Object Storage¶
The Object Storage tab manages buckets — S3-compatible containers for objects of any size. Two storage classes available: Standard (hot) and Archive (cold). All data is encrypted at rest with AES-256 and stays inside Bangladesh.
Overview¶
Object Storage tab — buckets in this project with size, object count, region, and any compliance flags.
Columns:
| Column | What it shows |
|---|---|
| Bucket name | Globally unique within the org |
| Region | bd-dha-1 / bd-ctg-1 / bd-syl-1 |
| Storage class | Standard / Archive (default per bucket; per-object override possible) |
| Versioning | Enabled / Disabled / Suspended |
| Object Lock | Enabled (with mode) / Disabled |
| Size | Sum of stored bytes (recomputed daily) |
| Object count | Sum of objects (recomputed daily) |
Click a bucket row to drill into the object browser, lifecycle policies, replication, ACL, and CORS.
Administration¶
Quotas¶
Project Settings → Quota → Object Storage:
- Bucket count per project — default 100, bumpable
- Total stored capacity — soft limit; informational only (you keep paying past the soft limit)
- Cross-region replication targets — count of CRR rules
Defaults¶
- Default region for new buckets
- Default storage class — Standard (most common) or Archive (compliance-archive projects)
- Default versioning — off / on / on-with-Object-Lock
- Default encryption — always on; KMS-managed keys (cluster) or BYOK via OpenBao (preview)
Operation¶
Creating a bucket¶
+ Create Bucket:
- Name — globally unique within the org; lowercase alphanumeric + dashes; 3–63 chars
- Region
- Storage class — Standard / Archive
- Versioning — Disabled / Enabled / Enabled with Object Lock
- Object Lock (only if Versioning + Object Lock chosen at create) — mode (
Governance/Compliance) and default retention period - Default encryption — Cluster KMS (default) / BYOK key from OpenBao
- Public access — block all (default) / configure ACLs per object
- Tags
Object Lock decisions are permanent
Object Lock = Compliance cannot be relaxed after creation. Use Governance if you want admins to be able to override retention. Use Compliance only for genuinely WORM data (BB FX records, NBR audit, BFIU AML).
Browsing objects¶
Click a bucket → object browser:
- Folder navigation (synthesised from
/-delimited keys) - Search by prefix in the address bar
- Upload — drag-drop or button; multipart upload kicks in for files > 5 MiB
- Download — single object or selected set as a
.zip - Delete — gated by Object Lock if applicable
- Copy / move — between buckets in the same region (cross-region needs CRR)
- Per-object metadata view — Content-Type, custom headers, encryption status
Lifecycle policies¶
Bucket detail → Lifecycle:
- Transition Standard → Archive after N days
- Expiration after N days (skipped for objects under Object Lock)
- Multipart-upload abandon cleanup — recommended (default 7 days)
Cross-region replication (CRR)¶
Bucket detail → Replication → + Add rule:
- Source prefix (optional — replicate everything by default)
- Destination bucket (different region or different account)
- Replication tier — copies stay in
Standardor get downgraded toArchiveat the destination - Replicate metadata + tags — usually yes
CRR requires versioning on both source and destination buckets.
Pre-signed URLs¶
For sharing a single object with a third party without giving them creds, use the API or CLI:
bash aws --endpoint-url https://s3.bd-dha-1.clouddigit.ai s3 presign s3://my-bucket/report.pdf --expires-in 3600
The console doesn't yet expose a button for this — use the CLI.
ACL and bucket policy¶
Bucket detail → Access:
- ACL — quick-grants for predefined groups (
AuthenticatedUsers,AllUsers, etc.) - Bucket policy — JSON document for fine-grained per-prefix access
For multi-tenant write to a shared bucket, prefer bucket policy with explicit aws:PrincipalArn checks; ACL is legacy and limited.
S3-compatibility¶
The S3 surface is at the per-region endpoint:
| Region | Endpoint |
|---|---|
bd-dha-1 | https://s3.bd-dha-1.clouddigit.ai |
bd-ctg-1 | https://s3.bd-ctg-1.clouddigit.ai |
bd-syl-1 | https://s3.bd-syl-1.clouddigit.ai |
Use any S3-compatible client. See Object Storage (S3) for code examples and the supported API surface.
Troubleshooting¶
| Symptom | Likely cause | Fix |
|---|---|---|
403 Forbidden on PUT | Bucket policy / ACL denies the principal | Check the bucket policy; confirm the IAM principal in your access keys has the action allowed |
403 Forbidden on DELETE despite full access | Object Lock retention period still active | Wait for retention to expire (cannot be bypassed for Compliance mode) |
| Bucket name "already exists" in another region | Bucket names are global within the org | Pick a unique name |
| Lifecycle transition not happening | Lifecycle rules evaluate once daily, not in real time | Wait 24 hours; or trigger via API to force immediate evaluation |
| CRR not replicating | Versioning off on source or destination; or replication rule paused | Check both buckets' versioning state; check the replication rule status |
| List objects returns empty for a bucket I just created | Object-counts are recomputed daily | Use the bucket browser directly — it lists in real time |
| Console download of large files times out | Browser download buffer; or international transit | Use the CLI for large files; or pre-sign URL and download from a closer region |
Pricing¶
- Storage — per GiB-month, by class
- Requests — per 1,000 PUT/POST/COPY; per 10,000 GET/HEAD
- Data transfer — domestic over BDIX is free; international metered per-GB
See Pricing model.
Related¶
- Object Storage (S3) — service docs + API surface
- Object Storage (Archive)
- Object Lock — WORM compliance retention
- Backup-as-a-Service — snapshots flow into Object Storage
- Snapshot Storage