S3 Object Storage

Getting Access to CESNET S3


Obtaining a User Account

The procedure to get access to the service depends on your situation.

Access to an Existing Virtual Organisation

You may have been invited to an existing Virtual Organisation (VO) by the VO manager. In that case, follow the instructions given to you by the VO manager to register.

Personal S3 Access

Provided you are seeking an S3 service that

  • provides just a personal S3 space for your own use,
  • doesn’t support sharing between users and/or groups,
  • has a standard quota of 2 TB (can be increased on request),
  • but is available just upon simple registration (you need to be an employee or a student of a Czech public university, the AS CR, or an employee of a CESNET customer; you are expected to declare your eligibility using the identity federation),

you are invited to register for a personal S3 service in Perun.

Group S3 Access, aka Virtual Organisation

In case you need access to S3 and the conditions of Personal S3 Access above don’t fit your needs, we will typically prepare a Virtual Organisation and appropriate S3 service for you individually.

Contact our support at support@cesnet.cz and we’ll discuss your expectations with you.

Once the VO is created, you will become a VO manager - please refer to the user management system documentation to learn how to create, invite and manage user accounts for your team.

Note: You can also refer to common S3 use cases for inspiration.


Creating Access Keys

When you have finished your registration (or your brand new VO has been set up and configured for you), you need to get credentials to access the storage itself.

Important: It takes some time to propagate your Perun registration information to other systems. Please wait at least 30 minutes before you proceed with the following steps.

The storage access credentials consist of a pair of keys (long hexadecimal numbers) - an access key and a secret key. Each user generates their own keys in the access control system called Gatekeeper (https://access.du.cesnet.cz).

You can generate as many key pairs as you wish to access your storage. It is recommended to generate and use a separate access/secret key pair for each specific tool you access the storage with (see below).

Recommendation: It might be good practice to record key pairs, together with a description of where they are to be used, in a password management application (like Keepass, 1Password, etc.). While you can always find the access key at the Gatekeeper, there is no way to reveal the generated secret key - it is displayed only once, at the time of generation. If you lose the secret key, you have to generate a new pair of keys (and delete the old one once you have reconfigured all clients that used it).

To generate keys, log in to Gatekeeper (https://access.du.cesnet.cz), press the + New key button and enter a name for the key pair (like My WinSCP Keys). Wait until the keys are generated, then copy and save them both. Also, note down (copy and save) the S3 Storage Endpoint address displayed above the list of generated keys.

Note: You will need access key, secret key, and S3 storage endpoint address to configure access to the storage in a client application.

Kindly note that personal S3 appears as Personal Account in the system; other Virtual Organisations are listed individually.


Accessing the Storage

You will need to (install and) configure a suitable S3 client to access your S3 storage. If in doubt, start with WinSCP or S3 Browser on Windows, Cyberduck on Mac, or rclone web interface on Linux.
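
The recommendation from Creating Access Keys (a separate key pair per tool, with the secret kept safe) applied to an rclone configuration file, as an added example that is not part of the CESNET documentation: each remote gets its own key pair, the file is created with owner-only permissions, and reusing an access key in a second remote is rejected. The remote names, key values, `provider = Other` and the endpoint are constructed placeholders; use the S3 Storage Endpoint address shown in Gatekeeper.

```python
import configparser
import os
import stat
import tempfile


def add_remote(conf_path, remote, access_key, secret_key, endpoint):
    """Add one rclone S3 remote; refuse to reuse a key pair between remotes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(conf_path)  # a missing file is simply treated as empty
    for name in cfg.sections():
        if name != remote and cfg[name].get("access_key_id") == access_key:
            raise ValueError(f"access key already used by remote {name!r}")
    cfg[remote] = {
        "type": "s3",
        "provider": "Other",  # assumption: the page does not name the backend
        "access_key_id": access_key,
        "secret_access_key": secret_key,
        "endpoint": endpoint,
    }
    # Create the file owner-only from the start, so the secret is never
    # readable by other local users.
    fd = os.open(conf_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.chmod(conf_path, 0o600)  # tighten a pre-existing, looser file
        cfg.write(fh)
    return stat.S_IMODE(os.stat(conf_path).st_mode)


def demo():
    endpoint = "https://s3.example.invalid"  # placeholder, not the real endpoint
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "rclone.conf")
        # Constructed sample keys: one pair per tool, as recommended.
        add_remote(conf, "cesnet-backup", "a1" * 10, "b2" * 20, endpoint)
        mode = add_remote(conf, "cesnet-sync", "c3" * 10, "d4" * 20, endpoint)
        try:
            add_remote(conf, "cesnet-other", "a1" * 10, "e5" * 20, endpoint)
            reused_rejected = False
        except ValueError:
            reused_rejected = True
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read(conf)
        return cfg.sections(), oct(mode), reused_rejected


if __name__ == "__main__":
    print(demo())
```

Keeping one key pair per remote means a leaked or lost secret can be deleted in Gatekeeper without reconfiguring the other tools.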


Final Notes

It is useful to distinguish the following systems:

  • Perun (https://einfra.cesnet.cz/) is a system managing which users have access to particular services (based on your membership in Virtual Organisations and groups)
  • Gatekeeper (https://access.du.cesnet.cz/) will give you credentials to the storage based on what Perun says
  • and finally, the storage itself is accessed with those credentials by a client you prefer.
