Cellar, a S3-like object storage service


Cellar is an S3-compatible online file storage web service. Use it with your favorite S3 client, or download the s3cmd configuration file from the add-on dashboard in the Clever Cloud console.

Creating a bucket

Cellar stores files in buckets. When you create a Cellar add-on, no bucket exists yet.

From Clever Cloud Console

Go to Cellar options

Click on your Cellar add-on in your deployed services list to see its menu.

Name your bucket

From the Addon Dashboard, enter the name of your bucket.

Bucket names are global for every region. You can’t give the same name to two different buckets in the same region, because the URL already exists in the Cellar cluster on this region. Bucket names can’t use underscores (_).

Create bucket

Click on Create bucket. Your new bucket should appear in the list below.

With s3cmd

Install s3cmd

Install s3cmd on your machine following these recommendations.

Download the configuration file

Go to your add-on menu in the Clever Cloud console. Under the Addon Dashboard, click the "Download a pre-filled s3cfg file" link. This gives you a configuration file that you need to add to your home directory on your machine.

Create a bucket

To create a bucket, you can use this s3cmd command:

s3cmd mb s3://bucket-name

The bucket is now available at https://<bucket-name>.cellar-c2.services.clever-cloud.com/.

ws-* and cf* commands aren’t available with a Cellar add-on.


You can use the official AWS cli with Cellar. Configure the aws_access_key_id, aws_secret_access_key and endpoint.

aws configure set aws_access_key_id $CELLAR_ADDON_KEY_ID
aws configure set aws_secret_access_key $CELLAR_ADDON_KEY_SECRET

Global endpoint configuration isn’t available, so include the parameter each time you use the aws cli. Here’s an example to create a bucket:

aws s3api create-bucket --bucket myBucket --acl public-read --endpoint-url https://cellar-c2.services.clever-cloud.com

To simplify this, you may want to configure an alias like so:

alias aws="aws --endpoint-url https://cellar-c2.services.clever-cloud.com"

Managing your buckets

There are several ways to manage your buckets. This section lists the options.

Using S3 clients

Some clients allow you to upload files, list them, delete them, etc., like:

This list isn’t exhaustive. Feel free to suggest other clients that you would like to see in this documentation.

Using s3cmd command line tools

s3cmd allows you to manage your buckets using its commands, after configuring it on your machine.

Custom domain

If you want to use a custom domain, for example cdn.example.com, you need to create a bucket named exactly like your domain:

s3cmd --host-bucket=cellar-c2.services.clever-cloud.com mb s3://cdn.example.com

Then, create a CNAME record on your domain pointing to cellar-c2.services.clever-cloud.com..


To use Cellar from your applications, you can use the AWS SDK. You only need to specify a custom endpoint (e.g. cellar-c2.services.clever-cloud.com).


Cellar allows you to create policies to control the actions on your buckets. Find below two policy examples, and further documentation here.

Public bucket policy

You can upload all your objects with a public ACL, but you can also make your whole bucket publicly available in read mode. No one can access the write permission without authentication.

This makes all of your bucket’s objects publicly readable. Be careful that there aren’t objects you don’t want publicly exposed.

To set your bucket as public, you have to apply the following policy which you can save in a file named policy.json:

{
  "Id": "Policy1587216857769",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1587216727444",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Principal": "*"
    }
  ]
}

Replace <bucket-name> with your bucket name in the policy file. Don’t change the Version field to the current date; keep it as is.

Now, you can set the policy to your bucket using s3cmd:

s3cmd setpolicy ./policy.json s3://<bucket-name>

💡 If you encounter errors, you might need to specify the configuration file path:

s3cmd setpolicy ./policy.json -c path/to/s3cfg.txt s3://<bucket-name>

All of your objects should now be publicly accessible.

If needed, you can delete this policy by using:

s3cmd delpolicy s3://<bucket-name>

The original ACL should apply to all of your objects after that.

User access

Cellar doesn’t natively support creating different user accesses for the same add-on. Granting access to your Cellar add-on grants full access to all of your buckets. To grant limited access to a bucket, do the following:

  1. Create your main Cellar add-on (we’ll call it Cellar-1)
  2. Download the Cellar-1 s3cfg file
  3. Create a second Cellar add-on (we’ll call it Cellar-2)
  4. Get the ADDON ID from Cellar-2 dashboard (it should look like cellar_xxx)
  5. Create a policy for Cellar-1 and inject the ADDON ID from Cellar-2 as the user.

Now, you can pass Cellar-2 credentials to a third party to grant read-only access to Cellar-1 buckets.

Read-only policy example

This policy example grants read-only access to a bucket for another user, using the preceding procedure.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Principal": {"AWS": "arn:aws:iam::cellar_xxx"}
        }
    ]
}


Replace the <bucket-name> with your bucket name in the policy file.

Set the policy to your bucket using s3cmd:

s3cmd --config=<path/to/s3cfg-file> setpolicy ./policy.json s3://<bucket-name>

💡Download the configuration file from Clever Cloud:

s3cmd setpolicy ./policy.json -c path/to/s3cfg.txt s3://<bucket-name>
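
The read-only grant from the procedure above can be generated and checked before it is passed to s3cmd setpolicy. This is an added example, not part of the Cellar documentation; the function names, the sample bucket name and the choice of s3:GetObject as the only action treated as read-only are assumptions.

```python
import json

# Assumption for this example: s3:GetObject is the only action treated as read-only.
READ_ACTIONS = {"s3:GetObject"}

def read_only_policy(bucket, addon_id):
    """Policy for Cellar-1 granting the Cellar-2 add-on ID read access to objects."""
    return {
        "Version": "2012-10-17",  # policy language version, not a date to update
        "Statement": [{
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Principal": {"AWS": f"arn:aws:iam::{addon_id}"},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit(policy):
    """Return (statement index, finding) pairs for Allow statements worth reviewing."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        public = _is_public(stmt.get("Principal"))
        extra = [a for a in _as_list(stmt.get("Action", [])) if a not in READ_ACTIONS]
        if public and extra:
            findings.append((i, "public principal with non-read actions"))
        elif public:
            findings.append((i, "objects readable by anyone"))
        elif extra:
            findings.append((i, "grantee has non-read actions"))
    return findings

if __name__ == "__main__":
    policy = read_only_policy("my-bucket", "cellar_xxx")  # constructed values
    print(json.dumps(policy, indent=4))  # save this output as policy.json
    print(audit(policy))
```

An empty result from audit means the policy grants nothing beyond object reads to a named add-on ID.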

CORS Configuration

You can set a CORS configuration on your buckets if you need to share resources on websites that don’t have the same origin as the one you are using.

Each CORS configuration can contain multiple rules, defined in an XML document:


Here this configuration has two CORS rules:

  • The first rule allows cross-origin requests from the console.clever-cloud.com origin. Allowed cross-origin request methods are PUT, POST and DELETE. Using AllowedHeaders * allows all headers specified in the preflight OPTIONS request in the Access-Control-Request-Headers header. At the end, the ExposeHeader allows the client to access the ETag header in the response it received.
  • The second one allows cross-origin GET requests for all origins. The MaxAgeSeconds directive tells the browser how much time (in seconds) it should cache the response of a preflight OPTIONS request for this particular resource.
Updating the CORS configuration replaces the old one
If you update your CORS configuration, the new configuration replaces the old one. Be sure to save it before you update it if you ever need to rollback.
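
The two rules described above, written out as a cors.xml and evaluated the way S3 documents it: the first rule matching both origin and method applies. This is an added example, not the documentation's original XML; the https scheme, the MaxAgeSeconds value, the function names and the assumption that Cellar follows S3's first-match evaluation are not from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the two rules described in the text; the https scheme
# and the MaxAgeSeconds value are assumptions.
CORS_XML = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://console.clever-cloud.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <ExposeHeader>ETag</ExposeHeader>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <MaxAgeSeconds>3600</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>"""

def parse_rules(xml_text):
    """Return each CORSRule as a dict mapping element name to its list of values."""
    rules = []
    for rule in ET.fromstring(xml_text):
        fields = {}
        for el in rule:
            fields.setdefault(el.tag.split("}")[-1], []).append((el.text or "").strip())
        rules.append(fields)
    return rules

def origin_matches(pattern, origin):
    """Literal origin, or a pattern containing a single * wildcard."""
    if "*" not in pattern:
        return pattern == origin
    prefix, suffix = pattern.split("*", 1)
    return len(origin) >= len(prefix + suffix) and origin.startswith(prefix) and origin.endswith(suffix)

def first_match(rules, origin, method):
    """Index of the first rule allowing this origin and method, or None."""
    for i, rule in enumerate(rules):
        origins = rule.get("AllowedOrigin", [])
        if method in rule.get("AllowedMethod", []) and any(origin_matches(p, origin) for p in origins):
            return i
    return None

def risky_rules(rules):
    """Indexes of rules that let any origin use a state-changing method."""
    writes = {"PUT", "POST", "DELETE"}
    return [i for i, r in enumerate(rules)
            if "*" in r.get("AllowedOrigin", []) and writes & set(r.get("AllowedMethod", []))]
```

Running risky_rules over a new cors.xml before s3cmd setcors catches a wildcard origin that was accidentally paired with PUT, POST or DELETE.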

View and save your current CORS configuration

To view and save your current CORS configuration, you can use s3cmd info:

s3cmd -c s3cfg -s info s3://your-bucket

Set the CORS configuration

You can then set this CORS configuration using s3cmd:

s3cmd -c s3cfg -s setcors ./cors.xml s3://your-bucket

If you need to rollback, you can either set the old configuration or completely drop it:

s3cmd -c s3cfg -s delcors s3://your-bucket

Static hosting

You can use a bucket to host your static website; this blog post describes how to. Be aware that SPA applications won’t work, because the Clever Cloud proxy serving the bucket needs to find an HTML file that matches the route.

For example, if your path is /login, you need to have a file login.html, because index.html isn’t the default entrypoint to handle the path.

You may use SSG (Static Site Generation) to dynamically generate your content during your build.


SSL error with s3cmd

If you created a bucket with a custom domain name and use s3cmd to manipulate it, you will experience this error:

[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1125)

The error comes from the host used to make the request, which is built like this: %s.cellar-c2.services.clever-cloud.com.

For example with a bucket named blog.mycompany.com:

Clever Cloud certificate covers *.cellar-c2.services.clever-cloud.com but not blog.mycompany.com.cellar-c2.services.clever-cloud.com, which triggers the error.

Solve it by forcing s3cmd to use path style endpoint with the option --host-bucket=cellar-c2.services.clever-cloud.com.
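
The certificate mismatch can be reproduced offline: a TLS wildcard stands for exactly one left-most label, so a bucket name containing dots produces a host the certificate does not cover. This is an added example, not code from s3cmd or Clever Cloud; the function names and the sample bucket my-bucket are assumptions.

```python
ENDPOINT = "cellar-c2.services.clever-cloud.com"
CERT_WILDCARD = "*." + ENDPOINT  # the name the text says the certificate covers

def wildcard_covers(pattern, hostname):
    """Wildcard match as TLS clients do it: '*' stands for exactly one left-most label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def vhost_name(bucket):
    """Host built from the %s.<endpoint> template (virtual-host style)."""
    return f"{bucket}.{ENDPOINT}"

def object_url(bucket, key):
    """Use virtual-host style only when the certificate covers the resulting host."""
    host = vhost_name(bucket)
    if wildcard_covers(CERT_WILDCARD, host):
        return f"https://{host}/{key}"
    # Path style: the bucket moves into the path, which is what
    # --host-bucket=<endpoint> makes s3cmd do.
    return f"https://{ENDPOINT}/{bucket}/{key}"

if __name__ == "__main__":
    for bucket in ("my-bucket", "blog.mycompany.com"):  # constructed bucket names
        covered = wildcard_covers(CERT_WILDCARD, vhost_name(bucket))
        print(bucket, covered, object_url(bucket, "index.html"))
```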

I can’t delete a bucket/Cellar add-on
The buckets need to be empty before you can delete them. Solve this error by deleting the content of your bucket using a bucket management option.