Authentication overview

Storj utilizes a decentralized network architecture where data is encrypted, sharded, and distributed across independent storage nodes globally. Authentication for Storj is designed to integrate with this decentralized model, ensuring that access to user data remains secure and private. Unlike centralized cloud storage providers that might rely heavily on server-side managed identity systems, Storj emphasizes client-side control over encryption keys and permissions through Storj access grants.

The core principle behind Storj's authentication mechanism is that only the client holds the necessary decryption keys. This means that even Storj Labs, the company behind the Storj network, cannot access user data, reinforcing its privacy-focused posture. Developers can interact with Storj either through an S3-compatible Gateway, which allows the use of standard S3 client libraries and tools, or directly via native client-side libraries (libuplink) for various programming languages. Both methods require proper authentication to establish secure connections and authorize data operations.

The authentication process typically involves generating API keys and then using these keys to create access grants. These grants are cryptographically secure and define the scope of permissions (e.g., read, write, delete) and the specific buckets or prefixes a user or application can access. This granular control is a foundational element of Storj's security model, aligning with the principle of least privilege.

Supported authentication methods

Storj supports two primary authentication methods: API Keys and Access Grants. The choice between these methods largely depends on the integration point and the desired level of granularity and security for your application.

API Keys

API keys are fundamental for initiating interaction with the Storj network, particularly when using the S3-compatible Gateway. An API key typically consists of:

  • Access Key ID: A public identifier for the key.
  • Secret Access Key: A confidential key used to sign requests.

These keys are generated through the Storj Console and are used to authenticate requests to the S3 Gateway. When using the S3 Gateway, the process is similar to authenticating with AWS S3 using access keys, where requests are signed using the secret key. This method is suitable for applications that benefit from the S3 API's familiarity and existing tooling.

Access Grants

Access grants are a more advanced and secure method, especially when interacting directly with the decentralized network using native client-side libraries. An access grant is a serialized string that encapsulates:

  • API Key: For network authentication.
  • Encryption Key: For client-side data encryption/decryption.
  • Root Prefix: Defines the specific path within a bucket the grant applies to.
  • Permissions: Specifies allowed actions (e.g., read, write, list).

Access grants allow for fine-grained control over permissions and ensure that encryption keys never leave the client environment. They are designed to be shareable and revocable, providing robust security for decentralized applications. Storj recommends using access grants for direct libuplink integrations due to their enhanced security features, including built-in encryption key management.

The following table summarizes the primary authentication methods:

Method When to Use Security Level
API Keys (S3 Gateway) Integrating with S3-compatible tools and SDKs; existing S3 workflows. Standard (relies on secure key management and HTTPS).
Access Grants (libuplink) Direct integration with Storj network; client-side encryption and granular permissions required; decentralized applications. High (client-side encryption, embedded permissions, revocability).

Getting your credentials

To obtain the necessary authentication credentials for Storj, you will typically use the Storj Console:

  1. Create a Storj Account: If you don't already have one, sign up for a Storj account on their website.
  2. Log in to the Storj Console: Access your project dashboard.
  3. Generate API Keys:
    • Navigate to the 'Access' section in the console.
    • Select 'Create API Key'.
    • You will be prompted to choose a project and set permissions. For S3 Gateway access, you will generate an Access Key ID and a Secret Access Key. Ensure you save the Secret Access Key immediately, as it cannot be retrieved later.
    • These keys can then be configured in your S3 client or environment variables.
  4. Generate Access Grants:
    • In the 'Access' section, select 'Create Access Grant'.
    • Define the desired permissions (read, write, delete, list) and scope (e.g., specific bucket or path).
    • The console will generate a serialized access grant string. This string contains all necessary information, including the API key and encryption key, for client-side libraries to authenticate and interact with Storj.
    • Store this access grant securely, as it grants full access according to its embedded permissions.

For programmatic credential generation or management, Storj provides tools and SDKs that allow for automation, which is typically used in CI/CD pipelines or automated deployment scenarios. Refer to the Storj access management documentation for detailed instructions on managing credentials.

Authenticated request example

This example demonstrates an authenticated request using the S3-compatible Gateway with Python's boto3 library, a common approach for S3 interactions. For direct libuplink integrations, the process would involve initializing a client with an access grant string.

First, ensure you have boto3 installed:

pip install boto3

Next, configure your environment variables with the API keys obtained from the Storj Console. This is a common and recommended practice for managing credentials securely in development and production environments:

export AWS_ACCESS_KEY_ID="YOUR_STORJ_ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="YOUR_STORJ_SECRET_ACCESS_KEY"
export S3_ENDPOINT="https://gateway.storjshare.io" # or your custom S3 gateway endpoint

Here's a Python example to list buckets using the S3-compatible Gateway:

import boto3
import os

# Retrieve credentials from environment variables
access_key_id = os.environ.get("AWS_ACCESS_KEY_ID")
secret_access_key = os.environ.get("AWS_SECRET_ACCESS_KEY")
s3_endpoint_url = os.environ.get("S3_ENDPOINT", "https://gateway.storjshare.io")

if not all([access_key_id, secret_access_key]):
    print("Error: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables not set.")
    exit(1)

# Initialize the S3 client for Storj Gateway
s3_client = boto3.client(
    's3',
    aws_access_key_id=access_key_id,
    aws_secret_access_key=secret_access_key,
    endpoint_url=s3_endpoint_url
)

try:
    # List all buckets
    response = s3_client.list_buckets()
    print("Storj Buckets:")
    for bucket in response['Buckets']:
        print(f"  - {bucket['Name']}")
except Exception as e:
    print(f"An error occurred: {e}")

This script initializes a boto3 client, configuring it with your Storj API keys and the S3 Gateway endpoint. It then attempts to list all buckets associated with your account, demonstrating a successful authenticated request. For more complex operations or different programming languages, consult the Storj S3-compatible Gateway documentation and libuplink reference.

Security best practices

Implementing robust security practices is critical when working with any cloud storage, especially decentralized systems like Storj. Adhering to these guidelines helps protect your data and prevent unauthorized access:

  • Principle of Least Privilege: Always grant the minimum necessary permissions to API keys and access grants. For example, if an application only needs to read files, do not grant it write or delete permissions. This limits the potential damage if credentials are compromised. The principle of least privilege is a foundational security concept.
  • Secure Credential Storage: Never hardcode API keys or access grants directly into your application code. Use environment variables, secret management services (e.g., AWS Secrets Manager, HashiCorp Vault), or secure configuration files. For client-side applications, ensure access grants are not exposed in client-side code that could be inspected.
  • Regular Credential Rotation: Periodically rotate your API keys and access grants. This reduces the window of opportunity for an attacker to use compromised credentials. Establish a policy for how often these credentials should be updated.
  • Monitor Access and Usage: Regularly review access logs and usage patterns for your Storj project. Unusual activity could indicate a security breach. Storj provides logging capabilities that can be integrated with external monitoring tools.
  • Use Access Grants for Client-Side Applications: When building applications that directly interact with Storj using libuplink, leverage access grants. They embed encryption keys and granular permissions, enhancing security by keeping encryption client-side and limiting the scope of access.
  • Revoke Compromised Credentials Immediately: If you suspect an API key or access grant has been compromised, revoke it immediately through the Storj Console. This will invalidate the credential and prevent further unauthorized access.
  • Encrypt Data in Transit and At Rest: Storj inherently encrypts data at rest client-side by default when using access grants. For data in transit to the S3-compatible Gateway, ensure you are using HTTPS to protect against eavesdropping.
  • Segregate Environments: Use separate Storj projects or buckets for different environments (development, staging, production) and for different applications. This limits the blast radius if credentials for one environment are compromised.