Connecting
Endpoints, regions, path-style addressing, and per-bucket credentials.
Three things must line up for an S3 client to talk to Hep.gg storage: the endpoint, the region, and path-style addressing. Get any one wrong and the request fails before it reaches your objects.
Endpoints and regions
Each bucket lives on one instance, fixed at create time. Use the endpoint and region for the instance your bucket is on, both shown on the bucket's page in the dashboard.
| Instance | Endpoint | Region |
|---|---|---|
| Primary | https://s3.hep.gg | ca-central-hydra-1 |
| Secondary | https://ca-east-hydra-1.s3.hep.gg | ca-east-hydra-1 |
Path-style addressing
Hep.gg storage addresses buckets in the path, not as a subdomain of the endpoint:
https://s3.hep.gg/<bucket>/<object-key>
Virtual-hosted-style (https://<bucket>.s3.hep.gg/...) is not used. You must enable path-style in your client:
| Client | Flag |
|---|---|
| AWS SDK v3 | forcePathStyle: true |
| boto3 | Config(s3={"addressing_style": "path"}) |
| rclone | force_path_style = true |
| aws-cli | path-style is used automatically with --endpoint-url |
See Examples for full client configs.
Where the key comes from
Credentials are minted and managed in the dashboard; there is no public API to create them.
- Create a bucket in the dashboard and pick its instance (primary or secondary). The instance cannot be changed later.
- On creation, the bucket gets its own S3 service account: an access key and a secret key, scoped to that one bucket.
- View both keys at any time on the bucket's key page. The secret is not hidden after creation; you can copy it again whenever you need it.
- If a key leaks, rotate it from the dashboard. Rotation revokes the old pair and issues a new one, so update any client that used the old secret.
Authentication model
Requests use AWS Signature V4, signed with the bucket's access key and secret key. Any compliant S3 client handles the signing for you once you give it the credentials, endpoint, and region.
Anonymous access is also possible for public buckets, with no credentials at all. See Public objects.
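What a client does with the credentials, endpoint, and region when it signs, shown as an added example (not Hep.gg's code): standard-library Python that builds SigV4 headers for a path-style GET. The bucket name, object key, credentials, and timestamp are constructed placeholders, and `sign_get` is a hypothetical helper name.

```python
import hashlib
import hmac
from urllib.parse import quote, urlsplit

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET has an empty body

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get(endpoint, region, bucket, key, access_key, secret_key, amz_date):
    """Return (url, headers) for a SigV4-signed, path-style GET of one object."""
    host = urlsplit(endpoint).netloc
    # Path-style: the bucket is the first path segment, not a host label.
    uri = "/" + quote(bucket, safe="") + "/" + quote(key, safe="/")
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "GET", uri, "",  # method, canonical URI, empty query string
        "".join(f"{name}:{headers[name]}\n" for name in sorted(headers)),
        signed, EMPTY_SHA256])
    # The region is part of the credential scope, so it feeds the signature.
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = hmac_sha256(k, part)
    signature = hmac_sha256(k, to_sign).hex()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return endpoint + uri, headers

# Constructed sample values: placeholder bucket, key and credentials.
ARGS = dict(bucket="example-bucket", key="logs/2024 report.txt",
            access_key="EXAMPLEACCESSKEY", secret_key="example-secret-not-real",
            amz_date="20240101T000000Z")

if __name__ == "__main__":
    url, hdrs = sign_get("https://s3.hep.gg", "ca-central-hydra-1", **ARGS)
    print(url)
    print(hdrs["authorization"])
    # Same request signed with the other instance's region: the signature
    # differs, so a server verifying against its own region rejects it.
    _, wrong = sign_get("https://s3.hep.gg", "ca-east-hydra-1", **ARGS)
    print(wrong["authorization"] != hdrs["authorization"])
```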
Bucket naming and limits
Bucket names are validated at create time in the dashboard. The same rules govern what a client can address:
length, charset, edges
Bucket count is capped per account: 3 buckets on the free tier, 10 on Premium (summed across both instances). The free tier provides 10 GB on the secondary (best-effort) instance; Premium provides 10 GB on the primary (backed-up) instance. Purchased storage stacks on the primary instance. A PUT that would exceed your effective quota returns 403. See Public objects for error semantics.