Edge Storage

Azion Edge Storage is a scalable and secure storage service designed to integrate object storage with the Azion Edge Platform using the S3 standard for object operations.

Edge Storage allows you to create buckets, which can be used as origins for edge applications or as directories for real-time object upload. Alongside bucket creation, you possess complete control over storage allocation, bucket and object access management, as well as the ability to upload, change, and delete objects.

ScopeResource
Manage a bucketHow to create and modify an Edge Storage bucket
Upload and download objectsHow to upload and download objects from an Edge Storage bucket
Use bucket as originHow to use an Edge Storage bucket as the origin of a static edge application
Set up the S3 protocolHow to access an Edge Storage bucket using the S3 protocol
Runtime APIEdge Storage API

Buckets are the system used to organize stored objects. Similar to folders, buckets are the top-level containers to store objects. Buckets can be created using the Azion API.

All buckets created with Azion Edge Storage are stored in the us-east cloud server.

Bucket names are exclusive between all Azion accounts. Names must range between 6 and 63 characters and must not start with azion. Alphanumeric characters and hyphen (-) are accepted.

Best practices for naming buckets include specifying what types of objects are stored and the type of permissions for the objects. For example, a bucket for an edge application Banking App in read-only mode could be named banking-app-ro.


Objects, or files, can be uploaded, modified, downloaded, and removed from buckets using the Azion API, Edge Runtime, and the S3 protocol.

An object key is a string of characters that composes a unique identifier for objects stored in Edge Storage buckets. Through the available tools, users can retrieve a file stored in a bucket by using its object key.

The object key isn’t required to match the original file path or name from the local storage from which it was retrieved, nor contain the original file extension. However, when uploading a local file to a bucket, it’s recommended to attribute the object key after the file to match local storage conventions. For example, for the local file folder/file.png, the object key should be the same.

The object key cannot be changed. Uploading a different object or modifying object contents using an existing key replaces the object. Once an object is replaced, earlier versions can’t be retrieved.

A prefix is a combination of paths that simulate a folder hierarchy. Since buckets can’t be organized into folders, you can use the forward slash (/) when creating keys to categorize objects in your bucket into a prefix.

For instance, the list of keys below represents the simulated hierarchy of an application stored in a bucket with prefixes:

Terminal window
README.md
src/index.js
src/index.html
src/assets/styles.css
src/assets/images/image.png

The object README.md is located at the root of the bucket. The src prefix corresponds to a folder and contains the objects index.js and index.html. Additionally, the src/assets prefix contains a styles.css object and the src/assets/images prefix, in turn, contains the image.png object.

When creating an edge storage origin, you can set a prefix to serve to the edge. For instance, using the example above, you can create an origin that only serves the image.png object by setting the prefix to src/assets/images.

With Edge Storage, you can use buckets as an origin in Azion Edge Application to retrieve the content of an edge application.

You can determine if the content is retrieved from the root of the bucket or from a prefix within the bucket.


An operation refers to any exchang of data between a client and Edge Storage. Any and all actions related to buckets and objects, such as create, delete, list, and update, is considered an operation. Each time one of these methods is used, either through the API or the S3 protocol, an operation is logged.

All operations are available in the Azion API documentation.

The current release of the Edge Storage offers the following operations:

ClassOperation nameHTTP methodS3 capability
AListObjectsGETlistFiles
listBuckets*
ACreateBucketPOST
AListBucketsGETlistAllBucketNames
AUpdateBucketPATCH
BGetObjectGETreadFiles
CPostObjectPOST
CPutObjectPUTwriteFiles
CDeleteObjectDELETEdeleteFiles
CDeleteBucketDELETE

* If listBuckets is enabled, when attempting to retrieve files that aren’t in the bucket using an S3 credential, the proper 404 Not Found status response returns instead of a 403 Forbidden status. Find out more about S3 capabilities in S3 protocol compatibility.

Uploads an object to a bucket.

For the Azion API, you can specify the MIME type of the object being sent in the body using the Content-Type header. For example, objects with the .txt extension should contain the Content-Type: text/plain header. If the MIME type isn’t specified, Edge Storage will attempt to interpret the file type based on the file extension. Alternatively, use the application/octet-stream MIME type to indicate that the data is a binary stream and the server should handle it as raw binary data.

Sending a new object with an object key that already exists in the bucket will replace the previous object.

Uploads an object to a bucket.

Sending a new object with an object key that already existed in the bucket will replace the previous object.

Removes an object from a bucket.

When you delete an object that is being served on the edge, it’ll immediately stop being served and will no longer be listed in the bucket.

Removes a bucket from an account.

Buckets that contain objects cannot be deleted. After removing the final object from a bucket, there is a 24-hour period before the bucket can be deleted.

Retrieves an object from a bucket.

Retrieves a list of objects loaded into a bucket.

This operation returns details of all objects in the bucket, including the size in bytes and the timestamp of the last modification.

Retrieves a list of buckets associated with an account.

Creates a new bucket for an account.

Modifies bucket information.

Use this operation to change the access permissions to the objects in the bucket. Buckets cannot be renamed with this operation.


Authentication and permissions

Section titled Authentication and permissions

Operations involving buckets, such as uploading, listing, and deleting objects, always require authentication through the Azion account.

You can manage two kinds of permissions for your buckets and objects:

  • Bucket permissions: manage access from the edge and other users to buckets and objects within buckets using the Azion REST API.
  • S3 credentials: manage access for Azion account users through capabilities and assign operation permissions exclusive to S3 protocol access.

In addition to the required authentication and necessary permissions, some API operations can be restricted by bucket permissions. The permissions available are:

  • Read-only: objects in the bucket can be read but not modified.
  • Read-write: objects in the bucket can be modified.
  • Restricted: objects in the bucket can be modified and read but can’t be accessed by the Azion Edge Platform. Buckets can’t be modified using Edge Runtime and can’t be used as an origin for edge applications.

Edge Storage offers compatibility with the S3 protocol through credentials.

Credentials can be created for any bucket that you own or for your account as a whole to manage all your buckets. With them, you can control permissions for operations associated with that credential. The permissions for the credential are exclusive to access thorugh the S3 protocol.

To create a S3 credential, you must use an Azion personal token and run a POST request via API. However, after the credential is created, it works independently from your Azion token. This way, even if the token expires, the credential remains valid.

Once a credential is created, an access key and a secret key are generated, which can be used to set up access to the bucket through the S3 protocol. For security reasons, the secret key won’t be available after the credential is created. Existing credentials can’t be modified in any way.

Once a user’s access is verified, they’re allowed to make operations depending on the capabilities and permissions set for the credential.

You can assign the following capabilities to S3 credentials:

  • listFiles: equivalent to ListObjects, returns a list of objects within the bucket.
  • readFiles: equivalent to GetObject, returns an object from the bucket through the object key.
  • writeFiles: equivalent to PutObject, allows modifying files in the bucket through the object key.
  • deleteFiles: equivalent to DeleteObject, allows object deletion through the object key.
  • listAllBucketNames: equivalent to ListBuckets, allows you to list all buckets associated with the account.
  • listBuckets: if enabled, returns the proper 404 Not Found response when attempting to retrieve files that aren’t in the bucket using the credential.

After an S3 credential is created for a bucket, you can use the S3 protocol (s3://) to execute operations according to the list of capabilities.

The S3 protocol allows you to access buckets and objects using an Edge Storage URL. This configuration facilitates file operations through command line interface (CLI) tools, such as s3cmd, database services, or functions.

You can use the access and secret keys provided by the S3 credentials API to set up a connection using the S3 protocol.

learn How to access Edge Storage using the S3 protocol

To do so, you’ll need the following information:

DataDescription
Access keyThe credential’s access key generated upon creating the S3 credential with the Azion API
Secret keyThe credential’s secret key generated upon creating the S3 credential with the Azion API. This information is confidential and will only be available at the moment of creation
RegionThe assigned server’s region, which is us-east-005
S3 endpointThe default S3 address for all operations, which is s3.us-east-005.azionstorage.net
DNS-style templateThe host name template to access the bucket and objects. Can be bucket+hostname:port/object-key or hostname:port/bucket.

For example, for a file.txt object in the my-bucket bucket, the host names could be:
    • my-bucket.s3.us-east-005.azionstorage.net/file.txt
      s3.us-east-005.azionstorage.net/my-bucket/file.txt

  • These are the default limits:

    ScopeLimit
    Buckets100 per account
    Regionus-east
    S3 credential access keys100,000 per account

    Contributors