Object Lock

Object Lock allows you to protect objects from being deleted or overwritten for a specified period or indefinitely. Object Lock operates in three modes:

  • Governance Mode: Protects objects against accidental deletion but allows authorized users to bypass the lock.
  • Compliance Mode: Provides immutable protection; no user can delete or modify the object until the retention period expires.
  • Legal Hold: Prevents an object from being deleted until the legal hold is explicitly removed, regardless of retention settings.

Governance Mode Override Permissions

By default, the account owner and any user with default project access have Governance Mode override (bypass) permissions, because Storj's macaroon-based access system works by restricting capabilities rather than explicitly granting them.

To avoid unintentionally granting Governance Mode override permissions, use S3 credentials that explicitly restrict this capability for any operations involving Object Lock.

Note: Storj does not currently support role-based access controls (RBAC) for default restrictions by roles. This functionality may be added in the future.

Enabling Object Lock on a Bucket

For New Buckets

aws s3api create-bucket \
--bucket my-object-lock-bucket \
--object-lock-enabled-for-bucket \
--endpoint-url https://gateway.storjshare.io

For Existing Buckets

Step 1: Enable Versioning

aws s3api put-bucket-versioning \
--bucket my-existing-bucket \
--versioning-configuration Status=Enabled \
--endpoint-url https://gateway.storjshare.io

Step 2: Enable Object Lock

aws s3api put-object-lock-configuration \
--bucket my-existing-bucket \
--object-lock-configuration "ObjectLockEnabled=Enabled" \
--endpoint-url https://gateway.storjshare.io

Adding, Updating, and Deleting a Default Object Lock Configuration

Default Object Lock configurations apply retention settings to all new objects uploaded to the bucket.

Add/Update Default Configuration

aws s3api put-object-lock-configuration \
--bucket my-object-lock-bucket \
--object-lock-configuration "ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=30}}" \
--endpoint-url https://gateway.storjshare.io
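The two-step procedure for an existing bucket (versioning first, then Object Lock with a default retention rule) as a boto3-style script with a read-back check. This is an added example, not Storj's own code: the boto3 method names are real, but the `FakeS3` client, `STORJ_ENDPOINT` constant and `default_retention` helper are constructed here so the flow can be exercised offline.

```python
# Added example (not Storj's code): enable versioning, then Object Lock with a default
# GOVERNANCE retention, on an existing bucket via the Storj S3 gateway, then read the
# configuration back. The client is injected so the same function runs against a real
# boto3 client (assumed) or the in-memory FakeS3 below.
STORJ_ENDPOINT = "https://gateway.storjshare.io"
VALID_MODES = {"GOVERNANCE", "COMPLIANCE"}


def default_retention(mode, days=None, years=None):
    """Build the DefaultRetention rule; S3 requires exactly one of Days or Years."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}, got {mode!r}")
    if (days is None) == (years is None):
        raise ValueError("specify exactly one of days or years")
    rule = {"Mode": mode}
    rule.update({"Days": days} if days is not None else {"Years": years})
    return rule


def enable_object_lock(s3, bucket, mode="GOVERNANCE", days=30):
    """Step 1: enable versioning (required). Step 2: enable Object Lock + default rule."""
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    config = {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": default_retention(mode, days=days)}}
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=config)
    # Read back and check: an unverified lock gives a false sense of immutability.
    got = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    if got.get("ObjectLockEnabled") != "Enabled":
        raise RuntimeError(f"Object Lock not enabled on {bucket}: {got}")
    return got


class FakeS3:
    """Constructed stand-in for a boto3 S3 client: records calls, enforces versioning-first."""
    def __init__(self):
        self.versioning, self.lock_config, self.calls = {}, {}, []

    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.calls.append("put_bucket_versioning")
        self.versioning[Bucket] = VersioningConfiguration["Status"]

    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        self.calls.append("put_object_lock_configuration")
        if self.versioning.get(Bucket) != "Enabled":  # mirrors the real ordering requirement
            raise RuntimeError("InvalidBucketState: enable versioning before Object Lock")
        self.lock_config[Bucket] = ObjectLockConfiguration

    def get_object_lock_configuration(self, Bucket):
        return {"ObjectLockConfiguration": self.lock_config.get(Bucket, {})}
```

Against the live gateway, pass `boto3.client("s3", endpoint_url=STORJ_ENDPOINT)` as `s3` (assumes boto3 is installed and S3 credentials that carry the needed capabilities are configured).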

Delete Default Configuration

aws s3api put-object-lock-configuration \
--bucket my-object-lock-bucket \
--object-lock-configuration 'ObjectLockEnabled=Enabled' \
--endpoint-url https://gateway.storjshare.io

Object Operations

Please see the docs for Locking an Object.

Important Notes

  • Object Version Required: Locking an existing object requires the version id to be specified.
  • Retention Rules: The retention period can only be extended, not reduced or removed.
  • Mutual Exclusivity with TTL: Objects with active TTL Settings cannot be locked, and locked objects cannot have TTL applied.
  • S3 Compatibility: For full S3 compatibility information, please see Object Lock.