details by given {service_uuid} and {policy_name}.
Request
Normal response
{
"arn": "urn:ecs:iam:::policy/ECSS3FullAccess",
"attachment_count": 0,
"created_at": "2024-02-05T11:06:16Z",
"default_version_id": "v1",
"description": "Provides full access to all buckets.",
"document": "%7B%0A++++%22Version%22%3A+%222012-10-17%22%2C%0A++++%22Statement%22%3A+%5B%0A++++++++%7B%0A++++++++++++%22Effect%22%3A+%22Allow%22%2C%0A++++++++++++%22Action%22%3A+%22s3%3A*%22%2C%0A++++++++++++%22Resource%22%3A+%22*%22%0A++++++++%7D%0A++++%5D%0A%7D",
"name": "ECSS3FullAccess",
"system": true,
"updated_at": "2024-02-05T11:06:16Z"
}
Note: The policy document, URL-encoded compliant with RFC 3986.
Delete policy
Deletes existing policy by given {service_uuid} and {policy_name}.
Request
List IAM Group Policies
Lists IAM policies attached to a group, identified by {service_uuid}, and {group_name}.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM group. |
Normal response
[
{
"arn": "urn:ecs:iam::1263b59181cc4841969358b08ed70026:policy/test-policy",
"name": "test-policy"
}
]
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Attach IAM Group Policy
Attaches a policy to a group, identified by {service_uuid}, and {group_name}.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM group. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Detach IAM Group Policy
Detaches a policy from a group, identified by {service_uuid}, and {group_name}.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM group. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Create policy version
Creates a policy version by the given {service_uuid}, and {policy_name}.
Request
{
"document": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22%2A%22%5D%2C%22Effect%22%3A%22Deny%22%2C%22Resource%22%3A%22%2A%22%7D%5D%7D",
"is_default": true
}
{
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"*\"],\"Effect\":\"Deny\",\"Resource\":\"*\"}]}",
"is_default": true
}
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| document | 1-6144 characters | true | A valid policy document, URL-encoded compliant with RFC 3986. | |
| is_default | true / false |
false |
false | Determines if the newly created policy version will be set as the default. |
Normal response
{
"create_date": "2024-03-27T17:24:38.000071+02:00",
"document": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22%2A%22%5D%2C%22Effect%22%3A%22Deny%22%2C%22Resource%22%3A%22%2A%22%7D%5D%7D",
"is_default": true,
"version_id": "v2"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List policy versions
Lists policy versions given by {service_uuid}, and {policy_name}.
Request
Normal response
[
{
"create_date": "2024-03-25T12:47:40Z",
"document": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22*%22%5D%2C%22Resource%22%3A%22*%22%2C%22Effect%22%3A%22Deny%22%7D%5D%7D",
"is_default": false,
"version_id": "v4"
},
{
"create_date": "2024-03-25T12:47:38Z",
"document": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22*%22%5D%2C%22Resource%22%3A%22*%22%2C%22Effect%22%3A%22Deny%22%7D%5D%7D",
"is_default": false,
"version_id": "v3"
}
]
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Get policy version
Get a single policy version by the given {service_uuid}, {policy_name}, and {policy_version}.
Request
Normal response
{
"create_date": "2024-03-27T17:24:38.000071+02:00",
"document": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Action%22%3A%5B%22%2A%22%5D%2C%22Effect%22%3A%22Deny%22%2C%22Resource%22%3A%22%2A%22%7D%5D%7D",
"is_default": true,
"version_id": "v2"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Delete a policy version
Deletes a policy version by the given {service_uuid}, {policy_name}, and {policy_version}.
Request
DELETE /1.3/object-storage-2/{service_uuid}/policies/{policy_name}/versions/{policy_version} HTTP/1.1
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create user
Creates a new service user by given {service_uuid}.
Request
Response
{
"access_keys": [],
"created_at": "2023-05-07T18:19:16.507681Z",
"policies": [],
"username": "example_user"
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| username | 1-64 characters, regexp pattern [\\w+=,.@-]+ |
yes | The name of the user to create. Please note that _upcloud-internal-user is reserved for internal use and cannot be created. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List users
Returns a list of available service users by given {service_uuid}.
Request
Normal response
[
{
"access_keys": [
{
"access_key_id": "AKIA63F41D01345BB477",
"created_at": "2023-05-07T20:52:19.705405Z",
"last_used_at": "2023-05-07T20:52:17Z",
"status": "Active"
}
],
"arn": "urn:ecs:iam::123bbb5c6a4240409e07f7d89fe28891:user/example_user",
"created_at": "2023-05-07T15:55:24.655776Z",
"policies": [
{
"arn": "urn:ecs:iam:::policy/ECSS3FullAccess",
"name": "ECSS3FullAccess"
},
{
"arn": "urn:ecs:iam:::policy/IAMFullAccess",
"name": "IAMFullAccess"
}
],
"username": "example_user"
}
]
Get user details
Returns service user details by given {service_uuid} and {username}.
Request
Normal response
{
"access_keys": [
{
"access_key_id": "AKIA63F41D01345BB477",
"created_at": "2023-05-07T20:52:19.705405Z",
"last_used_at": "2023-05-07T20:52:17Z",
"status": "Active"
}
],
"arn": "urn:ecs:iam::123bbb5c6a4240409e07f7d89fe28891:user/example_user",
"created_at": "2023-05-07T15:55:24.655776Z",
"policies": [
{
"arn": "urn:ecs:iam:::policy/ECSS3FullAccess",
"name": "ECSS3FullAccess"
},
{
"arn": "urn:ecs:iam:::policy/IAMFullAccess",
"name": "IAMFullAccess"
}
],
"username": "example_user"
}
Delete user
Deletes existing user by given {service_uuid} and {username}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Get user tags
Returns a user's tags by the given {service_uuid}, and {username}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Replace user tags
Replaces a user's tags by the given {service_uuid}, and {username}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Delete user tags
Deletes a user's tag by the given {service_uuid}, {username}, and {tag_key}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create user permissions boundary
Creates a user's permissions boundary by the given {service_uuid}, and {username}.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| policy_name | 1-128 characters | true | A valid string to represent the name of the IAM policy. |
Normal response
Delete user permissions boundary
Deletes a user's permissions boundary by the given {service_uuid}, and {username}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List user inline policies
Lists the user inline policies by the given {service_uuid}, and {username}.
Request
Normal response
[
{
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"name": "ECSS3FullAccess"
}
]
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Get user inline policy
Get the user inline policy by the given {service_uuid}, {username} and {policy_name}.
Request
Normal response
{
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"name": "ECSS3FullAccess"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create user inline policy
Creates a user inline policy by the given {service_uuid}, and {username}.
Request
{
"name": "ECSS3FullAccess",
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Attributes
| Attribute | Accepted Value | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM group. | |
| document | 1-6144 characters | yes | A valid policy document, URL-encoded compliant with RFC 3986. |
Normal response
{
"name": "ECSS3FullAccess",
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Delete user inline policy
Deletes the user inline policy by the given {service_uuid}, {username}, and {policy_name}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create access key
Creates a new access key by given {service_uuid} and {username}.
Request
Normal response
{
"access_key_id": "AKIA589142A152F5E423",
"created_at": "2023-05-07T22:58:26.239729Z",
"last_used_at": "2023-05-07T22:58:26.239729Z",
"secret_access_key": "xbINHFALkXjFjmxhAYL8mJnODRDX91OM7cCd2+1Y",
"status": "Active"
}
Note: customer can get secret_access_key only once on access key creation. UpCloud doesn't store customers secret keys.
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List access keys
Returns a list of available access keys by given {service_uuid} or {username}.
Request
Normal response
[
{
"access_key_id": "AKIA63F41D01345BB477",
"created_at": "2023-05-07T20:52:19.705405Z",
"last_used_at": "2023-05-07T20:52:17Z",
"status": "Active"
}
]
Get access key details
Returns access key details by given {service_uuid} and {username} and {access-key-id}.
Request
Normal response
{
"access_key_id": "AKIA63F41D01345BB477",
"created_at": "2023-05-07T20:52:19.705405Z",
"last_used_at": "2023-05-07T20:52:17Z",
"status": "Active"
}
Modify access key details
Modifies access key details by given {service_uuid} and {username} and {access-key-id}.
Request
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| status | Active/Inactive |
no | Indicates is the key active or inactive. |
Normal response
Delete access key
Deletes existing access key by given {service_uuid} and {username} and {access-key-id}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
List attached user policies
Returns a list of attached user policies by given {service_uuid} or {username}.
Request
Normal response
[
{
"arn": "urn:ecs:iam:::policy/ECSS3FullAccess",
"name": "ECSS3FullAccess"
},
{
"arn": "urn:ecs:iam:::policy/IAMFullAccess",
"name": "IAMFullAccess"
}
]
Attach user policy
Attach a policy by given {service_uuid} and {username}.
Request
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| name | Policy name | yes | A valid policy name. |
Normal response
Detach user policy
Detach a policy by given {service_uuid}, {username} and {policy_name}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Create label
Creates a new label by given {service_uuid}.
Labels used for service filtering.
Labels usage examples
Below are some examples of what certain GET requests might look like.
- exact match:
GET /1.3/object-storage-2?label=env%3Dstaging - existence:
GET /1.3/object-storage-2?label=env - multiple:
GET /1.3/object-storage-2?label=env&label=foo%3Dbar
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| key | 2-32 printable ASCII characters (range 0x20-0x7E), must not start with _ |
yes | Represents the label identifier. The key is unique within a service. |
| value | 0-255 characters, regexp pattern \A[\p{L}\p{N}\p{P}\p{S}\p{M}\p{Z}]*\z |
yes | Represents the label value. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List labels
Returns a list of available service labels by given {service_uuid}.
Request
Normal response
Get label details
Returns label details by given {service_uuid} and {key}.
Request
Normal response
Modify label
Modifies existing label by given {service_uuid} and {key}.
Request
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| key | 2-32 printable ASCII characters (range 0x20-0x7E), must not start with _ |
no | Represents the label identifier. The key is unique within a service. |
| value | 0-255 characters, regexp pattern \A[\p{L}\p{N}\p{P}\p{S}\p{M}\p{Z}]*\z / null |
no | Represents the label value. |
Normal response
Delete label
Deletes existing label by given {service_uuid} and {key}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Service configured status
The service configured status indicates the service's current intended status. Managed by the customer.
| Status | Description |
|---|---|
| started | The service is running. |
| stopped | The service is stopped. |
Service operational state
The service operational state indicates the service's current operational, effective state. Managed by the system.
| State | Description |
|---|---|
| pending | Indicates newly created service or started reconfiguration. |
| setup-service | Configuring service. |
| setup-network | Configuring network. |
| setup-tls | Configuring TLS certificates. |
| setup-public-endpoint | Configuring public endpoint. |
| setup-private-endpoint | Configuring private endpoint. |
| setup-dns | Updating DNS records. |
| setup-iam | Configuring IAM entities. |
| cleanup-deleted-buckets | Cleaning up buckets in deletion state. |
| setup-checkup | Verifying object storage correctly configured and running. |
| running | Indicates service up and running. |
| stopped | Indicates service is down. |
| delete-private-endpoint | Removing private endpoint. |
| delete-public-endpoint | Removing public endpoint. |
| delete-buckets | Deleting service buckets. |
| delete-iam | Removing IAM entities. |
| delete-namespace | Removing service namespace. |
| delete-dns | Removing DNS records. |
| delete-tls | Removing TLS certificates. |
| delete-network | Removing network configuration. |
| delete-service | Deleting the service. |
Attach custom domain
Attaches a new custom domain to the service identified by {service_uuid}.
A maximum of 5 custom domains can be added per service.
Custom domains support two modes:
api(default) — Routes traffic to the S3 API storage backend. The domain can be used as an S3 endpoint for bucket and object operations.static-website— Routes traffic through static website hosting rules. The domain serves static content from a configured S3 bucket. Requires a static website configuration to be created for the domain.
DNS records setup
To attach a custom domain, public access to the service must be enabled and DNS records must be configured. The same DNS setup applies to both api and static-website mode domains.
Assume the service has public endpoint zzzzz.upcloudobjects.com and custom domain to be attached is objects.example.com, these are the expected records under example.com domain:
| Type | Host | Target |
|---|---|---|
| CNAME | objects |
zzzzz.upcloudobjects.com |
| CNAME | *.objects |
zzzzz.upcloudobjects.com |
| CNAME | _acme-challenge.objects |
Domain obtained from DNS challenge request e.g. _acme-challenge.xxxxx.upcloudlb.com or such |
Apex domains (e.g., example.com) cannot use standard CNAME records per the DNS specification, as CNAME records cannot coexist with other record types at the zone root. To use an apex domain as a custom domain, configure an ALIAS or CNAME flattening record instead, pointing to the service's public endpoint. Note that not all DNS providers support ALIAS or CNAME flattening — check with your provider before using an apex domain.
Request
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| domain_name | Must consist of 2 to 5 parts, e.g. example.com or objects.example.com. Apex domains (2-part) require ALIAS or CNAME flattening, see DNS records setup. |
yes | Custom domain to be added. |
| mode | api / static-website |
no | Routing mode for the domain. Defaults to api. Cannot be changed after creation. See static website. |
| type | At the moment only public is accepted. |
yes | Type of the custom domain. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Get custom domain details
Returns custom domain details by given {service_uuid} and {domain_name}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
List custom domains
Returns a list of custom domains attached to a service by given {service_uuid}.
Request
Normal response
[
{
"domain_name": "objects.example.com",
"mode": "api",
"type": "public"
},
{
"domain_name": "static.example.com",
"mode": "static-website",
"type": "public"
}
]
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Delete custom domain
Deletes existing custom domain by given {service_uuid} and {domain_name}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Modify custom domain
Modifies existing custom domain by given {service_uuid} and {domain_name}.
Note: The mode field is immutable and cannot be changed after creation. To change the mode, delete and recreate the custom domain.
Request
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| domain_name | Must consist of 2 to 5 parts, e.g. example.com or objects.example.com. Apex domains (2-part) require ALIAS or CNAME flattening, see DNS records setup. |
yes | New modified custom domain. |
| type | At the moment only public is accepted. |
yes | Type of the custom domain. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
Static website hosting
Static website hosting enables serving static content (HTML, CSS, JS, images) directly from S3 buckets via dedicated domains.
Each service with a public endpoint automatically gets a primary static domain derived from the API domain by inserting -static after the first DNS label (e.g., 7mf5k.upcloudobjects.com becomes 7mf5k-static.upcloudobjects.com). Custom domains attached in static-website mode can also be used for static hosting.
Static websites only serve GET and HEAD requests. All other HTTP methods return 405 Method Not Allowed. The S3 bucket used for static hosting must have a public read policy configured for content to be accessible.
SPA mode
When spa_mode is enabled, all requests for paths without a file extension are served the configured index_document (default index.html). Requests for paths with file extensions (e.g., .css, .js, .png) are served directly from the bucket. This allows client-side routing frameworks (React, Vue, Angular) to handle URL paths.
When spa_mode is disabled (default), directory paths serve index.html from the corresponding bucket path, and extensionless paths attempt to serve a .html file with the same name.
List static website configs
Returns a list of static website configurations for the service identified by {service_uuid}.
Request
Normal response
[
{
"bucket_name": "my-website",
"bucket_prefix": "",
"created_at": "2026-02-12T10:00:00.000000Z",
"domain_name": "7mf5k-static.upcloudobjects.com",
"enabled": true,
"error_pages": [],
"index_document": "index.html",
"spa_mode": false,
"updated_at": "2026-02-12T10:00:00.000000Z"
}
]
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Service not found. |
Create static website config
Creates a new static website configuration for the service identified by {service_uuid}.
The domain_name field is optional. If omitted, the configuration targets the service's primary static domain (e.g., 7mf5k-static.upcloudobjects.com) which is automatically provisioned for each service with a public endpoint. To configure a custom domain instead, provide the domain_name of a custom domain that was attached in static-website mode.
Request
{
"domain_name": "static.example.com",
"bucket_name": "my-website",
"bucket_prefix": "public/",
"index_document": "index.html",
"spa_mode": false,
"enabled": true,
"error_pages": [
{
"status_code": 404,
"error_document": "errors/404.html"
}
]
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| domain_name | A custom domain in static-website mode attached to the service. |
no | Domain to configure. If omitted, configures the primary static domain automatically provisioned for the service. |
| bucket_name | 1-254 characters, pattern ^[a-zA-Z0-9.\-_]+$ |
yes | S3 bucket from which static content is served. Must have a public read policy. |
| bucket_prefix | 0-1024 characters, pattern ^[a-zA-Z0-9/.\-_]*$ |
no | Path prefix within the bucket. For example, dist/ serves content from the dist/ folder. Defaults to empty string (bucket root). |
| index_document | 1-255 characters, pattern ^[a-zA-Z0-9/.\-_]+$ |
no | Default document served for directory paths. Defaults to index.html. |
| spa_mode | true / false |
no | Enable single-page application mode. See SPA mode. Defaults to false. |
| enabled | true / false |
no | Enable or disable serving content on this domain. Defaults to true. |
| error_pages | An array of 0-25 error page objects | no | Custom error pages served when the storage backend returns an error status. See error pages. |
Error pages
Each error page object must contain an error_document and either a status_code or a status_range:
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| status_code | Integer, 400-599 | yes* | Exact HTTP status code to match. Mutually exclusive with status_range. |
| status_range.start | Integer, 400-599 | yes* | Start of the status code range (inclusive). |
| status_range.end | Integer, 400-599 | yes* | End of the status code range (inclusive). Must be greater than start. |
| error_document | 1-255 characters, no leading / |
yes | Path to the error page document within the bucket. |
* Either status_code or both status_range.start and status_range.end must be provided, but not both.
Normal response
{
"bucket_name": "my-website",
"bucket_prefix": "public/",
"created_at": "2026-02-12T10:00:00.000000Z",
"domain_name": "static.example.com",
"enabled": true,
"error_pages": [
{
"error_document": "errors/404.html",
"status_code": 404
}
],
"index_document": "index.html",
"spa_mode": false,
"updated_at": "2026-02-12T10:00:00.000000Z"
}
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
| 404 Not Found | RESOURCE_NOT_FOUND | Service or domain not found. |
| 409 Conflict | CONFLICT | Static website config already exists for this domain. |
Get static website config
Returns the static website configuration for a specific domain by given {service_uuid} and {domain_name}.
Request
Normal response
{
"bucket_name": "my-website",
"bucket_prefix": "",
"created_at": "2026-02-12T10:00:00.000000Z",
"domain_name": "7mf5k-static.upcloudobjects.com",
"enabled": true,
"error_pages": [],
"index_document": "index.html",
"spa_mode": false,
"updated_at": "2026-02-12T10:00:00.000000Z"
}
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Service or config not found. |
Modify static website config
Modifies the static website configuration for a specific domain by given {service_uuid} and {domain_name}.
The domain_name is immutable and cannot be changed. To serve content on a different domain, delete the existing config and create a new one.
Request
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| bucket_name | 1-254 characters, pattern ^[a-zA-Z0-9.\-_]+$ |
no | S3 bucket from which static content is served. |
| bucket_prefix | 0-1024 characters, pattern ^[a-zA-Z0-9/.\-_]*$ |
no | Path prefix within the bucket. |
| index_document | 1-255 characters, pattern ^[a-zA-Z0-9/.\-_]+$ |
no | Default document served for directory paths. |
| spa_mode | true / false |
no | Enable or disable single-page application mode. |
| enabled | true / false |
no | Enable or disable serving content on this domain. |
| error_pages | An array of 0-25 error page objects | no | Custom error pages. Replaces any existing error pages. |
Normal response
{
"bucket_name": "my-website-v2",
"bucket_prefix": "",
"created_at": "2026-02-12T10:00:00.000000Z",
"domain_name": "7mf5k-static.upcloudobjects.com",
"enabled": true,
"error_pages": [],
"index_document": "index.html",
"spa_mode": true,
"updated_at": "2026-02-12T12:00:00.000000Z"
}
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
| 404 Not Found | RESOURCE_NOT_FOUND | Service or config not found. |
Delete static website config
Deletes the static website configuration for a specific domain by given {service_uuid} and {domain_name}.
After deletion, requests to the domain will receive a "Site Not Configured" page until a new configuration is created.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Service or config not found. |
List Role Inline Policies
Returns a list of role inline policies by the given {service_uuid}, and {role_name}.
Request
Normal response
[
{
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"name": "sample-policy"
}
]
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Get Role Inline Policies
Returns a role's inline policies by the given {service_uuid}, {role_name}, and {policy_name}.
Request
Normal response
{
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}",
"name": "sample-policy"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create role inline policy
Creates a role inline policy by the given {service_uuid}, and {role_name}.
Request
{
"name": "sample-policy",
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| name | 1-128 characters | true | A valid string to represent the name of the IAM group. | |
| document | 1-6144 characters | yes | A valid policy document, URL-encoded compliant with RFC 3986. |
Normal response
{
"name": "sample-policy",
"document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Delete role inline policy
Delete a role inline policy by the given {service_uuid}, {role_name} and {policy_name}.
Request
DELETE /1.3/object-storage-2/{service_uuid}/roles/{role_name}/inline-policies/{policy_name} HTTP/1.1
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Create role permissions boundary
Creates a role policy's permissions boundary by the given {service_uuid}, and {role_name}.
Request
Attributes
| Attribute | AcceptedValue | Default value | Required | Description |
|---|---|---|---|---|
| policy_name | 1-128 characters | true | A valid string to represent the name of the IAM policy. |
Normal response
Delete role permissions boundary
Deletes a role permissions boundary by the given {service_uuid}, and {role_name}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Get role tags
Returns a role's tags by the given {service_uuid}, and {role_name}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Replace role tags
Replaces a role's tags by the given {service_uuid}, and {role_name}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Delete role tags
Deletes a role's tag by the given {service_uuid}, {role_name}, and {tag_key}.
Request
Normal response
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Assume Role Policy
Assume a role policy by the given {service_uuid}, and {role_name}.
Request
{
"document":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":[\"{{iamuser}}\"]},\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Normal response
{
"document":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":[\"{{iamuser}}\"]},\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
}
Error response
| Http status | Accepted Values | Default AcceptedValue |
|---|---|---|
| 400 Bad Request | INVALID_REQUEST | Validation error. |
List jobs
Returns a list of jobs. Jobs are used to sync S3-compatible object storages with UpCloud managed object storages.
Request
Normal response
[
{
"created_at": "2024-08-27T13:05:26.382642Z",
"input": {
"source": {
"access_key_id": "source-access-key-id",
"bucket": "source-bucket",
"endpoint_url": "https://example.source.com"
},
"target": {
"access_key_id": "target-access-key-id",
"bucket": "target-bucket",
"endpoint_url": "https://example.target.com"
},
"type": "copy"
},
"operational_state": "running",
"output": {
"bytes": 209715200,
"error": "",
"total_bytes": 209715200,
"transfer_time": "2.278435087"
},
"updated_at": "2024-08-27T13:06:46.386309Z",
"uuid": "12f73f4d-e6ed-4ac0-b9b5-2b40ca3b2de2"
}
]
Notes:
- operational states description.
Get job details
Returns object storage job details by given {uuid}.
Request
Normal response
{
"created_at": "2024-08-27T13:05:26.382642Z",
"input": {
"source": {
"access_key_id": "source-access-key-id",
"bucket": "source-bucket",
"endpoint_url": "https://example.source.com"
},
"target": {
"access_key_id": "target-access-key-id",
"bucket": "example-target-bucket",
"endpoint_url": "https://example.target.com"
},
"type": "copy"
},
"operational_state": "running",
"output": {
"bytes": 209715200,
"error": "",
"total_bytes": 209715200,
"transfer_time": "2.278435087"
},
"updated_at": "2024-08-27T13:06:46.386309Z",
"uuid": "12f73f4d-e6ed-4ac0-b9b5-2b40ca3b2de2"
}
Create job
Creates a new job.
Request
{
"type": "copy",
"source": {
"access_key_id": "source-access-key-id",
"secret_access_key": "source-secret-key",
"endpoint_url": "https://example.source.com",
"bucket": "source-bucket"
},
"target": {
"access_key_id": "target-access-key-id",
"secret_access_key": "target-secret-key",
"endpoint_url": "https://example.target.com",
"bucket": "target-bucket"
}
}
Attributes
| Attribute | Accepted value | Required | Description |
|---|---|---|---|
| type | copy |
yes | The type of the job. |
| source | Source object | yes | Embedded Job Source. |
| target | Target object | yes | Embedded Job Target. |
Source Attributes
| Attribute | Accepted value | Required | Default | Description |
|---|---|---|---|---|
| access_key_id | 1-128 characters | yes | Source storage access key id. | |
| secret_access_key | 1-128 characters | yes | Source storage secret key. | |
| endpoint_url | 1-255 characters | yes | Source endpoint URL can belong to any s3 compatible object storage. | |
| bucket | 1-255 characters | no | The job will be created for particular bucket if provided. If the field is empty or missing, then the job will be created for entire object storage. |
Target Attributes
| Attribute | Accepted value | Required | Default | Description |
|---|---|---|---|---|
| access_key_id | 1-128 characters | yes | Target storage access key id. | |
| secret_access_key | 1-128 characters | yes | Target storage secret key. | |
| endpoint_url | 1-255 characters | yes | Target endpoint URL must be UpCloud managed object storage URL. | |
| bucket | 1-255 characters | no | The job will be created for particular bucket if provided. If the field is empty or missing, then the job will be created for entire object storage. |
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 402 Payment required | INSUFFICIENT_CREDITS | Customer account does not have enough credits for the requested action. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Cancel job
Cancels ongoing job by given {job-uuid}.
Request
Normal response
Error response
| HTTP status | Error code | Description |
|---|---|---|
| 404 Not Found | RESOURCE_NOT_FOUND | Resource not found. |
| 400 Bad Request | INVALID_REQUEST | Validation error. |
Job operational state
The job operational state indicates the job's current operational, effective state. Managed by the system.
| State | Description |
|---|---|
| pending | Indicates newly created job. |
| configuring | The job enqueued for configuration. |
| running | Indicates the job is running. |
| completed | The job successfully completed. |
| failed | The job failed. |
| canceled | The job canceled by the user. |
State Message Codes
| Code | Description |
|---|---|
| waiting_certificate_issuing | Indicates that TLS certificate issuing for the service endpoints is in progress. The process is pretty fast, but in some cases it could take up to 10 minutes. |
| failed_domain_verification | Indicates failed domain verification for TLS certificate. In case of custom domains please double check your DNS configuration, see attaching custom domain. |
| failed_custom_domain_verification | Indicates failed domain verification for a custom domain TLS certificate. Please verify CNAME records are correctly configured, see DNS records setup. |
| buckets_stuck_in_deletion | Indicates that the service has buckets stuck in the deletion stage. Please contact support for assistance. |
| namespace_stuck_in_deletion | Indicates that the service is stuck in the deletion stage. Please contact support for assistance. |