# Access to buckets for data transfers

When you [create a data transfer](/object-storage/transfer/launch), you provide credentials that Object Storage uses to access the buckets. These credentials belong to accounts in storage services, such as [service accounts](/iam/overview#accounts-and-members) in Nebius AI Cloud. The accounts perform actions on buckets and objects during the data transfer, so they must have sufficient permissions for these actions.

## Required permissions

Before you [launch a data transfer](/object-storage/transfer/launch), make sure that the accounts at the source and destination have sufficient permissions to perform operations on buckets and objects. In Nebius AI Cloud, you can [add a service account to a group](/iam/authorization/groups/members) and either assign this group [roles](/iam/authorization/roles) with the necessary permissions or set up [bucket policies](/object-storage/buckets/bucket-policy) for the group.

The table below lists the actions that must be permitted and the minimum Nebius AI Cloud roles that contain the permissions:

| Transfer side | Actions                                                                                                         | Minimum Nebius AI Cloud roles                                                                            |
| ------------- | --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| Source        | `ListObjects`,<br />`HeadObject`,<br />`GetObject`                                                              | `storage.object-lister` + `storage.object-viewer` (combination)<br />or `storage.viewer` (single role)   |
| Destination   | `HeadObject`,<br />`PutObject`,<br />`CreateMultipartUpload`,<br />`UploadPart`,<br />`CompleteMultipartUpload` | `storage.object-viewer` + `storage.uploader` (combination)<br />or `storage.object-editor` (single role) |

For more information about these actions, see [Iterations](/object-storage/transfer/overview#iterations).

## Credentials

Provide credentials when you create a data transfer. The account (such as a [service account](/iam/overview#accounts-and-members)) uses the credentials to access buckets and objects and perform operations on them.

### Credentials for S3-compatible storage services

For a bucket in Object Storage or another S3-compatible storage service, the required credentials are a pair of keys called *access and secret keys*, also known as *access key ID and secret access key*. Add these credentials to the transfer configuration when you [create](/object-storage/transfer/launch) or [modify](/object-storage/transfer/manage) a data transfer:

<Tabs>
  <Tab title="Web console">
    In the [web console](https://console.nebius.com/datatransfer), settings for credentials appear under **Source** and **Destination** when you create or modify a data transfer. To enter the access and secret keys, under **Credentials**, select **Access and secret keys**.
  </Tab>

  <Tab title="CLI">
    Use `.spec.{source,destination}.{nebius,s3_compatible}.access_key` to add credentials. For example, when you're transferring data from a Nebius AI Cloud bucket (`.spec.source.nebius`) to an S3-compatible bucket (`.spec.destination.s3_compatible`), add credentials like this:

    ```json
    {
      "spec": {
        "source": {
          "nebius": {
            "access_key": {
              "access_key_id": "<source_access_key_ID>",
              "secret_access_key": "<source_secret_access_key>"
            },
            // Other source parameters
          }
        },
        "destination": {
          "s3_compatible": {
            "access_key": {
              "access_key_id": "<destination_access_key_ID>",
              "secret_access_key": "<destination_secret_access_key>"
            },
            // Other destination parameters
          }
        },
        // Other parameters
      }
    }
    ```

    Set the values of `.spec.{source,destination}.{nebius,s3_compatible}.access_key.{access_key_id,secret_access_key}` securely, for example, by using environment variables.
  </Tab>

  <Tab title="Terraform">
    Use `{source,destination}.{nebius,s3_compatible}.access_key` to add credentials. For example, when you're transferring data from a Nebius AI Cloud bucket (`source.nebius`) to an S3-compatible bucket (`destination.s3_compatible`), add credentials like this:

    ```hcl
    resource "nebius_storage_v1_transfer" "example" {
      source {
        nebius {
          access_key {
            access_key_id     = var.source_access_key_id
            secret_access_key = var.source_secret_access_key
          }
        }
        # Other source parameters
      }

      destination {
        s3_compatible {
          access_key {
            access_key_id     = var.destination_access_key_id
            secret_access_key = var.destination_secret_access_key
          }
        }
        # Other destination parameters
      }

      # Other parameters
    }
    ```

    Set the values of the `var.source_access_key_id`, `var.source_secret_access_key`, `var.destination_access_key_id` and `var.destination_secret_access_key` [input variables](https://developer.hashicorp.com/terraform/language/values/variables) securely, for example, by using environment variables or a secrets manager.
  </Tab>
</Tabs>

To get access and secret keys for an Object Storage bucket, [create access keys](/iam/service-accounts/access-keys) for a service account that has the [required permissions](#required-permissions).

### Credentials for source containers in Azure Blob Storage

If your source bucket ([container](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction#containers)) is in Azure Blob Storage, provide credentials of your [storage account in Azure](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview): the name and [access key](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage).

Do not confuse a storage account with an Azure account. The storage account is used for data objects, such as blobs or files.

<Tabs>
  <Tab title="Web console">
    In the [web console](https://console.nebius.com/datatransfer), settings for credentials appear under **Source** when you create or modify a data transfer and select **Azure** as the source type. To enter the storage account name and access key, under **Credentials**, select **Access key**.
  </Tab>

  <Tab title="CLI">
    Use parameters in `.spec.source.azure_blob_storage`:

    ```json
    {
      "spec": {
        "source": {
          "azure_blob_storage": {
            "endpoint": "<storage_account_endpoint>",
            "container_name": "<container_name>",
            "azure_storage_account": {
              "account_name": "<storage_account_name>",
              "access_key": "<access_key>"
            }
          }
        },
        // Destination and other parameters
      }
    }
    ```

    * `.spec.source.azure_blob_storage.endpoint`: Endpoint of the Azure storage account in the format `https://<storage_account_name>.blob.core.windows.net`.
    * `.spec.source.azure_blob_storage.container_name`: Name of the source container in Azure Blob Storage.
    * `.spec.source.azure_blob_storage.azure_storage_account.account_name`: Name of the storage account.
    * `.spec.source.azure_blob_storage.azure_storage_account.access_key`: Access key from Azure that the storage account uses for authentication. Set this value securely, for example, by using environment variables.
  </Tab>

  <Tab title="Terraform">
    Use arguments in `source.azure_blob_storage`:

    ```hcl
    resource "nebius_storage_v1_transfer" "example" {
      source {
        azure_blob_storage {
          endpoint       = var.source_storage_account_endpoint
          container_name = var.source_container_name

          azure_storage_account {
            account_name = var.source_storage_account_name
            access_key   = var.source_storage_account_access_key
          }
        }
      }
      # Destination and other parameters
    }
    ```

    * `source.azure_blob_storage.endpoint`: Endpoint of the Azure storage account in the format `https://<storage_account_name>.blob.core.windows.net`.
    * `source.azure_blob_storage.container_name`: Name of the source container in Azure Blob Storage.
    * `source.azure_blob_storage.azure_storage_account.account_name`: Name of the storage account.
    * `source.azure_blob_storage.azure_storage_account.access_key`: Access key from Azure that the storage account uses for authentication. In this example, the value comes from an [input variable](https://developer.hashicorp.com/terraform/language/values/variables). Set it securely, for example, by using environment variables.
  </Tab>
</Tabs>

### Anonymous access

If a bucket has anonymous access enabled, meaning that all unauthenticated users have the [required permissions](#required-permissions) in the bucket, you can skip providing credentials:

<Tabs>
  <Tab title="Web console">
    In the [web console](https://console.nebius.com/datatransfer), settings for credentials appear under **Source** when you create or modify a data transfer. To set up anonymous access, under **Credentials**, select **Anonymous**.
  </Tab>

  <Tab title="CLI">
    Use `{"anonymous": {}}` in `.spec.source.{nebius,s3_compatible,azure_blob_storage}` or `.spec.destination.s3_compatible`. For example, when you're transferring data from a Nebius AI Cloud bucket (`.spec.source.nebius`), set up anonymous access like this:

    ```json
    {
      "spec": {
        "source": {
          "nebius": {
            "anonymous": {},
            // Other source parameters
          }
        },
        // Destination and other parameters
      }
    }
    ```
  </Tab>

  <Tab title="Terraform">
    Use `anonymous {}` in `source.{nebius,s3_compatible,azure_blob_storage}` or `destination.s3_compatible`. For example, when you're transferring data from a Nebius AI Cloud bucket (`source.nebius`), set up anonymous access like this:

    ```hcl
    resource "nebius_storage_v1_transfer" "example" {
      source {
        nebius {
          anonymous {}
        }
      }
      # Destination and other parameters
    }
    ```
  </Tab>
</Tabs>

Destination buckets in Nebius AI Cloud don't support the anonymous access setting because Object Storage doesn't allow anonymous write access.
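
The following added example (not part of the Nebius documentation or tooling) shows one way to apply the guidance on access keys and anonymous access together: it fills the credential part of the CLI spec from environment variables, rejects anonymous access where this page says it is unsupported, and masks secrets before anything is printed. The environment variable names and function names are assumptions, and only the `nebius` and `s3_compatible` storage types are covered.

```python
import os

# Environment variable names are assumptions made for this example.
ENV_KEYS = {
    "source": ("SRC_ACCESS_KEY_ID", "SRC_SECRET_ACCESS_KEY"),
    "destination": ("DST_ACCESS_KEY_ID", "DST_SECRET_ACCESS_KEY"),
}
S3_TYPES = {"nebius", "s3_compatible"}  # Azure sources are left out here
# Storage types that accept {"anonymous": {}} on each side, per the page.
ANONYMOUS_OK = {"source": S3_TYPES, "destination": {"s3_compatible"}}


def credentials_from_env(side, env):
    """Return an access_key block for one side, or anonymous if no key is set."""
    id_var, secret_var = ENV_KEYS[side]
    key_id, secret = env.get(id_var), env.get(secret_var)
    if key_id and secret:
        return {"access_key": {"access_key_id": key_id, "secret_access_key": secret}}
    if key_id or secret:
        raise ValueError(f"{side}: set both {id_var} and {secret_var}, or neither")
    return {"anonymous": {}}


def build_spec(source_type, destination_type, env=None):
    """Build the credential part of a transfer spec from the environment."""
    env = os.environ if env is None else env
    spec = {"spec": {}}
    for side, storage in (("source", source_type), ("destination", destination_type)):
        if storage not in S3_TYPES:
            raise ValueError(f"{side}: this example does not cover {storage}")
        creds = credentials_from_env(side, env)
        if "anonymous" in creds and storage not in ANONYMOUS_OK[side]:
            raise ValueError(f"{side}.{storage} does not accept anonymous access")
        spec["spec"][side] = {storage: creds}
    return spec


def redacted(node):
    """Copy of the spec with secret values masked, safe to print or log."""
    if not isinstance(node, dict):
        return node
    return {k: "***" if k == "secret_access_key" else redacted(v)
            for k, v in node.items()}


if __name__ == "__main__":
    import json
    # Constructed sample values, not real keys.
    sample = {"SRC_ACCESS_KEY_ID": "SRCKEYID", "SRC_SECRET_ACCESS_KEY": "src-secret",
              "DST_ACCESS_KEY_ID": "DSTKEYID", "DST_SECRET_ACCESS_KEY": "dst-secret"}
    print(json.dumps(redacted(build_spec("nebius", "s3_compatible", sample)), indent=2))
```

Because a side with no keys set falls back to `{"anonymous": {}}`, a missing destination key for a Nebius AI Cloud bucket fails at build time instead of producing a spec that the service would reject.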
