Stash Documentation

Cybernethicc Stash

stash.cybernethicc.com

Cybernethicc Stash is a fully managed, S3-compatible object storage service. Store and retrieve any amount of data -- from backups and media assets to application data and static website content.

Stash is compatible with the Amazon S3 API, which means you can use any existing S3 tool or SDK with zero code changes. Simply point your client to the Cybernethicc Stash endpoint and authenticate with your access credentials.

S3-Compatible

Works with AWS CLI, rclone, Cyberduck, boto3, and all S3 SDKs.

Secure by Default

TLS encryption in transit, server-side encryption at rest.

Simple Pricing

Fixed per-GB monthly rate with optional elastic overflow.

Portal Integration

Browse, upload, and manage files directly from the Cybernethicc portal.

Getting Started

Create a Stash instance and get your access credentials.

Create a Stash Instance

Navigate to Services > Cybernethicc Stash in the portal and click "Create Instance". Select a region, choose your storage allocation (in GB), and link a billing account.

Save Your Credentials

After creation, you will receive an Access Key (starting with STASHK-) and a Secret Key. The secret key is shown only once -- save it immediately in a secure location.

Create a Bucket

From the instance detail page, go to the "Buckets" tab and create your first bucket. Bucket names must be 3-63 characters, lowercase alphanumeric, with hyphens and dots allowed.

Configure Your Client

Use the auto-generated config snippets from the portal (rclone, AWS CLI, s3cmd, Cyberduck) or configure any S3-compatible client manually using the endpoint and credentials below.

Additional Credentials

You can create multiple access credentials per instance from the portal. Each credential has its own Access Key and Secret Key. Revoke any credential at any time without affecting others.

Endpoint

The S3 endpoint URL for connecting your tools and applications.

S3 Endpoint URL

https://stash.cybernethicc.com

Parameter	Value
Endpoint URL	https://stash.cybernethicc.com
Region	Your instance region code (e.g. `sg1`)
Access Key	Starts with `STASHK-`
Secret Key	40-character key (shown once at creation)
Protocol	HTTPS (TLS 1.3)
Signature Version	AWS Signature V4
Max Upload Size	100 MB per object

S3 API Compatibility

Stash implements the core S3 API operations required for most use cases. The following operations are fully supported:

ListBuckets

List all buckets in your instance

CreateBucket

Create a new bucket (PUT Bucket)

DeleteBucket

Remove an empty bucket

ListObjectsV2

List objects with prefix filtering

PutObject

Upload an object (up to 100 MB)

GetObject

Download an object

DeleteObject

Delete an object

HeadObject

Get object metadata

HeadBucket

Check if a bucket exists

CopyObject

Copy an object within the instance

CreateFolder

Create a folder (zero-byte prefix)

PutBucketAcl

Bucket-level ACL (public-read)

PutBucketPolicy

Grant s3:GetObject to Principal *

DeleteBucketPolicy

Revert bucket to private

Presigned GET (SigV4)

Query-string signature via X-Amz-Signature

Current Limitations

Single-part PutObject only (up to 100 MB). Multipart uploads not yet supported — use regular PutObject for large files.
Bucket versioning, object locking, and lifecycle rules are not supported.
ACLs operate at the bucket level only — per-object ACLs are ignored (the flag on the bucket applies to all of its objects).
SigV4 chunked payload (STREAMING-AWS4-HMAC-SHA256-PAYLOAD) not supported. Use non-chunked SigV4, or set --payload-signing-enabled false in the AWS CLI.
Virtual-hosted style (bucket.stash.cybernethicc.com) is not available. Use path-style only.

Configuration

Set up your preferred S3 client to work with Cybernethicc Stash. The portal automatically generates ready-to-use config files for each credential.

AWS CLI

Configure the AWS CLI with a named profile for Cybernethicc Stash.

bash

# Configure a named profile
aws configure set aws_access_key_id STASHK-XXXXXXXXXXXXXXXXXXXX --profile cybernethicc-stash
aws configure set aws_secret_access_key YOUR_SECRET_KEY_HERE --profile cybernethicc-stash
aws configure set region sg1 --profile cybernethicc-stash

# Verify connection
aws s3 ls --endpoint-url https://stash.cybernethicc.com --profile cybernethicc-stash

rclone

Add the following block to your rclone configuration file (typically ~/.config/rclone/rclone.conf).

ini

[cybernethicc-stash]
type = s3
provider = Other
env_auth = false
access_key_id = STASHK-XXXXXXXXXXXXXXXXXXXX
secret_access_key = YOUR_SECRET_KEY_HERE
endpoint = https://stash.cybernethicc.com
region = sg1
acl = private

s3cmd

Save this as a .s3cfg file and reference it with s3cmd -c your-file.s3cfg.

ini

[default]
access_key = STASHK-XXXXXXXXXXXXXXXXXXXX
secret_key = YOUR_SECRET_KEY_HERE
host_base = stash.cybernethicc.com
host_bucket = stash.cybernethicc.com
use_https = True
signature_v2 = False

Cyberduck

Open Cyberduck and create a new connection with these settings:

Protocol	Amazon S3
Server	stash.cybernethicc.com
Port	443
Access Key	Your STASHK-... key
Secret Key	Your secret key

Alternatively, download the .duck bookmark file from the portal to auto-configure Cyberduck.

Any S3 SDK

For any S3-compatible SDK (Go, Java, .NET, Ruby, etc.), configure these parameters:

text

Endpoint:          https://stash.cybernethicc.com
Region:            sg1  (your instance region)
Access Key:        STASHK-XXXXXXXXXXXXXXXXXXXX
Secret Key:        YOUR_SECRET_KEY_HERE
Force Path Style:  true
Signature Version: v4

Operations

Common storage operations. All examples below use the cybernethicc-stash AWS CLI profile configured in the previous section. Replace my-bucket with your actual bucket name.

List Buckets

bash

aws s3 ls \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Create a Bucket

bash

aws s3 mb s3://my-bucket \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Upload a File

bash

# Upload a single file
aws s3 cp ./report.pdf s3://my-bucket/documents/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Sync an entire directory
aws s3 sync ./local-folder s3://my-bucket/backup/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Download a File

bash

# Download a single file
aws s3 cp s3://my-bucket/documents/report.pdf ./downloads/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Download an entire folder
aws s3 sync s3://my-bucket/backup/ ./restored/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

List Objects

bash

# List all objects in a bucket
aws s3 ls s3://my-bucket/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# List with recursive (all sub-folders)
aws s3 ls s3://my-bucket/ --recursive \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Delete Objects

bash

# Delete a single object
aws s3 rm s3://my-bucket/documents/old-file.pdf \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Delete all objects in a folder
aws s3 rm s3://my-bucket/temp/ --recursive \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Mount as Filesystem (rclone)

bash

rclone mount cybernethicc-stash:my-bucket /mnt/stash --daemon

Public Buckets & CDN

Stash can serve publicly-readable buckets without any authentication, turning the gateway into a simple CDN for websites, image hosts, or static asset delivery. All objects in a public bucket become accessible via direct URL.

How it works

Mark a bucket as public (via header, policy, or the portal toggle).
Anyone can GET or HEAD an object with a direct URL — no credentials required.
PUT/DELETE/LIST still require your signed credentials.

Method 1 — ACL Header at Bucket Creation

Send x-amz-acl: public-read on the PUT Bucket request. Stash will flag the bucket public on success.

bash

aws s3api create-bucket \
  --bucket my-cdn-bucket \
  --acl public-read \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Method 2 — PutBucketPolicy

Attach a policy granting s3:GetObject to Principal: "*". Deleting the policy reverts the bucket to private.

json

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-cdn-bucket/*"
  }]
}

bash

aws s3api put-bucket-policy \
  --bucket my-cdn-bucket \
  --policy file://policy.json \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# To revert back to private
aws s3api delete-bucket-policy \
  --bucket my-cdn-bucket \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Method 3 — Portal UI (Admin)

The portal offers a PATCH endpoint for toggling visibility without touching any S3 client:

bash

curl -X PATCH \
  -H "Authorization: Bearer <PORTAL_JWT>" \
  -H "Content-Type: application/json" \
  -d '{"is_public": true}' \
  https://portal.cybernethicc.com/api/v1/storage/instances/<INSTANCE_ID>/buckets/<BUCKET_ID>/visibility

Serving Public Objects

Once public, objects are served via direct URL. Use this form in an <img> tag, Next.js next/image, a CSS background-image, or any HTTP client:

text

https://stash.cybernethicc.com/{bucket}/{object-key}

# Example
https://stash.cybernethicc.com/my-cdn-bucket/logo.svg
https://stash.cybernethicc.com/my-cdn-bucket/assets/hero.jpg

Important

Once a bucket is public, every object inside it is publicly readable. Do not mix sensitive files with public assets in the same bucket.
Public reads count toward bandwidth usage but not per-request billing.
For access-controlled sharing use presigned URLs instead.

Presigned URLs

Presigned URLs let you grant temporary, authenticated access to a single object without sharing credentials. The signature is embedded in the query string and expires after a configurable interval (max 7 days).

When to use

Time-limited downloads (e.g. invoice PDFs, report exports)
Private media previews inside a web app (generate server-side, embed in HTML)
Upload slots (presigned PUT) for browser uploads without exposing keys
Any scenario where you don't want to make a bucket fully public

Generating Presigned GET (AWS CLI)

bash

aws s3 presign s3://my-bucket/private/report.pdf \
  --expires-in 3600 \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Output:
# https://stash.cybernethicc.com/my-bucket/private/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...&X-Amz-Expires=3600&X-Amz-Signature=...

rust-s3

rust

use s3::{Bucket, Region, creds::Credentials};

let bucket = Bucket::new(
    "my-bucket",
    Region::Custom {
        region: "sg1".to_string(),
        endpoint: "https://stash.cybernethicc.com".to_string(),
    },
    Credentials::new(
        Some("STASHK-XXXXXXXXXXXXXXXXXXXX"),
        Some("YOUR_SECRET_KEY_HERE"),
        None, None, None,
    )?,
)?.with_path_style();

// 1-hour download URL
let url = bucket.presign_get("private/report.pdf", 3600, None)?;
println!("{url}");

Python (boto3)

python

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    region_name="sg1",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    config=boto3.session.Config(s3={"addressing_style": "path"}),
)

# 1-hour download URL
url = s3.generate_presigned_url(
    "get_object",
    Params={"Bucket": "my-bucket", "Key": "private/report.pdf"},
    ExpiresIn=3600,
)
print(url)

Node.js (AWS SDK v3)

javascript

import { S3Client, GetObjectCommand } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

const s3 = new S3Client({
  region: "sg1",
  endpoint: "https://stash.cybernethicc.com",
  forcePathStyle: true,
  credentials: {
    accessKeyId: "STASHK-XXXXXXXXXXXXXXXXXXXX",
    secretAccessKey: "YOUR_SECRET_KEY_HERE",
  },
});

const url = await getSignedUrl(
  s3,
  new GetObjectCommand({ Bucket: "my-bucket", Key: "private/report.pdf" }),
  { expiresIn: 3600 },
);
console.log(url);

Expiry limits

Minimum: 1 second
Maximum: 604800 seconds (7 days) — SigV4 standard
Recommended: 3600 (1 hour) for user downloads, 300 (5 min) for upload slots

Code Examples

Integrate Stash into your applications with these SDK examples.

Create Client & List Buckets

python

import boto3

# Create an S3 client for Cybernethicc Stash
s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    region_name="sg1",
)

# List buckets
response = s3.list_buckets()
for bucket in response["Buckets"]:
    print(f"  {bucket['Name']}")

Upload & Download Files

python

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    region_name="sg1",
)

# Upload a file
s3.upload_file("./photo.jpg", "my-bucket", "images/photo.jpg")

# Download a file
s3.download_file("my-bucket", "images/photo.jpg", "./downloaded.jpg")

# Generate a presigned URL (valid for 1 hour)
url = s3.generate_presigned_url(
    "get_object",
    Params={"Bucket": "my-bucket", "Key": "images/photo.jpg"},
    ExpiresIn=3600,
)
print(f"Presigned URL: {url}")

List & Delete Objects

python

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    region_name="sg1",
)

# List objects with prefix
response = s3.list_objects_v2(Bucket="my-bucket", Prefix="images/")
for obj in response.get("Contents", []):
    print(f"  {obj['Key']} ({obj['Size']} bytes)")

# Delete an object
s3.delete_object(Bucket="my-bucket", Key="images/old-photo.jpg")

Troubleshooting

Common issues and how to resolve them.

401 AccessDenied: Missing Authorization header

The request arrived without a SigV4 signature and the bucket isn't public. Make sure your S3 client has valid credentials loaded, or attach a bucket policy / set the bucket public if it's serving public assets.

403 SignatureDoesNotMatch

The computed signature didn't match what the client sent. Most common causes:

Chunked payload encoding — set payload_signing_enabled = false or pass --payload-signing-enabled false to the AWS CLI.
Wrong region — use sg1, not us-east-1.
Virtual-hosted addressing — force path-style (force_path_style=true or rust-s3 .with_path_style()).
Clock skew — verify your local clock is within ±15 minutes of UTC.

403 Request has expired

Only applies to presigned URLs — the X-Amz-Expires window has passed. Regenerate the URL with a fresh timestamp.

404 NoSuchKey / NoSuchBucket

The object or bucket wasn't found in your instance. Double-check the bucket name is correct and that the object was actually uploaded (you may be hitting a different instance if you're using multiple credentials).

PUT succeeds but GET returns 500 / empty

This was a bug in Stash v1.0 caused by missing "," handling in Authorization header parsing. Fixed in v1.1. If you still see this, upgrade your SDK or report via support.

Next.js next/image not loading public objects

Add the Stash hostname to next.config.js so the image optimizer trusts it:

javascript

module.exports = {
  images: {
    remotePatterns: [{
      protocol: "https",
      hostname: "stash.cybernethicc.com",
      pathname: "/**",
    }],
  },
};

Multipart upload error

Stash currently only supports single-part PutObject up to 100 MB. Disable multipart threshold in your client, or upload large files via a different mechanism. Multipart support is on the roadmap.

bash

# AWS CLI — bump the threshold so multipart is effectively never used
aws configure set default.s3.multipart_threshold 4GB --profile cybernethicc-stash
aws configure set default.s3.multipart_chunksize 4GB --profile cybernethicc-stash

Pricing

Simple, predictable storage pricing in IDR.

Tier	Rate	Description
Fixed	Rp 1.600/GB/month	Pre-allocated storage. Billed monthly regardless of actual usage.
Elastic	Rp 2.200/GB/month	Overflow storage when you exceed your fixed allocation. Billed per GB used.

How billing works

Each instance has a monthly billing cycle starting from the creation date.
Fixed cost is calculated as fixed_gb x Rp 1.600. This is charged regardless of actual usage.
Elastic overage is calculated as ceil(used_gb - fixed_gb) x Rp 2.200, only when usage exceeds your fixed allocation.
Charges are deducted from your billing account balance automatically. If the balance is insufficient, the system retries for 3 days before suspending the instance.

Pricing Example

An instance with 50 GB fixed storage and elastic enabled, using 63 GB total:

Fixed: 50 GB x Rp 1.600 = Rp 80.000

Elastic: 13 GB x Rp 2.200 = Rp 28.600

Total: Rp 108.600/month

Back to Documentation

Cybernethicc Stash - S3-Compatible Object Storage

cybernethicc-terminal

Booting neural core...

Cybernethicc Stash

stash.cybernethicc.com

Cybernethicc Stash is a fully managed, S3-compatible object storage service. Store and retrieve any amount of data -- from backups and media assets to application data and static website content.

S3-Compatible

Works with AWS CLI, rclone, Cyberduck, boto3, and all S3 SDKs.

Secure by Default

TLS encryption in transit, server-side encryption at rest.

Simple Pricing

Fixed per-GB monthly rate with optional elastic overflow.

Portal Integration

Browse, upload, and manage files directly from the Cybernethicc portal.

Getting Started

Create a Stash instance and get your access credentials.

Create a Stash Instance

Navigate to Services > Cybernethicc Stash in the portal and click "Create Instance". Select a region, choose your storage allocation (in GB), and link a billing account.

Save Your Credentials

After creation, you will receive an Access Key (starting with STASHK-) and a Secret Key. The secret key is shown only once -- save it immediately in a secure location.

Create a Bucket

From the instance detail page, go to the "Buckets" tab and create your first bucket. Bucket names must be 3-63 characters, lowercase alphanumeric, with hyphens and dots allowed.

Configure Your Client

Use the auto-generated config snippets from the portal (rclone, AWS CLI, s3cmd, Cyberduck) or configure any S3-compatible client manually using the endpoint and credentials below.

Additional Credentials

You can create multiple access credentials per instance from the portal. Each credential has its own Access Key and Secret Key. Revoke any credential at any time without affecting others.

Endpoint

The S3 endpoint URL for connecting your tools and applications.

S3 Endpoint URL

https://stash.cybernethicc.com

Parameter	Value
Endpoint URL	https://stash.cybernethicc.com
Region	Your instance region code (e.g. `sg1`)
Access Key	Starts with `STASHK-`
Secret Key	40-character key (shown once at creation)
Protocol	HTTPS (TLS 1.3)
Signature Version	AWS Signature V4
Max Upload Size	100 MB per object

S3 API Compatibility

Stash implements the core S3 API operations required for most use cases. The following operations are fully supported:

ListBuckets

List all buckets in your instance

CreateBucket

Create a new bucket (PUT Bucket)

DeleteBucket

Remove an empty bucket

ListObjectsV2

List objects with prefix filtering

PutObject

Upload an object (up to 100 MB)

GetObject

Download an object

DeleteObject

Delete an object

HeadObject

Get object metadata

HeadBucket

Check if a bucket exists

CopyObject

Copy an object within the instance

CreateFolder

Create a folder (zero-byte prefix)

PutBucketAcl

Bucket-level ACL (public-read)

PutBucketPolicy

Grant s3:GetObject to Principal *

DeleteBucketPolicy

Revert bucket to private

Presigned GET (SigV4)

Query-string signature via X-Amz-Signature

Current Limitations

Single-part PutObject only (up to 100 MB). Multipart uploads not yet supported — use regular PutObject for large files.
Bucket versioning, object locking, and lifecycle rules are not supported.
ACLs operate at the bucket level only — per-object ACLs are ignored (the flag on the bucket applies to all of its objects).
SigV4 chunked payload (STREAMING-AWS4-HMAC-SHA256-PAYLOAD) not supported. Use non-chunked SigV4, or set --payload-signing-enabled false in the AWS CLI.
Virtual-hosted style (bucket.stash.cybernethicc.com) is not available. Use path-style only.

Configuration

Set up your preferred S3 client to work with Cybernethicc Stash. The portal automatically generates ready-to-use config files for each credential.

AWS CLI

Configure the AWS CLI with a named profile for Cybernethicc Stash.

bash

# Configure a named profile
aws configure set aws_access_key_id STASHK-XXXXXXXXXXXXXXXXXXXX --profile cybernethicc-stash
aws configure set aws_secret_access_key YOUR_SECRET_KEY_HERE --profile cybernethicc-stash
aws configure set region sg1 --profile cybernethicc-stash

# Verify connection
aws s3 ls --endpoint-url https://stash.cybernethicc.com --profile cybernethicc-stash

rclone

Add the following block to your rclone configuration file (typically ~/.config/rclone/rclone.conf).

ini

[cybernethicc-stash]
type = s3
provider = Other
env_auth = false
access_key_id = STASHK-XXXXXXXXXXXXXXXXXXXX
secret_access_key = YOUR_SECRET_KEY_HERE
endpoint = https://stash.cybernethicc.com
region = sg1
acl = private

s3cmd

Save this as a .s3cfg file and reference it with s3cmd -c your-file.s3cfg.

ini

[default]
access_key = STASHK-XXXXXXXXXXXXXXXXXXXX
secret_key = YOUR_SECRET_KEY_HERE
host_base = stash.cybernethicc.com
host_bucket = stash.cybernethicc.com
use_https = True
signature_v2 = False

Cyberduck

Open Cyberduck and create a new connection with these settings:

Protocol	Amazon S3
Server	stash.cybernethicc.com
Port	443
Access Key	Your STASHK-... key
Secret Key	Your secret key

Alternatively, download the .duck bookmark file from the portal to auto-configure Cyberduck.

Any S3 SDK

For any S3-compatible SDK (Go, Java, .NET, Ruby, etc.), configure these parameters:

text

Endpoint:          https://stash.cybernethicc.com
Region:            sg1  (your instance region)
Access Key:        STASHK-XXXXXXXXXXXXXXXXXXXX
Secret Key:        YOUR_SECRET_KEY_HERE
Force Path Style:  true
Signature Version: v4

Operations

Common storage operations. All examples below use the cybernethicc-stash AWS CLI profile configured in the previous section. Replace my-bucket with your actual bucket name.

List Buckets

bash

aws s3 ls \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Create a Bucket

bash

aws s3 mb s3://my-bucket \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Upload a File

bash

# Upload a single file
aws s3 cp ./report.pdf s3://my-bucket/documents/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Sync an entire directory
aws s3 sync ./local-folder s3://my-bucket/backup/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Download a File

bash

# Download a single file
aws s3 cp s3://my-bucket/documents/report.pdf ./downloads/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Download an entire folder
aws s3 sync s3://my-bucket/backup/ ./restored/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

List Objects

bash

# List all objects in a bucket
aws s3 ls s3://my-bucket/ \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# List with recursive (all sub-folders)
aws s3 ls s3://my-bucket/ --recursive \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Delete Objects

bash

# Delete a single object
aws s3 rm s3://my-bucket/documents/old-file.pdf \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Delete all objects in a folder
aws s3 rm s3://my-bucket/temp/ --recursive \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Mount as Filesystem (rclone)

bash

rclone mount cybernethicc-stash:my-bucket /mnt/stash --daemon

Public Buckets & CDN

How it works

Mark a bucket as public (via header, policy, or the portal toggle).
Anyone can GET or HEAD an object with a direct URL — no credentials required.
PUT/DELETE/LIST still require your signed credentials.

Method 1 — ACL Header at Bucket Creation

Send x-amz-acl: public-read on the PUT Bucket request. Stash will flag the bucket public on success.

bash

aws s3api create-bucket \
  --bucket my-cdn-bucket \
  --acl public-read \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Method 2 — PutBucketPolicy

Attach a policy granting s3:GetObject to Principal: "*". Deleting the policy reverts the bucket to private.

json

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-cdn-bucket/*"
  }]
}

bash

aws s3api put-bucket-policy \
  --bucket my-cdn-bucket \
  --policy file://policy.json \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# To revert back to private
aws s3api delete-bucket-policy \
  --bucket my-cdn-bucket \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

Method 3 — Portal UI (Admin)

The portal offers a PATCH endpoint for toggling visibility without touching any S3 client:

bash

curl -X PATCH \
  -H "Authorization: Bearer <PORTAL_JWT>" \
  -H "Content-Type: application/json" \
  -d '{"is_public": true}' \
  https://portal.cybernethicc.com/api/v1/storage/instances/<INSTANCE_ID>/buckets/<BUCKET_ID>/visibility

Serving Public Objects

Once public, objects are served via direct URL. Use this form in an <img> tag, Next.js next/image, a CSS background-image, or any HTTP client:

text

https://stash.cybernethicc.com/{bucket}/{object-key}

# Example
https://stash.cybernethicc.com/my-cdn-bucket/logo.svg
https://stash.cybernethicc.com/my-cdn-bucket/assets/hero.jpg

Important

Once a bucket is public, every object inside it is publicly readable. Do not mix sensitive files with public assets in the same bucket.
Public reads count toward bandwidth usage but not per-request billing.
For access-controlled sharing use presigned URLs instead.

Presigned URLs

When to use

Time-limited downloads (e.g. invoice PDFs, report exports)
Private media previews inside a web app (generate server-side, embed in HTML)
Upload slots (presigned PUT) for browser uploads without exposing keys
Any scenario where you don't want to make a bucket fully public

Generating Presigned GET (AWS CLI)

bash

aws s3 presign s3://my-bucket/private/report.pdf \
  --expires-in 3600 \
  --endpoint-url https://stash.cybernethicc.com \
  --profile cybernethicc-stash

# Output:
# https://stash.cybernethicc.com/my-bucket/private/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...&X-Amz-Expires=3600&X-Amz-Signature=...

rust-s3

rust

use s3::{Bucket, Region, creds::Credentials};

let bucket = Bucket::new(
    "my-bucket",
    Region::Custom {
        region: "sg1".to_string(),
        endpoint: "https://stash.cybernethicc.com".to_string(),
    },
    Credentials::new(
        Some("STASHK-XXXXXXXXXXXXXXXXXXXX"),
        Some("YOUR_SECRET_KEY_HERE"),
        None, None, None,
    )?,
)?.with_path_style();

// 1-hour download URL
let url = bucket.presign_get("private/report.pdf", 3600, None)?;
println!("{url}");

Python (boto3)

python

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    region_name="sg1",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    config=boto3.session.Config(s3={"addressing_style": "path"}),
)

# 1-hour download URL
url = s3.generate_presigned_url(
    "get_object",
    Params={"Bucket": "my-bucket", "Key": "private/report.pdf"},
    ExpiresIn=3600,
)
print(url)

Node.js (AWS SDK v3)

javascript

import { S3Client, GetObjectCommand } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

const s3 = new S3Client({
  region: "sg1",
  endpoint: "https://stash.cybernethicc.com",
  forcePathStyle: true,
  credentials: {
    accessKeyId: "STASHK-XXXXXXXXXXXXXXXXXXXX",
    secretAccessKey: "YOUR_SECRET_KEY_HERE",
  },
});

const url = await getSignedUrl(
  s3,
  new GetObjectCommand({ Bucket: "my-bucket", Key: "private/report.pdf" }),
  { expiresIn: 3600 },
);
console.log(url);

Expiry limits

Minimum: 1 second
Maximum: 604800 seconds (7 days) — SigV4 standard
Recommended: 3600 (1 hour) for user downloads, 300 (5 min) for upload slots

Code Examples

Integrate Stash into your applications with these SDK examples.

Create Client & List Buckets

python

import boto3

# Create an S3 client for Cybernethicc Stash
s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    region_name="sg1",
)

# List buckets
response = s3.list_buckets()
for bucket in response["Buckets"]:
    print(f"  {bucket['Name']}")

Upload & Download Files

python

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    region_name="sg1",
)

# Upload a file
s3.upload_file("./photo.jpg", "my-bucket", "images/photo.jpg")

# Download a file
s3.download_file("my-bucket", "images/photo.jpg", "./downloaded.jpg")

# Generate a presigned URL (valid for 1 hour)
url = s3.generate_presigned_url(
    "get_object",
    Params={"Bucket": "my-bucket", "Key": "images/photo.jpg"},
    ExpiresIn=3600,
)
print(f"Presigned URL: {url}")

List & Delete Objects

python

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="https://stash.cybernethicc.com",
    aws_access_key_id="STASHK-XXXXXXXXXXXXXXXXXXXX",
    aws_secret_access_key="YOUR_SECRET_KEY_HERE",
    region_name="sg1",
)

# List objects with prefix
response = s3.list_objects_v2(Bucket="my-bucket", Prefix="images/")
for obj in response.get("Contents", []):
    print(f"  {obj['Key']} ({obj['Size']} bytes)")

# Delete an object
s3.delete_object(Bucket="my-bucket", Key="images/old-photo.jpg")

Troubleshooting

Common issues and how to resolve them.

401 AccessDenied: Missing Authorization header

403 SignatureDoesNotMatch

The computed signature didn't match what the client sent. Most common causes:

Chunked payload encoding — set payload_signing_enabled = false or pass --payload-signing-enabled false to the AWS CLI.
Wrong region — use sg1, not us-east-1.
Virtual-hosted addressing — force path-style (force_path_style=true or rust-s3 .with_path_style()).
Clock skew — verify your local clock is within ±15 minutes of UTC.

403 Request has expired

Only applies to presigned URLs — the X-Amz-Expires window has passed. Regenerate the URL with a fresh timestamp.

404 NoSuchKey / NoSuchBucket

PUT succeeds but GET returns 500 / empty

This was a bug in Stash v1.0 caused by missing "," handling in Authorization header parsing. Fixed in v1.1. If you still see this, upgrade your SDK or report via support.

Next.js next/image not loading public objects

Add the Stash hostname to next.config.js so the image optimizer trusts it:

javascript

module.exports = {
  images: {
    remotePatterns: [{
      protocol: "https",
      hostname: "stash.cybernethicc.com",
      pathname: "/**",
    }],
  },
};

Multipart upload error

Stash currently only supports single-part PutObject up to 100 MB. Disable multipart threshold in your client, or upload large files via a different mechanism. Multipart support is on the roadmap.

bash

# AWS CLI — bump the threshold so multipart is effectively never used
aws configure set default.s3.multipart_threshold 4GB --profile cybernethicc-stash
aws configure set default.s3.multipart_chunksize 4GB --profile cybernethicc-stash

Pricing

Simple, predictable storage pricing in IDR.

Tier	Rate	Description
Fixed	Rp 1.600/GB/month	Pre-allocated storage. Billed monthly regardless of actual usage.
Elastic	Rp 2.200/GB/month	Overflow storage when you exceed your fixed allocation. Billed per GB used.

How billing works

Each instance has a monthly billing cycle starting from the creation date.
Fixed cost is calculated as fixed_gb x Rp 1.600. This is charged regardless of actual usage.
Elastic overage is calculated as ceil(used_gb - fixed_gb) x Rp 2.200, only when usage exceeds your fixed allocation.
Charges are deducted from your billing account balance automatically. If the balance is insufficient, the system retries for 3 days before suspending the instance.

Pricing Example

An instance with 50 GB fixed storage and elastic enabled, using 63 GB total:

Fixed: 50 GB x Rp 1.600 = Rp 80.000

Elastic: 13 GB x Rp 2.200 = Rp 28.600

Total: Rp 108.600/month

Back to Documentation

Cybernethicc Stash - S3-Compatible Object Storage