quickS3.com
Back to blog
Configuring Cloudflare R2 with quickS3

Configuring Cloudflare R2 with quickS3

Cloudflare R2 is S3-compatible object storage with simple pricing. Create an R2 token, connect it to quickS3, and use auto CORS so browser uploads work.

5 min read

Cloudflare R2 is S3-compatible object storage with deliberately simple pricing, and the headline feature is that it doesn’t charge for egress. Because it speaks the S3 API, you connect it to quickS3 the same way you’d connect AWS S3: an access key, secret key, endpoint, and bucket name.

Why Cloudflare R2?

The big draw is no egress fees, which makes the bill predictable in a way S3 often isn’t, especially for anything serving a lot of downloads. On top of that it’s a normal S3 endpoint, so standard S3 tooling and SDKs work, and it pairs well with presigned URLs and browser uploads once CORS is set.

Prerequisites

Before you start, make sure you have:

  • A Cloudflare account with R2 enabled
  • An R2 bucket (or create one in Step 1)
  • Somewhere to store your Secret Access Key, since you can only view it once

Step 1: Create an R2 bucket

  1. Log in to the Cloudflare dashboard
  2. Go to R2 (R2 Object Storage)
  3. Click Create bucket
  4. Pick a bucket name (lowercase, no spaces is safest)

Step 2: Create an R2 S3 API token (Access Key + Secret Key)

Cloudflare R2 uses R2 API tokens as S3 credentials.

  1. In the Cloudflare dashboard, go to R2Manage R2 API tokens

  2. Create a token (either Account API token or User API token)

  3. Under Permissions, pick the smallest permission that works for you:

    • Admin Read & Write: bucket management plus full object access (only use if you truly need it)
    • Admin Read only: list buckets, view bucket configuration, and read/list objects (useful if you need visibility across buckets)
    • Object Read & Write (recommended): read, write, and list objects, and you can scope it to specific buckets
    • Object Read only: read and list objects, and you can scope it to specific buckets

    If you choose an Object permission, you will not be able to list buckets via the API. In that case quickS3 can’t discover buckets for you, so you’ll need to type the bucket names manually in quickS3’s provider connection form.

  4. If you chose Object Read & Write or Object Read only, scope it to your bucket(s)

  5. Leave Client IP Address Filtering empty (unless you have a known static outbound IP you want to restrict to). Setting this incorrectly can stop quickS3 from using the token.

  6. Create the token and copy both values:

    • Access Key ID
    • Secret Access Key (you will not be able to view this again)

Step 3: Find your R2 S3 endpoint (and region)

R2’s S3 endpoint is based on your Cloudflare Account ID:

  • Endpoint: https://<<ACCOUNT_ID>>.r2.cloudflarestorage.com

For most S3 clients, the bucket region is:

  • Region: auto

If a tool won’t accept auto, Cloudflare notes that a blank region (or us-east-1) usually aliases to auto for compatibility.

If you created a jurisdictional bucket, you must use the matching endpoint:

  • EU buckets: https://<<ACCOUNT_ID>>.eu.r2.cloudflarestorage.com
  • FedRAMP buckets: https://<<ACCOUNT_ID>>.fedramp.r2.cloudflarestorage.com

Step 4: Connect Cloudflare R2 to quickS3

  1. In quickS3, go to Storage Providers
  2. Click Add ProviderCloudflare R2
  3. Fill in:
    • Endpoint: https://<<ACCOUNT_ID>>.r2.cloudflarestorage.com (or jurisdiction endpoint)
    • Region: auto (or us-east-1 if needed)
    • Bucket scopes (optional): leave blank to list all buckets the token can access, or enter a comma-separated list of bucket names
    • Access Key ID / Secret Access Key: from Step 2
  4. Leave Allow quickS3 to update bucket CORS settings (recommended) on. When you save or test the connection, quickS3 adds the quicks3.com origin to your R2 bucket’s CORS policy so browser uploads work. You usually don’t need to configure CORS manually.

Once saved, quickS3 should be able to list objects right away, assuming your token is scoped correctly.

Optional: Configure CORS manually

If you turn off CORS auto-update or prefer to manage CORS yourself, you can set it in the Cloudflare dashboard or with Wrangler.

In the Cloudflare dashboard:

  1. In the Cloudflare dashboard, open R2 and select your bucket
  2. Go to Settings
  3. Under CORS Policy, click Add CORS policy
  4. In the JSON tab, paste a policy like this (adjust origins as needed):
[
  {
    "AllowedOrigins": ["https://quicks3.com"],
    "AllowedMethods": ["GET", "PUT", "HEAD", "DELETE"],
    "AllowedHeaders": ["*"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3600
  }
]

Origins must match exactly (no path, no trailing slash). In rare cases, CORS changes can take up to ~30 seconds to propagate.

Or with npx wrangler:

  1. Install / run Wrangler and log in:
npx wrangler login
  1. Create a cors.json file (example below).
{
  "rules": [
    {
      "allowed": {
        "origins": ["https://quicks3.com"],
        "methods": ["GET", "PUT", "HEAD", "DELETE"]
      }
    }
  ]
}
  1. Apply the CORS policy to your bucket:
npx wrangler r2 bucket cors set <<BUCKET_NAME>> --file cors.json
  1. Verify what’s currently set:
npx wrangler r2 bucket cors list <<BUCKET_NAME>>

Troubleshooting

Access denied / signature errors

  • Confirm you’re using the correct endpoint for your bucket’s jurisdiction (default vs EU vs FedRAMP)
  • Confirm the token has Object Read & Write (or at least the permissions you need)
  • If the token is bucket-scoped, make sure your bucket is included

Browser says “CORS policy blocked”

  • Make sure AllowedOrigins includes the exact origin the browser is running on
  • If you’re testing locally, add http://localhost:<port> as an additional allowed origin
  • Make sure AllowedHeaders includes any headers your request is sending (["*"] is easiest to start with)

Ready to try it? Sign up for quickS3 and connect your Cloudflare R2 bucket.

Read next