Overview of Object Storage
The Oracle Cloud Infrastructure Object Storage service is an internet-scale, high-performance storage platform that offers reliable and cost-efficient data durability. The Object Storage service can store an unlimited amount of unstructured data of any content type, including analytic data and rich content, like images and videos.
With Object Storage, you can safely and securely store or retrieve data directly from the internet or from within the cloud platform. Object Storage offers multiple management interfaces that let you easily manage storage at scale. The elasticity of the platform lets you start small and scale seamlessly, without experiencing any degradation in performance or service reliability.
Object Storage is a regional service and is not tied to any specific compute instance. You can access data from anywhere inside or outside the context of the Oracle Cloud Infrastructure, as long you have internet connectivity and can access one of the Object Storage endpoints. Authorization and resource limits are discussed later in this topic.
Oracle Cloud Infrastructure supports multiple storage tiers that offer cost and performance flexibility. Standard is the default storage tier for Object Storage buckets.
Object Storage also supports private access from Oracle Cloud Infrastructure resources in a VCN through a service gateway. A service gateway allows connectivity to the Object Storage public endpoints from private IP addresses in private subnets. For example, you can back up DB systems to an Object Storage bucket over the Oracle Cloud Infrastructure backbone instead of over the internet. You can optionally use IAM policies to control which VCNs or ranges of IP addresses can access Object Storage. See Access to Oracle Services: Service Gateway for details.
Object Storage is Always Free eligible. For more information about Always Free resources, including capabilities and limitations, see Oracle Cloud Infrastructure Free Tier.
Object Storage Resources
Use the following Object Storage resources to store and manage data. Authorization and resource limits are discussed later in this topic.
Buckets are logical containers for storing objects. Users or systems create buckets as needed within a region. A bucket is associated with a single compartment that has policies that determine what actions a user can perform on a bucket and on all the objects in the bucket.
Any type of data, regardless of content type, is stored as an object. An object is composed of the object itself and metadata about the object. Each object is stored in a bucket.
namespace serves as the top-level container for all buckets and objects. At account creation time, each tenant is assigned one unique system-generated and immutable namespace name. The namespace spans all compartments within a region. You control bucket names, but those bucket names must be unique within a namespace. While the namespace is region-specific, the namespace name itself is the same in all regions. See Understanding Object Storage Namespaces for more details, including information about older tenancy names, illustrative examples of namespaces, and how to obtain your namespace string.
A compartment is the primary building block used to organize your cloud resources. When your tenancy is provisioned, a root compartment is created for you. You can then create compartments under your root compartment to organize your resources. You control access by creating policies that specify what actions groups of users can take on the resources in those compartments. An Object Storage bucket can only exist in one compartment.
Object Storage Characteristics
Object Storage provides the following features:
- STRONG CONSISTENCY
- When a read request is made, Object Storage always serves the most recent copy of the data that was written to the system.
- Object Storage is a regional service. Data is stored redundantly across multiple storage servers. Object Storage actively monitors data integrity using checksums and automatically detects and repairs corrupt data. Object Storage actively monitors and ensures data redundancy. If a redundancy loss is detected, Object Storage automatically creates more data copies. For more details about Object Storage durability, see the Object Storage FAQ.
- custom metadata
- You can define your own extensive metadata as key-value pairs for any purpose. For example, you can create descriptive tags for objects, retrieve those tags, and sort through the data. You can assign custom metadata to objects and buckets using the Oracle Cloud Infrastructure CLI or SDK. See Software Development Kits and Command Line Interface for details.
- Object Storage ensures security of the stored data using data encryption. Data encryption is a method used to protect data confidentiality. The data can be accessed using decryption keys created while uploading objects to a bucket. This is used in conjunction with IAM policies that authenticate the users performing the task. See Encrypting Data for details.
Ways to Access Object Storage
You can access Object Storage using any of the following options, based on your preference and its suitability for the task you want to complete:
- The Console is an easy-to-use, browser-based interface. To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You are prompted to enter your cloud tenant, your user name, and your password.
- The command line interface (CLI) provides both quick access and full functionality without the need for programming. For more information, see Using the CLI.
- The REST API provides the most functionality, but requires programming expertise. API Reference and Endpoints provides endpoint details and links to the available API reference documents. For general information about using the API, see REST APIs. Object Storage is accessible with the following APIs:
- Oracle Cloud Infrastructure provides SDKs that interact with Object Storage without you having to create a framework. For general information about using the SDKs, see Software Development Kits and Command Line Interface.
Using Object Storage
If you are ready to use Object Storage, you can find more information in the following topics:
- For instructions on how to create a bucket and store an object in the bucket, see Putting Data into Object Storage.
- For task documentation related to buckets, see Managing Buckets, Using Replication, and Using Retention Rules to Preserve Data.
- For task documentation related to objects, see Managing Objects, Using Object Versioning, and Copying Objects.
- For task documentation related to lifecycle management, see Using Object Lifecycle Management.
- For API reference documentation, see Object Storage Service API.
- For SDK and CLI information, see Software Development Kits and Command Line Interface.
- For more information about using Archive Storage, see Overview of Archive Storage.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API). IAM also manages user credentials for things like API signing keys, auth tokens, and customer secret keys for Amazon S3 Compatibility API. See User Credentials for details.
An administrator in your organization needs to set up groups , compartments , and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create users and groups, create buckets, download objects, and manage Object Storage-related policies and rules. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see the Policy Reference. For specific details about writing policies for Object Storage, see Details for Object Storage, Archive Storage, and Data Transfer.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.
In addition to creating IAM policies, follow these security best practices for Object Storage.
- Encrypt objects with a custom key, and rotate keys
- Take regular backups
- Use Oracle Cloud Guard to detect and respond to security problems
- Perform a security audit
Blocking Access to Object Storage Resources from Unauthorized IP Addresses
You can enhance the security of your Object Storage policies by restricting access only to requests that originate from an allowed IP address. First, you create a network source to specify the allowed IP addresses, then you add a condition to your policy to restrict access to the IP addresses in the network source. An example of a policy that restricts access to only IP addresses in a network source is:
allow group CorporateUsers to manage object-family in tenancy where request.networkSource.name='corpnet'
For information on creating network sources and using them in a policy, see Managing Network Sources.
Object Storage IP Addresses
The Oracle Cloud Infrastructure Object Storage service uses the CIDR block IP range 18.104.22.168/16 for all regions.
Limits on Object Storage Resources
To set tenancy or compartment-specific storage limits, administrators can use Object Storage Quotas.
Other limits include:
- Number of Object Storage namespaces per root compartment: 1
- Maximum object size: 10 TiB
- Maximum object part size in a multipart upload: 50 GiB
- Maximum number of parts in a multipart upload: 10,000
- Maximum object size allowed by PutObject API: 50 GiB
- Maximum size of object metadata: 2 K