Cephyr S3: S3-compatible storage

Cephyr S3 is an S3-compatible object store backed by Ceph Object Gateway (RGW). You can find open rounds for access to the resource at SUPR.

Experimental

This resource is currently running experimentally in production. Documentation and related services are being actively developed. Feel free to reach out to support if you have comments or questions when using the resource.

Getting started

Once your project is active, project members need to:

  1. apply for an account for the Cephyr S3 resource at the SUPR Accounts page;
  2. get a personal access key at C3SE's self-service desk: https://desk.c3se.chalmers.se.

Save the key in a safe place and do not share it with anyone. The access key is scoped to each project, so if you have different projects, you need to generate an access key for each of them.

You can use the object store with any client that supports S3. A few useful options are demonstrated below:

To set up access with the aws command line tool, install awscli and put your access keys in ~/.aws/config. You can set up multiple identities for multiple resources.

[profile default]
aws_access_key_id = <YOUR-ACCESS-KEY>
aws_secret_access_key = <YOUR-SECRET-KEY>
region = c3se
endpoint_url = https://s3.c3se.chalmers.se

[profile bot]
aws_access_key_id = <BOT-ACCESS-KEY>
aws_secret_access_key = <BOT-SECRET-KEY>
region = c3se
endpoint_url = https://s3.c3se.chalmers.se

# create a bucket and upload a file with the default profile
aws s3 mb s3://test-bucket
aws s3 cp test-data.txt s3://test-bucket/

# list buckets as the bot identity
aws s3 ls --profile bot

Access management

By default, buckets are owned by the project and any user can read and write to any bucket. The PI of a project can alter this by attaching different policies at the help desk.

Project members with IAM access (only PI by default) can create extra users in a project to, for example, grant access to an automatic workflow. This can be done in the help desk or through the IAM API.

Bucket policy

Warning

The S3 API implemented in Ceph might not support everything that is implemented by AWS. Be careful when using advanced features like this and always check that the policy works as intended. Also consult Ceph's official documentation for details: https://docs.ceph.com/en/squid/radosgw/bucketpolicy/

At the time of writing (2026 Jan.), Cephyr S3 is running Ceph Squid.

One can set more fine-grained access control with bucket policies. For instance, suppose one creates a bot user called mybot and wants to limit its access to the s3://published bucket.

One starts by getting the ARN of the user:

aws iam get-user --user-name mybot

# one should get something like
# {
#    "User": {
#        "Path": "/",
#        "UserName": "mybot",
#        "UserId": "c3se2026_1_3$56d2c937-f320-4664-b7f8-acf515c17376",
#        "Arn": "arn:aws:iam::RGW00000000001002745:user/mybot",
#        "CreateDate": "2026-01-27T19:49:16.100661+00:00"
#    }
# }

One then needs to define a policy file, say policy.json, as:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::RGW00000000001002745:user/mybot"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::published/*",
      "arn:aws:s3:::published"
    ]
  }]
}

Attach the policy to the bucket:

aws s3api put-bucket-policy --bucket published --policy file://policy.json

Validate that the policy indeed works as intended:

aws s3 ls s3://published --profile bot
# gives:
# 2026-01-27 16:54:03       1034 .bashrc

aws s3 ls s3://secret --profile bot
# gives:
# argument of type 'NoneType' is not iterable
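
A static pre-check of policy.json before it is attached, complementing the live validation above. This is an added example, not part of the original documentation or of C3SE's tooling; the helper names as_list and audit_bucket_policy are hypothetical. It reports Allow statements with wildcard or unexpected principals, wildcard actions such as the s3:* used above, and resources that miss or go beyond the intended bucket.

```python
import json

# Constructed sample: the policy.json shown above, embedded so this runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::RGW00000000001002745:user/mybot"]},
   "Action": "s3:*",
   "Resource": ["arn:aws:s3:::published/*", "arn:aws:s3:::published"]}]}
""")

def as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy, bucket, expected_principals):
    """Hypothetical helper: list findings for the Allow statements of a policy."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        principal = st.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif arn not in expected_principals:
                findings.append(f"statement {i}: unexpected principal {arn}")
        for action in as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
        resources = as_list(st.get("Resource", []))
        for res in resources:
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource outside bucket: {res}")
        if bucket_arn not in resources:
            findings.append(f"statement {i}: bucket ARN missing (listing not covered)")
        if not any(r.startswith(bucket_arn + "/") for r in resources):
            findings.append(f"statement {i}: no object ARN (object access not covered)")
    return findings

if __name__ == "__main__":
    bot = "arn:aws:iam::RGW00000000001002745:user/mybot"
    for finding in audit_bucket_policy(POLICY, "published", {bot}):
        print(finding)
```

For the policy above the only finding is the wildcard action, which is worth narrowing if the bot needs only some operations on the bucket.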