Summary
When you enable Object Lock on a Container, you'll receive a notice informing you that Versioning will also be enabled. This is because Object Lock applies to versions of objects.
This can cause some confusion as you can still do an un-versioned delete on an object—a delete operation where no version of an object is specified—which will create a delete-marker on top of the object. It's important to understand that this will still leave the locked version unchanged.
Delete-Markers
A delete-marker is created when an un-versioned delete is performed on an Object in a bucket that has Versioning enabled. It's used to indicate that the "latest" version of an Object is "deleted" without actually deleting any of the previous versions.
The VPSA Object Store Console will show you the "latest" version of an Object and if the latest version is a delete-marker, it will not appear in the list of Objects in the Console window.
To view all versions of objects, including objects that do not show up in the Console list because their most recent version is a delete-marker, you must navigate to the Versions tab of the Container itself (as opposed to the Versions tab of a specific Object).
Example
For example, if you use the AWS CLI to put an object with a retention date that is some time in the future:
$ aws --endpoint-url https://vsa-00000029-example.zadarazios.com \
    --profile exampleprofile \
    s3api put-object \
    --object-lock-mode COMPLIANCE \
    --object-lock-retain-until-date 2024-08-06T20:00:00 \
    --bucket object-lock-demo \
    --key testobject --body testobject
{
    "ETag": "\"9c83d783146b72aaf9f710d582c05d08\"",
    "VersionId": "1722951842.23112"
}
You'll see the command returns a Version ID, and that same ID can be seen in the Versions tab of the VPSA Object Store Console.
If you try to delete this specific Object Version, you'll receive an error as the retention date has not yet elapsed:
$ aws --endpoint-url https://vsa-00000029-example.zadarazios.com \
    --profile exampleprofile \
    s3api delete-object \
    --version-id 1722951842.23112 \
    --bucket object-lock-demo \
    --key testobject
An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied.
However, if we issue a delete via the VPSA Object Store Console (which only supports un-versioned deletes) or omit the --version-id parameter from the above command, the operation will succeed, because it only creates a delete-marker on top of the object and does not delete or alter the locked object version.
Importantly, the original object with Version ID 1722951842.23112 is still present and cannot be deleted until the retention date has elapsed.
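To confirm this from the command line rather than the Console, the following added example (not part of the original article) reads the JSON printed by `aws s3api list-object-versions` and reports which keys are hidden by a delete-marker and which versions remain beneath them. It assumes the Object Store returns the standard S3 ListObjectVersions fields; the sample listing is constructed, and only the locked Version ID is taken from the example above.

```python
import json

# Constructed sample in the shape printed by
#   aws s3api list-object-versions --bucket object-lock-demo
# The delete-marker VersionId, the second key and all timestamps are made up.
SAMPLE = json.loads("""
{
  "Versions": [
    {"Key": "testobject", "VersionId": "1722951842.23112", "IsLatest": false,
     "LastModified": "2024-08-06T13:44:02+00:00"},
    {"Key": "visible.txt", "VersionId": "1722951000.00001", "IsLatest": true,
     "LastModified": "2024-08-06T13:30:00+00:00"}
  ],
  "DeleteMarkers": [
    {"Key": "testobject", "VersionId": "1722952000.00002", "IsLatest": true,
     "LastModified": "2024-08-06T13:46:40+00:00"}
  ]
}
""")


def hidden_objects(listing):
    """Map each key whose latest version is a delete-marker to the
    version IDs that still exist underneath that marker."""
    hidden = {m["Key"]: [] for m in listing.get("DeleteMarkers", [])
              if m.get("IsLatest")}
    for version in listing.get("Versions", []):
        if version["Key"] in hidden:
            hidden[version["Key"]].append(version["VersionId"])
    return hidden


def console_listing(listing):
    """Keys an un-versioned listing shows: latest version is real data."""
    return sorted(v["Key"] for v in listing.get("Versions", [])
                  if v.get("IsLatest"))


if __name__ == "__main__":
    print("visible:", console_listing(SAMPLE))
    for key, versions in hidden_objects(SAMPLE).items():
        print(f"hidden by delete-marker: {key} -> surviving versions {versions}")
```
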