Cephyr S3: S3-compatible object storage¶

Cephyr S3 is an S3-compatible object store that is backed by Ceph Object Gateway (RGW). You can find open rounds to apply for a project in SUPR.

Experimental

This resource is currently running expreimentally in production. Documentation and related services are being actively developed. Feel free to reach out to support if you have comments or questions when using the resource.

Getting started¶

Once your project is approved and active, project members need to:

apply for an account at SUPR Accounts page for the Cephyr S3 resource
get a personal access key at C3SE's self-service desk: https://desk.c3se.chalmers.se

Save the key in a safe place and do not share it with anyone. The access key is scoped to each project (so if you have different projects, you need to generate access key for each of them).

You can use the object store with any client that supports S3, a few useful options are demonstrated below:

awscli (CLI)Cyberduck (GUI)

To set up access with the aws command line tool, install awscli and put your access keys in ~/.aws/config. You can set up multiple identities for multiple resources.

[profile default]
aws_access_key_id = <YOUR-ACCESS-KEY>
aws_secret_access_key = <YOUR-SECRET-KEY>
region = c3se
endpoint_url = https://s3.c3se.chalmers.se

[profile bot]
aws_access_key_id = <BOT-ACCESS-KEY>
aws_secret_access_key = <BOT-SECRET-KEY>
region = c3se
endpoint_url = https://s3.c3se.chalmers.se

aws s3 mb s3://test-bucket
aws cp test-data.txt s3://test-bucket/

aws s3 lb --profile bot

For Windows or MacOS you can for example use Cyberduck to access your storage. Simply add your credentials and the connection details in the S3 connections page.

Cyperduck S3 connection setting

Access management¶

By default, buckets are owned by the project and any user can read and write to any bucket. The PI of the project can alter this by attaching different policies at the help desk page.

Project members with IAM access (only PI by default) can create extra (non-SUPR) users in a project as well, for example, to grant access to an automatic workflow. This can be done at the help desk page or through the IAM API.

Bucket policy¶

Warning

The S3 API implemented in Ceph might not support all that is implemented by AWS. Be careful when using advanced feature like this and always check that the policy works as intended. Also consult Ceph's official documentation for details: https://docs.ceph.com/en/squid/radosgw/bucketpolicy/

At the time of writing (January 2026), Cephyr S3 is running Ceph Squid.

You can set more fine-grained access control with bucket policies. For instance, suppose you creates a bot user called mybot and wants to limit its access to the s3://published bucket.

You start by getting the ARN (Amazon Resource Name) of the user:

aws iam get-user --user-name mybot

# one should get something like
# {
#    "User": {
#        "Path": "/",
#        "UserName": "mybot",
#        "UserId": "c3se2026_1_3$56d2c937-f320-4664-b7f8-acf515c17376",
#        "Arn": "arn:aws:iam::RGW00000000001002745:user/mybot",
#        "CreateDate": "2026-01-27T19:49:16.100661+00:00"
#    }
# }

You then needs to create a policy file, say policy.json, as:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::RGW00000000001002745:user/mybot"]},
    "Action": "s3:*",
    "Resource": [
    "arn:aws:s3:::published/*",
    "arn:aws:s3:::published"
    ]
  }]
}

Attach the policy to the bucket:

aws s3api put-bucket-policy --bucket published --policy file://policy.json

Validate that the policy is indeed working as intended:

aws s3 ls s3://published --profile bot
# gives:
# 2026-01-27 16:54:03       1034 .bashrc

aws s3 ls s3://secret --profile bot
# gives:
# argument of type 'NoneType' is not iterable