Access Keys
S3 access keys are how non-Excloud-aware tools (aws-cli, boto3, rclone) talk to your buckets. The secret is shown once; rotate by creating a new one and deleting the old.
An access key is an (access_key_id, secret_access_key) pair that the S3 endpoint (https://buckets.excloud.dev) authenticates against. Use access keys for anything that doesn't know how to mint an Excloud bearer token: aws s3, boto3, rclone, the AWS SDKs, third-party backup tools.
Access keys are org-scoped: every key you create can address every bucket in the org. The key ID identifies your org to the S3 endpoint, so you never put the org ID in the URL.
Excloud access key IDs are prefixed EXC (followed by base32 characters); that's how you tell an Excloud key from a raw AWS AKIA... key at a glance.
Create
exc buckets keys create laptop
Output:
ACCESS_KEY_ID: EXCEXCLOUDEXAMPLEKEY
SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Give each key a --name you'll recognise later (laptop, ci-deploy, backup-agent). Otherwise rotation becomes guesswork.
List
exc buckets keys list
Returns the access key IDs and names, never the secrets.
Delete (revoke)
exc buckets keys delete EXCEXCLOUDEXAMPLEKEY
Effective immediately. Any in-flight requests using the deleted key get 403.
Rotation
There is no in-place rotate today. Create a new key, deploy it everywhere, then delete the old one:
# 1. Create the replacement
exc buckets keys create ci-deploy-v2
# 2. Update your secret store with the new pair (vault, k8s secret, .env, ...)
# 3. Redeploy / restart consumers so they pick up the new key
# 4. Delete the old key
exc buckets keys delete EXCOLDEXAMPLEKEY
For automation, Secrets is a good place to keep the active pair.
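A pre-delete check for step 4, as an added example (not part of Excloud's tooling): it parses an AWS-style credentials file, labels each key ID by the EXC / AKIA prefix described above, and lists profiles that still reference the key being retired. The sample file, the base32 alphabet (A-Z, 2-7) and the function names are assumptions.

```python
import configparser
import re

# Page: Excloud key IDs are "EXC" followed by base32 characters.
# Assumption: RFC 4648 alphabet (A-Z, 2-7); the page states no length.
EXCLOUD_KEY_ID = re.compile(r"EXC[A-Z2-7]+")

# Constructed sample of ~/.aws/credentials mid-rotation (no real secrets).
SAMPLE_CREDENTIALS = """\
[excloud]
aws_access_key_id = EXCEXCLOUDEXAMPLEKEY
aws_secret_access_key = constructed-secret-1
[ci-deploy]
aws_access_key_id = EXCOLDEXAMPLEKEY
aws_secret_access_key = constructed-secret-2
[legacy-aws]
aws_access_key_id = AKIAEXAMPLEKEYID0000
aws_secret_access_key = constructed-secret-3
"""

def classify(key_id):
    """Label a key ID by the prefix convention the page describes."""
    if EXCLOUD_KEY_ID.fullmatch(key_id):
        return "excloud"
    if key_id.startswith("AKIA"):
        return "aws"
    return "unknown"

def audit(credentials_text, retiring_key_id):
    """Group profiles by key type and list those still using the old key."""
    # interpolation=None: secrets may contain '%', which configparser would expand.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    report = {"excloud": [], "aws": [], "unknown": [], "stale": []}
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="").strip()
        report[classify(key_id)].append(profile)
        if key_id == retiring_key_id:
            report["stale"].append(profile)
    return report

def safe_to_delete(credentials_text, retiring_key_id):
    """True only when no profile in this file references the retiring key."""
    return not audit(credentials_text, retiring_key_id)["stale"]

if __name__ == "__main__":
    print(audit(SAMPLE_CREDENTIALS, "EXCOLDEXAMPLEKEY"))
```

This covers one file on one machine; secret stores and deployed consumers need the same check before the old key is deleted.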
Quickly configure the AWS CLI
exc buckets keys configure EXCEXCLOUDEXAMPLEKEY --profile excloud
Writes (or updates) ~/.aws/config and ~/.aws/credentials with the right endpoint, region, and the access key whose ID you passed. Pass --secret <secret> if you didn't capture the secret at create time and need to set it now, or --set-default to also write the endpoint into the default profile.
Scope
Today an access key has full read-write on every bucket in the org. Per-bucket or read-only keys are on the roadmap; until then, model that boundary at the org level (separate org per environment) or in front of the bucket via presigned URLs.