StorageObject Storage

Permissions and policies

All access controls for a bucket are managed under the bucket Settings page. Open a bucket and click Settings to access tabs for General, Lifecycle Policies, CORS, Lock Settings, Event Notifications, and Custom Domains.

Before you begin

General settings

The General tab shows bucket metadata and controls two access settings: Public Access and Object Lock.

FieldDescription
NameBucket name
SiteAssociated site (N/A if not linked)
CreatedCreation date
Total ObjectsNumber of objects in the bucket
Storage UsedTotal storage consumed
Public AccessToggle — Disabled by default
Object LockToggle — Disabled by default

Public access

Enabling Public Access exposes all objects in the bucket to the internet via a Public Access URL.

1

Open General settings

Open your bucket → click Settings → click the General tab.

2

Enable Public Access

Toggle Public Access from Disabled to Enabled.

3

Copy the Public Access URL

Once enabled, the Public Access URL section appears below the General card:

“Expose the contents of this bucket to the internet through the Public Access URL when enabled.”

Copy the URL. Objects are accessible at:

https://<public-access-url>/<object-key>

Enabling Public Access makes all objects in the bucket readable without authentication. Only enable this for buckets intended for public content.

If Public Access is disabled, the Public Access URL section shows: “Please enable public access in General to use the Public Access URL.”

Object Lock

Object Lock prevents objects from being deleted or overwritten. It is configured from the same General tab.

1

Open General settings

Open your bucket → click Settings → click the Lock Settings tab.

2

Enable Object Lock

Toggle Object Lock from Disabled to Enabled and set a retention period.

3

Save

Click Save to apply.

Object Lock applies to objects uploaded after it is enabled. It cannot be applied to existing objects retroactively.

CORS

The CORS tab lets you allow browser applications from specific domains to access bucket files.

Changes may take up to 5 minutes to propagate. Wait at least 5 minutes after saving before testing.

Add a CORS rule

1

Open CORS settings

Open your bucket → click Settings → click the CORS tab.

2

Add a rule

Click + Add Rule. If no rules exist yet, click + Create Your First Rule.

3

Configure the rule

Fill in the ADD CORS RULE panel:

Allowed Origins (required) — domains that can access the bucket from a browser (e.g. https://myapp.com or *.myapp.com). Click + Add Origin to add more. Use * to allow all origins.

Allowed Methods (required):

MethodDefault
GET✅ Enabled
PUT
POST
DELETE
HEAD

Allowed Headers (optional) — comma-separated list of headers browsers can send. Defaults to *.

4

Save

Click Save Rule.

CORS troubleshooting

Rule not taking effect — Wait at least 5 minutes after saving. CORS configuration is cached.

Browser still blocked — Ensure the origin exactly matches the request origin including protocol (https://) and no trailing slash.

Method blocked — Ensure the HTTP method your app uses (e.g. PUT for uploads) is checked under Allowed Methods.

API token access

For programmatic access via the REST API, AWS CLI, rclone, or any S3-compatible tool, use an API token. A token provides:

  • Bearer Token — for the IBEE REST API
  • Access Key ID + Secret Access Key — for S3-compatible tools
  • S3 Endpointhttps://{project_id}.blob.ibeestorage.com

Create an API token →

Delete a bucket

The Delete Bucket section is at the bottom of the General tab.

All objects must be deleted before the bucket can be deleted. If the bucket contains objects, the portal shows: “This bucket contains X objects. You must delete all objects before deleting the bucket.”