An access key is an (access_key_id, secret_access_key) pair that the S3 endpoint (https://<org-id>.buckets.excloud.in) authenticates against. Use access keys for anything that doesn’t know how to mint an Excloud bearer token: aws s3, boto3, rclone, the AWS SDKs, third-party backup tools.

Access keys are org-scoped — every key you create can address every bucket in the org.

Create

exc buckets keys create laptop

Output:

ACCESS_KEY_ID:     AKIAEXCLOUDEXAMPLE
SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Stored once, shown once

The secret is never retrievable after creation. If you lose it, delete the key and create a new one.

Give each key a --name you’ll recognise later (laptop, ci-deploy, backup-agent). Otherwise rotation becomes guesswork.

List

exc buckets keys list

Returns the access key IDs and names — never the secrets.

Delete (revoke)

exc buckets keys delete AKIAEXCLOUDEXAMPLE

Effective immediately. Any in-flight requests using the deleted key get 403.

Rotation

There is no in-place rotate today — create a new key, deploy it everywhere, then delete the old one:

# 1. Create the replacement
exc buckets keys create ci-deploy-v2

# 2. Update your secret store with the new pair (vault, k8s secret, .env, ...)

# 3. Redeploy / restart consumers so they pick up the new key

# 4. Delete the old key
exc buckets keys delete AKIAOLDKEY

For automation, Secrets is a good place to keep the active pair.
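The four rotation steps above, scripted end to end, as an added example (not Excloud's own tooling). It assumes the `exc buckets keys create` output format shown on this page, uses a plain `.env` file as a stand-in for whatever secret store you actually use, and only deletes the old key after the store update and the redeploy command have both succeeded:

```python
"""Key rotation for Excloud access keys: create, update the secret store, redeploy, delete.

Added example, not Excloud's own code. It assumes the exc CLI output format shown
on this page and uses a plain .env file as the "secret store" stand-in.
"""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample of `exc buckets keys create` output (the page's placeholder values).
SAMPLE_CREATE_OUTPUT = """ACCESS_KEY_ID:     AKIAEXCLOUDEXAMPLE
SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

_KEY_LINE = re.compile(r"^(ACCESS_KEY_ID|SECRET_ACCESS_KEY):\s*(\S+)\s*$", re.MULTILINE)


def parse_create_output(text):
    """Extract the (access_key_id, secret_access_key) pair; fail loudly if either is missing."""
    found = dict(_KEY_LINE.findall(text))
    missing = [k for k in ("ACCESS_KEY_ID", "SECRET_ACCESS_KEY") if k not in found]
    if missing:
        raise ValueError("create output is missing " + ", ".join(missing))
    return found["ACCESS_KEY_ID"], found["SECRET_ACCESS_KEY"]


def read_env(path):
    """Minimal KEY=VALUE reader (comments and blank lines ignored)."""
    result = {}
    for line in Path(path).read_text().splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            result[name.strip()] = value
    return result


def update_env_file(path, access_key_id, secret):
    """Swap in the new pair, keep every other line, write atomically with 0600 perms."""
    path = Path(path)
    new = {"AWS_ACCESS_KEY_ID": access_key_id, "AWS_SECRET_ACCESS_KEY": secret}
    lines = path.read_text().splitlines() if path.exists() else []
    out = []
    for line in lines:
        name = line.split("=", 1)[0].strip()
        out.append(f"{name}={new.pop(name)}" if name in new else line)
    out.extend(f"{k}={v}" for k, v in new.items())  # keys not present yet are appended
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text("\n".join(out) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)  # atomic swap: consumers never see a half-written file


def exc(*args):
    """Run the exc CLI and return its stdout; a non-zero exit aborts the rotation."""
    return subprocess.run(["exc", *args], check=True, capture_output=True, text=True).stdout


def rotate(old_key_id, new_name, env_path, redeploy_cmd=None):
    """Steps 1-4 from the page, in order; the old key is deleted only after 2 and 3 succeed."""
    new_id, new_secret = parse_create_output(exc("buckets", "keys", "create", new_name))
    if new_id == old_key_id:
        raise RuntimeError("refusing to delete the key that was just created")
    update_env_file(env_path, new_id, new_secret)
    if redeploy_cmd:  # e.g. ["kubectl", "rollout", "restart", "deployment/backup-agent"]
        subprocess.run(redeploy_cmd, check=True)
    exc("buckets", "keys", "delete", old_key_id)
    return new_id


def demo_update_env():
    """Constructed dry run of the secret-store step only (no exc calls): old pair replaced in place."""
    with tempfile.TemporaryDirectory() as d:
        env = Path(d) / ".env"
        env.write_text("BUCKET=backups\nAWS_ACCESS_KEY_ID=AKIAOLDKEY\nAWS_SECRET_ACCESS_KEY=old-secret\n")
        new_id, new_secret = parse_create_output(SAMPLE_CREATE_OUTPUT)
        update_env_file(env, new_id, new_secret)
        return read_env(env)


if __name__ == "__main__":
    import sys
    print(rotate(sys.argv[1], sys.argv[2], sys.argv[3]))  # rotate <old-key-id> <new-name> <env-path>
```

Run it as `python rotate.py AKIAOLDKEY ci-deploy-v2 /srv/app/.env`. The ordering is the point: if the store update or the redeploy fails, the script exits before the delete and the old key keeps working, so you are never left with consumers holding a revoked key.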

Quickly configure the AWS CLI

exc buckets keys configure AKIAEXCLOUDEXAMPLE --profile excloud

Writes (or updates) ~/.aws/config and ~/.aws/credentials with the right endpoint, region, and the access key whose ID you passed. Pass --secret <secret> if the secret from create time isn't available on this machine and you need to set it now (it must be a copy you saved; the secret cannot be retrieved after creation), or --set-default to also write the endpoint into the default profile.

Scope

Today an access key has full read-write on every bucket in the org. Per-bucket or read-only keys are on the roadmap; until then, model that boundary at the org level (separate org per environment) or in front of the bucket via presigned URLs.
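What "a boundary in front of the bucket via presigned URLs" buys you, as an added example that is not Excloud's code: a URL that grants one GET on one object for a fixed window, signed with the org-wide key but never exposing it, and the check the endpoint performs on the way back in. It assumes the endpoint speaks standard S3 SigV4 with path-style addressing; the org id (`my-org`) and region (`us-east-1`) are placeholders, and the key pair is the page's own example pair.

```python
"""Read-only, time-boxed access to one object via a SigV4 presigned URL, plus the server-side check.

Added example, not Excloud's own code. Assumes the endpoint speaks standard S3 SigV4 with
path-style bucket addressing; the org id and region are placeholders.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ACCESS_KEY_ID = "AKIAEXCLOUDEXAMPLE"                        # the page's placeholder, not a real key
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ENDPOINT_HOST = "my-org.buckets.excloud.in"                 # assumption: <org-id> = my-org
REGION = "us-east-1"                                        # assumption: the page gives no region
SERVICE = "s3"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date):
    # AWS4-HMAC-SHA256 key derivation: secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (REGION, SERVICE, "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params):
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(method, path, params, amz_date, secret):
    """Sign method + path + query + host + (unsigned) payload: exactly what the endpoint re-derives."""
    canonical_request = "\n".join([
        method,
        quote(path, safe="/"),
        _canonical_query(params),
        f"host:{ENDPOINT_HOST}\n",   # canonical headers block, newline-terminated
        "host",                      # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, expires_seconds, now):
    """Hand out a GET on one object, valid for expires_seconds from `now`, without sharing the key."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    path = f"/{bucket}/{key}"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY_ID}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature("GET", path, params, amz_date, SECRET_ACCESS_KEY)
    return f"https://{ENDPOINT_HOST}{quote(path, safe='/')}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_get(url, now):
    """What the endpoint checks: host, expiry window, and a signature recomputed from the URL itself.
    Simplification: one known key; a real endpoint looks the secret up by X-Amz-Credential."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != ENDPOINT_HOST:
        return False
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        amz_date = params["X-Amz-Date"]
        signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if not signed_at <= now <= signed_at + timedelta(seconds=expires):
        return False
    expected = _signature("GET", unquote(parts.path), params, amz_date, SECRET_ACCESS_KEY)
    return hmac.compare_digest(expected, presented)


def demo():
    """Constructed scenario: a 10-minute URL for one report; retargeting, stretching or expiry all fail."""
    signed_at = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    soon = signed_at + timedelta(minutes=1)
    url = presign_get("reports", "q1/summary.csv", 600, signed_at)
    return {
        "url": url,
        "valid": verify_presigned_get(url, soon),
        "other_object": verify_presigned_get(url.replace("q1/summary.csv", "q1/other.csv"), soon),
        "stretched_expiry": verify_presigned_get(url.replace("X-Amz-Expires=600", "X-Amz-Expires=86400"),
                                                 signed_at + timedelta(hours=1)),
        "expired": verify_presigned_get(url, signed_at + timedelta(minutes=11)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the object path, the method, and `X-Amz-Expires` are all inside the signed canonical request, a holder of the URL cannot point it at a different object, turn it into a PUT, or extend its lifetime; the only way to issue a broader grant is to hold the secret, which stays on the issuing side. That is the read-only, per-object boundary the roadmap keys would give you natively, and until then it is the one you can enforce today.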