# Permissions

## Application key restrictions <a href="#application_key_restrictions" id="application_key_restrictions"></a>

{% hint style="warning" %}
Only application keys manually created in the **Backblaze** web UI or via the **Backblaze B2** native API can be used to authenticate with the **Backblaze S3** compatible API.
{% endhint %}

{% hint style="danger" %}
The automatically created **master application key** is **not supported** by the **Backblaze S3** compatible API.
{% endhint %}

If an app key is restricted to a bucket, the `listAllBucketNames` permission is required for compatibility with SDKs and integrations. This permission can be enabled during creation in the web UI or via the `b2_create_key` API call.

As a rule, both `writeFiles` and `deleteFiles` permissions must be assigned to any key used for deleting files in the **S3** compatible API.
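
A pre-flight check for the two capability rules above, as an added example that is not part of the original documentation or GitProtect's own code. It assumes the key's capabilities are read from the `allowed` object of a `b2_authorize_account` (v2) response; the sample response, the bucket values and the function name `check_key_restrictions` are constructed for illustration.

```python
import json

# Constructed sample: trimmed b2_authorize_account (v2) response for a
# bucket-restricted application key. The values are placeholders.
SAMPLE_AUTH_RESPONSE = json.loads("""
{
  "allowed": {
    "bucketId": "BUCKET_ID_PLACEHOLDER",
    "bucketName": "example-backups",
    "capabilities": ["listFiles", "readFiles", "writeFiles", "deleteFiles"],
    "namePrefix": null
  }
}
""")


def check_key_restrictions(auth_response, needs_delete=True):
    """Return a list of problems with the key, based on the rules on this page.

    An empty list means the key satisfies both rules.
    """
    allowed = auth_response.get("allowed") or {}
    caps = set(allowed.get("capabilities") or [])
    problems = []

    # Rule 1: a key restricted to a bucket needs listAllBucketNames
    # for compatibility with SDKs and integrations.
    if allowed.get("bucketId") and "listAllBucketNames" not in caps:
        problems.append("bucket-restricted key is missing listAllBucketNames")

    # Rule 2: deleting through the S3 compatible API needs both
    # writeFiles and deleteFiles on the same key.
    if needs_delete:
        missing = sorted({"writeFiles", "deleteFiles"} - caps)
        if missing:
            problems.append("delete requires: " + ", ".join(missing))

    return problems


if __name__ == "__main__":
    for problem in check_key_restrictions(SAMPLE_AUTH_RESPONSE):
        print("FAIL:", problem)
```
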

{% hint style="warning" %}
The **Backblaze S3** compatible API **does not support** unauthenticated `ListObject` calls on public buckets.
{% endhint %}

<figure><img src="https://desk.zoho.com/galleryDocuments/edbsnd8a23fc149ed44937c4ba90979a556d711bb4eba6153654a99eb700783f8ac3f343e40cc548f65540ef8a214f6e100e1?inline=true" alt=""><figcaption></figcaption></figure>

***

## Support for immutable storage <a href="#support_for_immutable_storage" id="support_for_immutable_storage"></a>

{% hint style="warning" %}
Remember that immutable storage configuration is available only when creating a new bucket — there is no option to enable it for an existing bucket.
{% endhint %}

{% hint style="danger" %}
Enabling retention and/or versioning for the bucket may result in additional data being stored. It is recommended that the retention period in **GitProtect** be longer than the one set for the storage. Otherwise, this may lead to storage overload.
{% endhint %}

If you want to use immutable storage, the following permissions are required:

{% code title="Required to read Object Lock" overflow="wrap" %}

```json
s3:GetBucketObjectLockConfiguration
```

{% endcode %}

{% code title="Required to read the versioning configuration" overflow="wrap" %}

```json
s3:GetBucketVersioning
```

{% endcode %}

Both must be added to the **Action** section; after the changes, the section should look as shown below:

```json
"Action": [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration"
],
```

***

## Useful links and items

{% embed url="<https://www.backblaze.com/b2/docs/b2_create_bucket.html>" %}

{% embed url="<https://www.backblaze.com/blog/five-ways-to-use-object-lock-immutability/>" %}


