Object Lifecycles

Object Lock and TTL are Mutually Exclusive

You cannot apply a TTL to a locked object, and you cannot lock an object that already has an active TTL. Attempting to combine these features will result in an error. For more information on Object Lock, see the Object Lock documentation.

Setting Object TTL with Custom HTTP Header

You can specify a TTL for an object by sending the X-Amz-Meta-Object-Expires header (see S3 Compatibility) with one of the following values:

  • a signed, positive sequence of decimal numbers, each with an optional fraction and a unit suffix, such as +300ms, +1.5h, or +2h45m
    • valid time units are ns, us (or µs), ms, s, m, h
    • +2h means the object expires 2 hours from now
  • full RFC3339-formatted date
$ rclone copy storj-tree.png storj:my-bucket --header-upload "x-amz-meta-object-expires:+5m"

Setting Object TTL in the Access Grant / S3 Credentials

If the S3 client cannot send custom HTTP headers, it is possible to restrict an access grant with the MaxObjectTTL permission. Uploaded objects get a TTL that reflects the configured MaxObjectTTL period.

The following instructions cannot be executed entirely in the Satellite Console and must be completed with the Uplink CLI (v1.88 or later).

  1. Log in to the Satellite Console and follow the steps to Create Access Grant.

  2. Switch to your command terminal and execute the access restrict command.

    ./uplink.exe access restrict --access 18k...TAY --readonly=false --max-object-ttl 720h

    Use the --max-object-ttl flag to set the Object TTL period applied to the uploaded objects. The period is given in hours, e.g. 720h for one month.

    Make sure to set the --readonly=false flag. Otherwise, the restricted access grant will be read-only, making uploading objects impossible.

    Executing the command will print the new restricted access grant:

    1AW...V3B
  3. Execute the access inspect command to ensure the MaxObjectTTL was configured properly.

    ./uplink.exe access inspect 1AW...V3B

    You should see a new caveat added to the macaroon with a max_object_ttl field set to the configured period (the value is displayed in nanoseconds).

    "macaroon": {
      "head": "GBo...eg=",
      "caveats": [
        {
          "not_before": "2023-09-14T11:43:29.185Z",
          "nonce": "M4VAag=="
        },
        {
          "max_object_ttl": 2592000000000000,
          "nonce": "HF4OHg=="
        }
      ],
      "tail": "rV_...RQ="
    }
  4. Register the new access grant as S3 credentials with the access register command.

    ./uplink.exe access register 1AW...V3B
    ========== CREDENTIALS ===================================================================
    Access Key ID: jw7w7n2...
    Secret Key : jycbodr...
    Endpoint : https://gateway.storjshare.io
  5. Configure the S3 credentials in your S3 client.
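
Before handing out the registered credentials, the check in step 3 can be automated. The following is an added example, not code from the Storj project: it reads JSON shaped like the access inspect fragment above and fails when the max_object_ttl caveat is missing or longer than a policy limit. The names CheckMaxObjectTTL and sampleInspect are hypothetical, the sample input is constructed from the fragment on this page, and it assumes that "macaroon" is a top-level key and that the shortest TTL caveat governs when several are present.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample: the page's macaroon fragment wrapped in braces to make valid JSON.
const sampleInspect = `{"macaroon": {"head": "GBo...eg=", "caveats": [
  {"not_before": "2023-09-14T11:43:29.185Z", "nonce": "M4VAag=="},
  {"max_object_ttl": 2592000000000000, "nonce": "HF4OHg=="}], "tail": "rV_...RQ="}}`

// CheckMaxObjectTTL (hypothetical helper) returns the TTL the grant enforces, or an error.
func CheckMaxObjectTTL(inspectJSON []byte, limit time.Duration) (time.Duration, error) {
	var out struct {
		Macaroon struct {
			Caveats []struct {
				MaxObjectTTL *int64 `json:"max_object_ttl"` // nil when the caveat lacks the field
			} `json:"caveats"`
		} `json:"macaroon"`
	}
	if err := json.Unmarshal(inspectJSON, &out); err != nil {
		return 0, fmt.Errorf("parse inspect output: %w", err)
	}
	var ttl time.Duration
	for _, c := range out.Macaroon.Caveats {
		if c.MaxObjectTTL == nil {
			continue
		}
		d := time.Duration(*c.MaxObjectTTL) // the field is displayed in nanoseconds
		if d <= 0 {
			return 0, fmt.Errorf("invalid max_object_ttl %d", *c.MaxObjectTTL)
		}
		if ttl == 0 || d < ttl { // assumption: the shortest TTL caveat governs
			ttl = d
		}
	}
	if ttl == 0 {
		return 0, fmt.Errorf("no max_object_ttl caveat: uploads would not expire")
	}
	if ttl > limit {
		return ttl, fmt.Errorf("max_object_ttl %s exceeds limit %s", ttl, limit)
	}
	return ttl, nil
}

func main() { fmt.Println(CheckMaxObjectTTL([]byte(sampleInspect), 720*time.Hour)) }
```

Running the check on the restricted grant before the access register step keeps a grant without the caveat from being turned into S3 credentials.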
