# Permissions

## Application key restrictions <a href="#application_key_restrictions" id="application_key_restrictions"></a>

{% hint style="warning" %}
Only application keys manually created in the **Backblaze** web UI or via the **Backblaze B2** native API can be used to authenticate with the **Backblaze S3** compatible API.
{% endhint %}

{% hint style="danger" %}
The automatically created **master application key** is **not supported** by the **Backblaze S3** compatible API.
{% endhint %}

If an app key is restricted to a bucket, the `listAllBucketNames` permission is required for compatibility with SDKs and integrations. This permission can be enabled during creation in the web UI or via the `b2_create_key` API call.

As a rule, both `writeFiles` and `deleteFiles` permissions must be assigned to any key used for deleting files in the **S3** compatible API.

{% hint style="warning" %}
The **Backblaze S3** compatible API **does not support** unauthenticated `ListObject` calls on public buckets.
{% endhint %}

<figure><img src="https://desk.zoho.com/galleryDocuments/edbsnd8a23fc149ed44937c4ba90979a556d711bb4eba6153654a99eb700783f8ac3f343e40cc548f65540ef8a214f6e100e1?inline=true" alt=""><figcaption></figcaption></figure>

***

## Support for immutable storage <a href="#support_for_immutable_storage" id="support_for_immutable_storage"></a>

{% hint style="warning" %}
Remember that immutable storage configuration is available only when creating a new bucket — there is no option to enable it for an existing bucket.
{% endhint %}

{% hint style="danger" %}
Enabling retention and/or versioning for the bucket may result in additional data being stored. It is recommended that the retention period in **GitProtect** be longer than the one set for the storage. Otherwise, this may lead to storage overload.
{% endhint %}

If you want to use immutable storage, the following permissions are required:

{% code title="Required to read Object Lock" overflow="wrap" %}

```json
s3:GetBucketObjectLockConfiguration
```

{% endcode %}

{% code title="Required to read the versioning configuration" overflow="wrap" %}

```json
s3:GetBucketVersioning
```

{% endcode %}

Both permissions must be added to the **Action** section. After the changes, the section should look as shown below:

```json
"Action": [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration"
],
```
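
The rules on this page (a bucket-restricted key needs `listAllBucketNames`, deleting needs both `writeFiles` and `deleteFiles`, immutable storage needs the two read actions) can be checked before a key is configured as storage. This is an added example, not GitProtect or Backblaze code; the key dictionary shape, the sample values and the function names `audit_key` and `audit_actions` are assumptions made for illustration.

```python
# Added example: preflight check of the permission rules described on this page.
# The key dictionary shape (capabilities / bucketId) is an assumption.

IMMUTABLE_ACTIONS = {
    "s3:GetBucketObjectLockConfiguration",  # required to read Object Lock
    "s3:GetBucketVersioning",               # required to read versioning configuration
}


def audit_key(key, needs_delete=True):
    """Return a list of findings for a B2 application key description."""
    caps = set(key.get("capabilities", []))
    findings = []
    # Rule 1: a bucket-restricted key needs listAllBucketNames for SDK compatibility.
    if key.get("bucketId") and "listAllBucketNames" not in caps:
        findings.append("bucket-restricted key lacks listAllBucketNames")
    # Rule 2: deleting through the S3 compatible API needs BOTH capabilities.
    if needs_delete:
        for cap in ("writeFiles", "deleteFiles"):
            if cap not in caps:
                findings.append(f"delete requires {cap}")
    return findings


def audit_actions(actions, immutable=False):
    """Return the immutable-storage actions missing from an Action list."""
    if not immutable:
        return []
    return sorted(IMMUTABLE_ACTIONS - set(actions))


# Constructed sample inputs (not a real key or policy).
SAMPLE_KEY = {
    "bucketId": "example-bucket-id",
    "capabilities": ["listFiles", "readFiles", "writeFiles"],
}
SAMPLE_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetBucketVersioning",
]

if __name__ == "__main__":
    for finding in audit_key(SAMPLE_KEY):
        print("key:", finding)
    for action in audit_actions(SAMPLE_ACTIONS, immutable=True):
        print("policy: missing", action)
```

An empty result from both functions means the key and the Action list satisfy every rule listed above.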

***

## Useful links and items

{% embed url="https://www.backblaze.com/b2/docs/b2_create_bucket.html" %}

{% embed url="https://www.backblaze.com/blog/five-ways-to-use-object-lock-immutability/" %}
