Commit 4d9bf42

mgajda, kangasta, paketeserrano authored
docs: add missing policy attachment step for object storage (#637)
* docs: add missing policy attachment step for object storage

  Add documentation for attaching user access policies to object storage users, which is required for bucket access via AWS CLI and S3-compatible tools.

  The documentation now includes:
  1. API-based policy attachment using curl with token authentication
  2. Web console-based policy attachment
  3. Important note about permission requirements

  Fixes #570

* docs: add missing policy attachment step for object storage

  Add complete end-to-end documentation for object storage access including the critical policy attachment step that was missing.

  Changes:
  - Add policy attachment via UpCloud API (tested, returns HTTP 204)
  - Add policy attachment via web console alternative
  - Add S3 access verification example with AWS CLI
  - Clarify credential usage (UpCloud API token vs S3 access keys)
  - Include note about saving S3 access key credentials

  Without the policy attachment step, users cannot access buckets via S3-compatible tools even with valid S3 access keys.

  Tested end-to-end workflow:
  - Service and bucket creation ✓
  - User and S3 access key creation ✓
  - Policy attachment via API ✓ (HTTP 204 success)
  - Documentation includes S3 access verification

  Fixes #570

* Apply suggestions from code review

  Mark example using `aws` command as not to be tested, since command is missing on CI.

  Co-authored-by: Toni Kangas <kangasta@users.noreply.github.com>

* docs: parse dynamic values for object storage example testing

  Address review feedback from paketeserrano on PR #637 to enable automated testing in .github/workflows/examples.yaml:
  - Parse service UUID dynamically from `upctl object-storage list`
  - Capture access key credentials from JSON output
  - Extract service endpoint from `upctl object-storage show`
  - Replace placeholder values with actual parsed variables

  This allows the documentation to function as an automated test in the CI/CD workflow without manual value substitution. The documentation remains readable while being executable.

* docs: skip curl policy attachment in CI tests

  The curl command for policy attachment requires UPCLOUD_TOKEN (bearer token) but CI only provides UPCLOUD_USERNAME/PASSWORD. Mark the curl block with when=false to skip during mdtest execution.

  This fixes the exit code 102 failure in the Examples workflow. The policy attachment is still documented for manual use and the alternative web console method is provided.

  Added explanatory comment about why this is skipped in tests.

* chore: remove user deletion

---------

Co-authored-by: Toni Kangas <kangasta@users.noreply.github.com>
Co-authored-by: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com>
Co-authored-by: Francisco Serrano <francisco.serrano@upcloud.com>
1 parent 37677a0 commit 4d9bf42

1 file changed: +44 -6 lines changed

examples/use_object_storage.md

Lines changed: 44 additions & 6 deletions
@@ -32,17 +32,55 @@ Create a user and an access key for S3-compatible access:
3232

3333
```sh
3434
upctl object-storage user create ${prefix}service --username ${prefix}user
35-
upctl object-storage access-key create ${prefix}service --username ${prefix}user
35+
36+
# Create access key and save credentials
37+
access_key_output=$(upctl object-storage access-key create ${prefix}service --username ${prefix}user -o json)
38+
access_key_id=$(echo "$access_key_output" | jq -r '.access_key_id')
39+
secret_access_key=$(echo "$access_key_output" | jq -r '.secret_access_key')
3640
```
3741

38-
Once not needed anymore, delete the user:
42+
Save the access key ID and secret access key from the output - you'll need these for S3 access.
3943

40-
```sh
41-
upctl object-storage user delete ${prefix}service --username ${prefix}user
44+
Attach a policy to grant the user access to buckets:
45+
46+
1. **Using the UpCloud API:**
47+
48+
First, get your service UUID:
49+
```sh
50+
service_uuid=$(upctl object-storage list -o json | jq -r ".[] | select(.name == \"${prefix}service\") | .uuid")
51+
```
52+
53+
Then attach the policy (requires UPCLOUD_TOKEN environment variable):
54+
```sh when="false"
55+
# Note: This command requires a bearer token which can be created via the UpCloud Control Panel
56+
# The when=false flag skips this in automated tests since only username/password are available in CI
57+
curl -X POST "https://api.upcloud.com/1.3/object-storage-2/${service_uuid}/users/${prefix}user/policies" \
58+
-H "Authorization: Bearer ${UPCLOUD_TOKEN}" \
59+
-H "Content-Type: application/json" \
60+
-d '{"name": "ECSS3FullAccess"}'
61+
```
62+
63+
A successful response returns HTTP status 204.
64+
65+
2. **Using the UpCloud Control Panel:**
66+
Navigate to Object Storage → Users → Select user → Attach Policy → ECSS3FullAccess
67+
68+
**Note:** Without attaching a policy, the user won't have permission to access buckets via AWS CLI or S3-compatible tools.
69+
70+
Verify S3 access with AWS CLI:
71+
72+
```sh when="false"
73+
# Get the service endpoint
74+
service_endpoint=$(upctl object-storage show ${prefix}service -o json | jq -r '.endpoints[0].domain_name')
75+
76+
# Configure AWS CLI with your credentials and test access
77+
AWS_ACCESS_KEY_ID=${access_key_id} \
78+
AWS_SECRET_ACCESS_KEY=${secret_access_key} \
79+
aws s3 ls --endpoint-url https://${service_endpoint}
4280
```
4381

44-
Delete also the managed object storage service along with all its sub-resources such as buckets and users:
82+
Delete the managed object storage service along with all its sub-resources such as buckets and users:
4583

4684
```sh
4785
upctl object-storage delete ${prefix}service --force
48-
```
86+
```
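
Review bot: The policy attachment at new lines 57-60 hard-codes `ECSS3FullAccess` without saying what it grants, while the verification step that follows only runs `aws s3 ls`. Add a sentence stating that the name implies full S3 access for the user and that a narrower policy should be attached where the user only needs to list or read. Two smaller points in the same hunk: new line 63 says success is HTTP 204, but the curl call as written prints no status and exits 0 on an HTTP error, so adding `--fail` or `-w '%{http_code}\n'` would let the reader confirm it; and new line 42 asks the reader to save the credentials "from the output", yet line 37 captures that output into `access_key_output`, so nothing is displayed. Reword line 42 to refer to the `access_key_id` and `secret_access_key` variables, and mention that the secret stays in the shell environment for the rest of the session.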
