[Yandex Cloud documentation](../../index.md) > [Yandex Object Storage](../index.md) > [Tools](index.md) > Console clients > S3cmd

# S3cmd


[S3cmd](https://s3tools.org/s3cmd) is a console client (Linux, Mac) for services that support the Amazon S3 HTTP API. Learn how to run commands in the [official s3cmd documentation](https://s3tools.org/usage).

{% note info %}

S3cmd has no support for object [versions](../concepts/versioning.md). To work with object versions, use the [AWS CLI](aws-cli.md).

{% endnote %}

## Getting started {#before-you-begin}

1. [Create a service account](../../iam/operations/sa/create.md).
1. [Assign to the service account the roles](../../iam/operations/sa/assign-role-for-sa.md) required for your project, e.g., [storage.editor](../security/index.md#storage-editor) for a bucket (to work with a particular bucket) or a folder (to work with all buckets in this folder). For more information about roles, see [Access management with Yandex Identity and Access Management](../security/index.md).

          
    To work with objects in an [encrypted](../concepts/encryption.md) bucket, a user or [service account](../../iam/concepts/users/service-accounts.md) must have the following [roles for the encryption key](../../kms/operations/key-access.md) in addition to the `storage.configurer` [role](../security/index.md#storage-configurer):
    
    * `kms.keys.encrypter`: To read the key, [encrypt](../../kms/security/index.md#kms-keys-encrypter) and upload objects.
    * `kms.keys.decrypter`: To read the key, [decrypt](../../kms/security/index.md#kms-keys-decrypter) and download objects.
    * `kms.keys.encrypterDecrypter`: This role includes the `kms.keys.encrypter` and `kms.keys.decrypter` [permissions](../../kms/security/index.md#kms-keys-encrypterDecrypter).
    
    For more information, see [Key Management Service service roles](../../kms/security/index.md#service-roles).


1. [Create a static access key](../../iam/operations/authentication/manage-access-keys.md#create-access-key).

    
    As a result, you will get the static access key data. To authenticate in Object Storage, you will need the following:
    
    * `key_id`: Static access key ID
    * `secret`: Secret key
    
    Save `key_id` and `secret`: you will not be able to get the key value again.



To access the HTTP API directly, you need static key authentication, which is supported by the tools listed in [Supported tools](index.md).
  
{% note info %}

You can [disable using static keys for bucket access](../operations/buckets/disable-statickey-auth.md). Once disabled, access will be denied to all tools using this access option: the AWS CLI, SDK, and third-party applications. Access via [ephemeral keys](../security/ephemeral-keys.md), [temporary Security Token Service access keys](../security/sts.md), and [pre-signed URLs](../security/overview.md#pre-signed) will also be disabled. Only access with an [IAM token](../../iam/concepts/authorization/iam-token.md) or [anonymous access](../security/public-access.md) (if enabled) will remain.

{% endnote %}


You can use Yandex Lockbox to safely store the static key for access to Object Storage. For more information, see [Using a Yandex Lockbox secret to store a static access key](../tutorials/static-key-in-lockbox/index.md).

{% note info %}

A service account is only allowed to view a list of buckets in the folder it was created in.

A service account can perform actions with objects in buckets that are created in folders different from the service account folder. To enable this, [assign](../../iam/operations/sa/assign-role-for-sa.md) the service account [roles](../security/index.md#service-roles) for the appropriate folder or its bucket.

{% endnote %}

## Installation {#installation}

To install S3cmd, check out the [installation section](https://github.com/s3tools/s3cmd/blob/master/INSTALL.md) in the S3cmd repository on GitHub.

## Configuration {#setup}

To configure S3cmd, use the `s3cmd --configure` command. Specify values for the following parameters in the request:

* `Access Key`: Key ID you [got previously](#before-you-begin).
* `Secret Key`: Static key contents [you got previously](#before-you-begin).
* `Default Region`: `ru-central1`.

   To work with Object Storage, always specify the `ru-central1`. A different region value may lead to an authorization error.

* `S3 Endpoint`: `storage.yandexcloud.net`.
* `DNS-style bucket+hostname:port template for accessing a bucket`: `%(bucket)s.storage.yandexcloud.net`.
* Leave the other settings unchanged.

The program will try to establish a connection with Object Storage and get a list of buckets. If successful, it will display `Success. Your access key and secret key worked fine :-)`.

The `s3cmd --configure` command will save the settings in the `~/.s3cfg` file in the following format:

```text
[default]
access_key = id
secret_key = secretKey
bucket_location = ru-central1
host_base = storage.yandexcloud.net
host_bucket = %(bucket)s.storage.yandexcloud.net
```

You can change these settings directly in the file, if required. You can also specify settings when launching the program by using the appropriate parameters.

For static site hosting commands to work correctly, manually add the following parameter to the configuration file:

```text
website_endpoint = http://%(bucket)s.website.yandexcloud.net
```

## Features {#specifics}

- S3cmd treats Object Storage as a hierarchical file system and object keys look like file paths.
- S3cmd has no support for object [versions](../concepts/versioning.md). To work with object versions, use the [AWS CLI](aws-cli.md).
- By default, S3cmd uploads objects to a standard storage. To specify the [storage class](../concepts/storage-class.md) when uploading an object, use the `--storage-class` parameter.
- By default, when uploading an object, S3cmd can send the additional `X-Amz-Meta-S3cmd-Attrs` header with the attributes of your file (access permissions, file owners, timestamps). The header value is saved in the [metadata](../concepts/object.md#metadata) of the object. You can disable the sending of attributes using the `preserve_attrs = False` parameter in the `~/.s3cfg` configuration file or using the `--no-preserve` flag.

## Examples of operations {#s3cmd-examples}

{% note info %}

To enable debug output in the console, use the `--debug` flag.

{% endnote %}

### Getting a list of buckets {#listing-buckets}

{% note info %}

You can authorize in the [Amazon S3 HTTP API](../s3/index.md) and [tools that support it](index.md) using [static keys](../../iam/concepts/authorization/access-key.md) obtained for the [service account](../../iam/concepts/users/service-accounts.md).

You can only view the list of buckets in the folder in which your service account was created.

{% endnote %}

```bash
s3cmd ls
```

### Create a bucket {#creating-bucket}

```bash
s3cmd mb s3://bucket
```

When creating a bucket, follow the [naming conventions](../concepts/bucket.md#naming).

### Uploading an object to a cold storage {#uploading-object}

```bash
s3cmd --storage-class COLD put local_file s3://bucket/object
```

### Getting a list of objects {#getting-object-list}

```bash
s3cmd ls s3://bucket
```

### Getting an object {#retrieving-object}

```bash
s3cmd get s3://bucket/object local_file
```

### Deleting an object {#deleting-object}

```bash
s3cmd del s3://bucket/object
```

### Uploading an object with MIME-types specified {#mime-types}

To specify [MIME-types](https://en.wikipedia.org/wiki/Media_type) when uploading an object, use the `put` command with the following flags:

```bash
s3cmd put \
  --no-guess-mime-type \
  --no-mime-magic \
  --mime-type="application/javascript" \
  <local_file_path> \
  s3://<bucket_name>/
```

Where `--mime-type` is your object's MIME type.