Object Lock

Object Lock allows you to protect objects from being deleted or overwritten for a specified period or indefinitely. Object Lock operates in three modes:

  • Governance Mode: Protects objects against accidental deletion but allows authorized users to bypass the lock.
  • Compliance Mode: Provides immutable protection; no user can delete or modify the object until the retention period expires.
  • Legal Hold: Prevents an object from being deleted until the legal hold is explicitly removed, regardless of retention settings.

Governance Mode Override Permissions

By default, the account owner and any user with default project access have Governance Mode override permissions due to Storj's macaroon-based access system, which restricts capabilities rather than explicitly granting permissions.

To avoid unintentionally granting Governance Mode override permissions, use S3 credentials that explicitly restrict this capability for any operations involving Object Lock.

Note: Storj does not currently support role-based access controls (RBAC) for applying default restrictions by role. This functionality may be added in the future.

Using Object Lock

  • To enable Object Lock and set bucket-level defaults, see Object Lock
  • For object operations related to Object Lock, see Objects

Technical Details

New S3 Actions Supported:

Action | API Description | Description of Change(s)

GetObjectLockConfiguration

Gets the object lock configuration for a bucket.

Will return the ObjectLockConfiguration with ObjectLockEnabled either as Enabled or empty.

Rule will not be included as a response element, as specifying a bucket-level Object Lock rule is initially out of scope.

PutObjectLockConfiguration

Enables Object Lock configuration on a bucket.

ObjectLockEnabled: Indicates if Object Lock is enabled on the bucket.

Rule (Optional): Specifies the Object Lock rule (mode and period) for the bucket. The period can be either Days or Years.

PutObjectRetention

Places an object retention configuration on an object.

GetObjectRetention

Retrieves an object's retention settings.

GetObjectLegalHold

Retrieves the Legal Hold status of an object.

PutObjectLegalHold

Applies a Legal Hold to the specified object.

Existing S3 Actions Updated

Action | API Description | Description of Change(s)

CreateBucket

Creates a new bucket.

CreateBucket will now accept the following request parameter:

  • x-amz-bucket-object-lock-enabled

HeadObject

Retrieves metadata from an object without returning the object itself.

HeadObject will now return:

  • Mode that is currently in place for the requested object
  • Date/time that the object's lock will expire

GetObject

Retrieves an object from a bucket.

GetObject will now return:

  • Mode that is currently in place for the requested object
  • Date/time that the object's lock will expire

PutObject

Adds an object to a bucket.

PutObject will now:

  • Prevent locked object versions from being overwritten

PutObject will now accept the following request parameters:

  • x-amz-object-lock-mode
  • x-amz-object-lock-retain-until-date

CopyObject

Creates a copy of an object that is already stored on Storj.

CopyObject will now accept the following request parameters:

  • x-amz-object-lock-mode
  • x-amz-object-lock-retain-until-date

CreateMultipartUpload

This action initiates a multipart upload and returns an upload ID.

CreateMultipartUpload will now accept the following request parameters:

  • x-amz-object-lock-mode
  • x-amz-object-lock-retain-until-date

Storj has a unique object-level TTL. Any request that has both a TTL and a retention period will be rejected to prevent TTLs from conflicting with Object Lock retention periods.

DeleteBucket

Deletes the specified bucket.

Forced deletion of a bucket with locked objects will be prevented.

DeleteObject

Removes an object from a bucket.

Deletion of an object with a retention set will be prevented.
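
A client-side pre-flight check for the Object Lock request parameters accepted by PutObject, CopyObject and CreateMultipartUpload, including the TTL conflict described above. This is an added example, not Storj's own code. The TTL header name `x-amz-meta-object-expires`, the rule that mode and date are sent together, and the future-date rule are assumptions that this page does not state.

```python
from datetime import datetime, timezone

LOCK_MODE = "x-amz-object-lock-mode"                  # from the page
LOCK_UNTIL = "x-amz-object-lock-retain-until-date"    # from the page
TTL_HEADER = "x-amz-meta-object-expires"   # assumption: gateway header carrying the object TTL
VALID_MODES = {"GOVERNANCE", "COMPLIANCE"}  # S3 mode values, compared exactly


def check_lock_headers(headers, now=None):
    """Return the problems found in one upload request's Object Lock headers."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    mode, until = h.get(LOCK_MODE), h.get(LOCK_UNTIL)
    if mode is None and until is None:
        return []  # no retention requested, so a TTL on its own is fine
    problems = []
    if mode is None or until is None:
        problems.append("mode and retain-until-date must be sent together")
    if mode is not None and mode not in VALID_MODES:
        problems.append(f"unknown mode {mode!r}")
    if until is not None:
        try:
            ts = datetime.fromisoformat(until.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"retain-until-date {until!r} is not ISO 8601")
        else:
            if ts.tzinfo is None:
                problems.append("retain-until-date has no time zone")
            elif ts <= now:
                problems.append("retain-until-date is not in the future")
    if h.get(TTL_HEADER):
        problems.append("TTL and retention period in the same request")
    return problems


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {LOCK_MODE: "COMPLIANCE", LOCK_UNTIL: "2030-01-01T00:00:00Z"},
        {LOCK_MODE: "GOVERNANCE", LOCK_UNTIL: "2030-01-01T00:00:00Z",
         "X-Amz-Meta-Object-Expires": "+2h"},
        {LOCK_MODE: "governance"},
    ]
    for s in samples:
        print(s, "->", check_lock_headers(s) or "ok")
```

Running the check before an upload surfaces a TTL and retention conflict locally instead of as a rejected request.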