Skip to content

Storage

The EOCube.Ro platform provides S3-compatible object storage.

Access is authenticated via the ROCS Single Sign-On (SSO) — you do not use a static access key / secret key pair; you sign in with your EOCube.Ro account, just like the rest of the platform.

There are two S3 endpoints:

  • Primary storage — the main, project-wide object storage.
  • User storage — your personal object storage.

Primary S3 endpoint

S3 endpoint https://storage.svc.uvt-01.eocube.ro
Port 443 (HTTPS)
Region ro-west-uvt-01
Addressing path-style (the bucket name is in the path)
Authentication ROCS Single Sign-On → temporary S3 credentials (AssumeRoleWithWebIdentity)

User S3 endpoint

S3 endpoint https://s3.svc.uvt-01.eocube.ro
Port 443 (HTTPS)
Region ro-west-uvt-01
Addressing path-style (the bucket name is in the path)
Authentication ROCS Single Sign-On → temporary S3 credentials (AssumeRoleWithWebIdentity)

How authentication works

The client sends you to the ROCS Single Sign-On in the browser to sign in (EOCube.Ro account). The resulting token is then exchanged for temporary S3 credentials, which are used to sign requests. No permanent key is stored in the client; the session expires and is refreshed automatically via the refresh token.

Cyberduck

Cyberduck is a graphical S3 client (Windows / macOS). Download the connection profile for the storage you need — each one preconfigures its endpoint and the sign-in flow:

Steps

  1. Download a profile and open it (double-click) — Cyberduck creates a bookmark with the matching name (e.g. “EOCube.Ro User Storage (Single Sign-On)”).
  2. Open the bookmark. Cyberduck opens a browser window to the ROCS Single Sign-On; sign in with your EOCube.Ro account.
  3. Once authorized you are connected. No username or password fields need to be filled in — they are obtained automatically from the sign-in flow.

Command-line access

For the aws CLI, rclone, s5cmd or SDKs, use the same endpoint (https://storage.svc.uvt-01.eocube.ro or https://s3.svc.uvt-01.eocube.ro) with path-style addressing. These tools cannot start the interactive sign-in flow themselves, so they need temporary S3 credentials obtained separately (AssumeRoleWithWebIdentity).

Permissions

Access to buckets and objects is governed by your ROCS Single Sign-On roles and groups, like the rest of the platform. If an operation is rejected with an Access Denied error, your account lacks the required role — contact the ROCS project administrators.