Access Grant

To gain a deeper understanding of this section, it's recommended to first refer to the sections on encryption and permissions, as these components are closely interconnected.

Encryption information is held in the encryption key (eKey), and permissions are held in the authorization key (zKey). Both keys are created on the client side and combined into what's called an access grant. Users then use this access grant to generate a pair of S3 credentials for the S3 API. When the S3 credentials are generated, the access grant is encrypted using the S3 Access Key ID and stored on the server. The access grant can be decrypted only when the user provides the corresponding Access Key ID.

The process to create an access grant unfolds as follows:

  1. Creating the zKey: The user initiates a request for a random ID from the server. This ID becomes the macaroon's ID, serving the purpose of verifying the macaroon's validity and supporting revocation processes. Users can impose limits by adding caveats to the macaroon, such as time restrictions and access rights over specific buckets.
  2. Generating the eKey: Users provide a passphrase to create the eKey, using the mechanism described in the encryption section.
  3. Crafting the Access Grant: Combining these two keys produces the access grant.

By following this procedure, users ensure that their access grant carries the information needed for both encryption and permissions. This integration of encryption and permissions within a single access grant underscores W3S's commitment to security and ease of use for its users.
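The three steps above, sketched as an added example (not W3S's own code) to show why caveats can be added on the client yet cannot be removed, and how the macaroon ID supports revocation. It assumes the standard macaroon construction (a chained HMAC-SHA256 over the ID and each caveat) with the server returning the first signature along with the ID; the JSON layout, the caveat names `bucket` and `not_after`, the `Server` class, and PBKDF2 as the passphrase KDF are all hypothetical stand-ins.

```python
import hashlib, hmac, json, os

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    """Hypothetical service side: holds root secrets and the revocation list."""
    def __init__(self):
        self.roots, self.revoked = {}, set()

    def issue(self):
        # Step 1: random macaroon ID plus the first link of the HMAC chain.
        mid = os.urandom(16).hex()
        self.roots[mid] = os.urandom(32)
        return {"id": mid, "caveats": [], "sig": mac(self.roots[mid], mid.encode()).hex()}

    def verify(self, zkey, bucket, now):
        root = self.roots.get(zkey["id"])
        if root is None or zkey["id"] in self.revoked:
            return False                   # unknown or revoked macaroon ID
        sig = mac(root, zkey["id"].encode())
        for c in zkey["caveats"]:          # recompute the chain over every caveat
            sig = mac(sig, json.dumps(c, sort_keys=True).encode())
        if not hmac.compare_digest(sig.hex(), zkey["sig"]):
            return False                   # a caveat was altered or removed
        return all(_holds(c, bucket, now) for c in zkey["caveats"])

def _holds(c, bucket, now):
    if "not_after" in c:
        return now <= c["not_after"]
    if "bucket" in c:
        return bucket == c["bucket"]
    return False                           # unknown caveat: fail closed

def add_caveat(zkey, caveat):
    # Client-side attenuation: needs only the current signature, not the root secret.
    sig = mac(bytes.fromhex(zkey["sig"]), json.dumps(caveat, sort_keys=True).encode())
    return {"id": zkey["id"], "caveats": zkey["caveats"] + [caveat], "sig": sig.hex()}

def derive_ekey(passphrase: str, salt: bytes) -> bytes:
    # Step 2 stand-in: PBKDF2 is an assumption, not the KDF from the encryption section.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def make_grant(zkey, ekey: bytes) -> str:
    # Step 3: the grant is both keys serialized together, built on the client.
    return json.dumps({"zKey": zkey, "eKey": ekey.hex()}, sort_keys=True)
```

Because each signature is keyed by the previous one, a holder can narrow a zKey but cannot strip a caveat without invalidating the final signature.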