1. Home
  2. Guides
  3. Full-Site Delivery
  4. Object Storage

Object Storage quick start

Welcome! This guide helps new Object Storage users like you get started with Fastly Object Storage as quickly as possible. Fastly Object Store is an S3-compatible storage solution that can be used as a private origin for your Fastly services.

Before you begin

Make sure to review all prerequisites, limitations, and considerations for using Fastly Object Storage.

Create an access key and secret key

Follow the instructions below to use the Fastly web interface or CLI to create an access key and secret key:

HINT: You can also create an access key and secret key using the Fastly API.

  1. Fastly control panel
  2. Fastly CLI

  1. Log in to the Fastly control panel.

  2. Go to Resources > Object Storage.
  3. Click Create key.
  4. In the Description field, enter a description of the key.
  5. In the Bucket access field, select Full access
  6. In the Scope field, select Read and write.
  7. Click Create.
  8. Note the access key and secret key details. Record the secret key in a secure location because you won't be able to see it again.

Install and configure the AWS CLI

WARNING: The following steps will store your Fastly Object Storage credentials in plaintext in a file on disk. This is not recommended in a production environment. Instead, use one of the methods supported by AWS CLI for providing credentials such as through environment variables or from external tooling such as a password manager.

  1. Install and configure AWS CLI v2 following the instructions in the AWS documentation.

  2. Update .aws/config by adding each Fastly Object Storage region as an individual profile for AWS CLI:

    [profile fastly-us-east]
    region = us-east
    endpoint_url = https://us-east.object.fastlystorage.app
    request_checksum_calculation = when_required
    

    [profile fastly-us-west]
    region = us-west
    endpoint_url = https://us-west.object.fastlystorage.app
    request_checksum_calculation = when_required
    

    [profile fastly-eu-central]
    region = eu-central
    endpoint_url = https://eu-central.object.fastlystorage.app
    request_checksum_calculation = when_required

  3. Update .aws/credentials with the generated keys:

    [fastly-us-east]
    aws_access_key_id = <YOUR FASTLY OBJECT STORAGE ACCESS KEY ID HERE>
    aws_secret_access_key = <YOUR FASTLY OBJECT STORAGE SECRET KEY HERE>
    

    [fastly-us-west]
    aws_access_key_id = <YOUR FASTLY OBJECT STORAGE ACCESS KEY ID HERE>
    aws_secret_access_key = <YOUR FASTLY OBJECT STORAGE SECRET KEY HERE>
    

    [fastly-eu-central]
    aws_access_key_id = <YOUR FASTLY OBJECT STORAGE ACCESS KEY ID HERE>
    aws_secret_access_key = <YOUR FASTLY OBJECT STORAGE SECRET KEY HERE>

Create buckets and upload content

With the AWS CLI configured, you can now create buckets and upload files. Both commands require the use of the --profile flag to choose which Fastly Object Storage region to perform commands against.

The following command creates a bucket named my-bucket in the us-east region:

aws s3 mb s3://my-bucket --profile fastly-us-east

IMPORTANT: Bucket names must be unique.

The following command uploads a file called my-photo.jpg to the bucket:

aws s3 cp my-photo.jpg s3://my-bucket/my-photo.jpg --profile fastly-us-east

Configure your Fastly service

Now that you've created your buckets and uploaded files, you can create and configure a Fastly service to serve content from the bucket:

  1. Follow the steps to create a Fastly CDN service and add a domain.

  2. From the Fastly service configuration, go to Origins > Hosts.

  3. In the Hostname field, enter the name of the Fastly Object Storage regional endpoint (e.g., us-east.object.fastlystorage.app).

  4. Click Add.

  5. Click the pencil Pencil icon to edit the host.

  6. In the Override host field, enter the same Fastly Object Storage regional endpoint (e.g., us-east.object.fastlystorage.app).

  7. Click Update.

  8. Go to VCL snippets and click Create your first VCL snippet.

  9. Enter a name for the VCL snippet.

  10. In the Type field, select within subroutine and use the menu to select within vcl_miss.

  11. In the VCL text box, past the following code, which generates the required AWS V4 signature to authenticate requests to your private Fastly Object Storage origin.

    IMPORTANT: Be sure to replace the placeholder variables var.fosAccessKey, var.fosSecretKey, var.fosBucket, and var.fosRegion with your own values.

    # vcl_miss
    # This snippet signs the backend request to your private Fastly Object Store.
    

    declare local var.fosAccessKey STRING;
    declare local var.fosSecretKey STRING;
    declare local var.fosBucket STRING;
    declare local var.fosRegion STRING;
    declare local var.fosHost STRING;
    declare local var.canonicalHeaders STRING;
    declare local var.signedHeaders STRING;
    declare local var.canonicalRequest STRING;
    declare local var.canonicalQuery STRING;
    declare local var.stringToSign STRING;
    declare local var.dateStamp STRING;
    declare local var.signature STRING;
    declare local var.scope STRING;
    

    # --- UPDATE THESE VALUES ---
    set var.fosAccessKey = "YOUR_FOS_ACCESS_KEY";
    set var.fosSecretKey = "YOUR_FOS_SECRET_KEY";
    set var.fosBucket = "my-fos-bucket"; # The name of your bucket
    set var.fosRegion = "us-east"; # The Fastly Object Storage region to send requests
    

    # --------------------------
    

    set var.fosHost = var.fosRegion ".object.fastlystorage.app";
    

    if (req.method == "GET" && !req.backend.is_shield) {
      set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
      set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
      set bereq.http.host = var.fosHost;
    

      # The request to FOS must include the bucket name in the path.
      set bereq.url = "/" var.fosBucket bereq.url;
      set bereq.url = querystring.remove(bereq.url);
      set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/");
    

      set var.dateStamp = strftime({"%Y%m%d"}, now);
      set var.canonicalHeaders = ""
        "host:" bereq.http.host LF
        "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF
        "x-amz-date:" bereq.http.x-amz-date LF
      ;
      set var.canonicalQuery = "";
      set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";
      set var.canonicalRequest = ""
        "GET" LF
        bereq.url.path LF
        var.canonicalQuery LF
        var.canonicalHeaders LF
        var.signedHeaders LF
        digest.hash_sha256("")
      ;
    

      set var.scope = var.dateStamp "/" var.fosRegion "/s3/aws4_request";
    

      set var.stringToSign = ""
        "AWS4-HMAC-SHA256" LF
        bereq.http.x-amz-date LF
        var.scope LF
        regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")
      ;
    

      set var.signature = digest.awsv4_hmac(
        var.fosSecretKey,
        var.dateStamp,
        var.fosRegion,
        "s3",
        var.stringToSign
      );
    

      set bereq.http.Authorization = "AWS4-HMAC-SHA256 "
        "Credential=" var.fosAccessKey "/" var.scope ", "
        "SignedHeaders=" var.signedHeaders ", "
        "Signature=" + regsub(var.signature,"^0x", "")
      ;
    

      # Unset headers not needed by the origin
      unset bereq.http.Accept;
      unset bereq.http.Accept-Language;
      unset bereq.http.User-Agent;
      unset bereq.http.Fastly-Client-IP;
    }

Activate and Test 🚀

Once you've configured your service with the VCL snippet, Activate your service and test that you can retrieve your object through the Fastly CDN by opening a web browser and navigating to the URL for your object. The path for the object should be https://<your-domain>/<object-name>. For example, https://example.com/my-photo.jpg.

If successful, you'll see your image served from the Fastly edge.

Fastly
© Fastly 2025