|
| 1 | +--- |
| 2 | +title: Bucket locks |
| 3 | +pcx_content_type: how-to |
| 4 | +--- |
| 5 | + |
| 6 | +Bucket locks prevent the deletion and overwriting of objects in an R2 bucket for a specified period — or indefinitely. When enabled, bucket locks enforce retention policies on your objects, helping protect them from accidental or premature deletions. |
| 7 | + |
| 8 | +## Get started with bucket locks |
| 9 | + |
| 10 | +### Prerequisites |
| 11 | + |
| 12 | +Before getting started, you will need: |
| 13 | + |
| 14 | +- An existing R2 bucket. If you do not already have an existing R2 bucket, refer to [Create buckets](/r2/buckets/create-buckets/). |
| 15 | +- An API token with [permissions](/r2/api/s3/tokens/#permissions) to edit R2 bucket configuration. |
| 16 | + |
| 17 | +:::note |
| 18 | + |
| 19 | +Currently, Bucket locks are only configurable via API. |
| 20 | +::: |
| 21 | + |
| 22 | +### Enable bucket lock via API |
| 23 | + |
| 24 | +Below is an example of setting a bucket lock configuration (a collection of rules): |
| 25 | + |
| 26 | +```bash |
| 27 | +curl -X PUT "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/r2/buckets/<BUCKET_NAME>/lock" \ |
| 28 | + -H "Authorization: Bearer <API_TOKEN>" \ |
| 29 | + -H "Content-Type: application/json" \ |
| 30 | + -d '{ |
| 31 | + "rules": [ |
| 32 | + { |
| 33 | + "id": "lock-logs-7d", |
| 34 | + "enabled": true, |
| 35 | + "prefix": "logs/", |
| 36 | + "condition": { |
| 37 | + "type": "Age", |
| 38 | + "maxAgeSeconds": 604800 |
| 39 | + } |
| 40 | + }, |
| 41 | + { |
| 42 | + "id": "lock-images-indefinite", |
| 43 | + "enabled": true, |
| 44 | + "prefix": "images/", |
| 45 | + "condition": { |
| 46 | + "type": "Indefinite" |
| 47 | + } |
| 48 | + } |
| 49 | + ] |
| 50 | + }' |
| 51 | +``` |
| 52 | + |
| 53 | +This request creates two rules: |
| 54 | + |
| 55 | +- `lock-logs-7d`: Objects under the `logs/` prefix are retained for 7 days (604800 seconds). |
| 56 | +- `lock-images-indefinite`: Objects under the `images/` prefix are locked indefinitely. |
| 57 | + |
| 58 | +For more information on required parameters and examples of how to enable bucket lock, refer to the [API documentation](/api/resources/r2/subresources/buckets/subresources/locks/methods/update/). For information about getting started with the Cloudflare API, refer to [Make API calls](/fundamentals/api/how-to/make-api-calls/). |
| 59 | + |
| 60 | +### Get bucket lock rules via API |
| 61 | + |
| 62 | +For more information on required parameters and examples of how to get bucket lock rules, refer to the [API documentation](/api/resources/r2/subresources/buckets/subresources/locks/methods/get/). |
| 63 | + |
| 64 | +## Bucket lock rules |
| 65 | + |
| 66 | +A bucket lock configuration can include up to 1,000 rules. Each rule specifies which object it covers (via prefix) and how long those objects must remain locked. You can: |
| 67 | + |
| 68 | +- Lock objects for a specific duration. For example, 90 days. |
| 69 | +- Retain objects until a certain date. For example, until January 1, 2026. |
| 70 | +- Keep objects locked indefinitely. |
| 71 | + |
| 72 | +If multiple rules apply to the same prefix or object key, the strictest (longest) retention requirement takes precedence. |
| 73 | + |
| 74 | +## Notes |
| 75 | + |
| 76 | +- Rules without prefix apply to all objects in the bucket. |
| 77 | +- Rules apply to both new and existing objects in the bucket. |
| 78 | +- Bucket lock rules take precedence over [lifecycle rules](/r2/buckets/object-lifecycles/). For example, if a lifecycle rule attempts to delete an object at 30 days but a bucket lock rule requires it be retained for 90 days, the object will not be deleted until the 90-day requirement is met. |
0 commit comments