Skip to main content

Retrieve API credential for object storage

If your cloud service provider supports configuring bucket access policy for virtual machines, and achieve access to object storage without credentials (like AWS IAM), you can omit those keys during juicefs auth or juicefs mount (provide empty value), see juicefs auth for details.

We recommend granting full read/write and CreateBucket permission to the API keys, but for now, minimum permission requirements are GetObject, PutObject and DeleteObject, when running with minimum permissions, JuiceFS will not be able to create object storage bucket for you, you'll need to create them manually, and some commands (such as juicefs sync) may not work properly.

Amazon Web Service

Refer to "AWS security credentials". Moreover, if you have used an IAM role to grant permissions to applications running on Amazon EC2 instances, you can omit credentials during juicefs mount.

Google Cloud Platform

First, you should create a project in the console of Google Cloud Platform, remember your Project ID:


Download and install Cloud SDK:

curl | bash

Run the following command after installation:

gcloud auth application-default login

Congratulation, you have done the authentication job that would be executed only once.

Finally, you could run juicefs mount to mount your JuiceFS file system, the Project ID will be requested (you could set it as GOOGLE_CLOUD_PROJECT in environment variable).

When you mount a file system with sudo, you also should run gcloud auth with sudo. Otherwise, the JuiceFS may not load the credential.

If JuiceFS is used inside Compute Engine, it's recommended to grant the virtual machines full access to Storage API.

Microsoft Azure

Currently, service is only available at Microsoft Azure Chinese Region, contact us and other regions can be supported.

When the JuiceFS use the Azure Blob Storage as the underlying storage, you should create a storage account. Find Storage Accounts from the navigation of left panel.


Create a new account in Storage accounts, the name will be requested at mounting the JuiceFS file system, the account kind should be "Blob storage".


Enter the Access key from your storage account, there're two keys available.


Alibaba Cloud

Obtain Access Key in the object storage console:


Create a key for JuiceFS mount:


Tencent Cloud

When using Tencent Cloud COS, mounting JuiceFS requires a Tencent APPID in addition, so we recommend fill in the APPID into Bucket when creating the file system, using format {bucket}-{APPID}. If you didn't specify an APPID when creating the file system, JuiceFS will ask for APPID interactively during mount. Moreover, you can specify APPID in juicefs auth, by the --bucket parameter, using the same format {bucket}-{APPID}.

APPID is in the Account Info.


Secret ID and Secret Key are managed in the API Key Management, you need to create a pair if it's empty.



Login the UCloud console, you'll find your API key in UAPI in the Monitoring management of Product and service.



Login the Qingcloud Console, you'll find Access Keys in the dropdown menu of your account at the right corner.



Refer to User Access Key Management.


Refer to How to get Access Key and Secret Key.

Baidu Cloud

Login the Baidu Cloud Console, enter the Security Authentication in the dropdown menu of the account at the right-upper corner of the page.


Huawei Cloud

Refer to How Do I Manage Access Keys?.


Ceph provides two sets of APIs: RADOS and RGW. RADOS is the underlying protocol provided by Ceph, while RGW is a S3 gateway, exposing standard S3 APIs. Connecting via RADOS is recommended as it bypasses RGW and achieves better latency. If you decide to use Ceph via S3, use it like any other S3 object storage services.

If the RADOS client protocol is used, JuiceFS uses librados2, which supports Ceph >= 12.2. You'll need to provide the cluster name (e.g. ceph), and a user name (e.g. client.admin).


Refer to How To Create a DigitalOcean Space and API Key.


Create an application key with read and write permission on Application Keys.

The master application key is required to create a bucket by JuiceFS. It's recommended to create a bucket manually, using a name like juicefs-NAME, then create an application key with read-write access for JuiceFS.


Refer to Creating a Root Access Key and Secret Key.

IBM Cloud Object Storage

It requires API Key and Resource Instance ID to access Cloud Object Storage, refer to Retrieving your instance ID.