Skip to main content

storage aggregate object-store config create

Contributors
Suggest changes

Define the configuration for an object store

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The storage aggregate object-store config create command is used by a cluster administrator to tell Data ONTAP how to connect to an object store. Following pre-requisites must be met before creating an object store configuration in Data ONTAP.

  • A valid data bucket or container must be created with the object store provider. This assumes that the user has valid account credentials with the object store provider to access the data bucket.

  • The Data ONTAP node must be able to connect to the object store. This includes

  • Fast, reliable connectivity to the object store.

  • An inter-cluster LIF (Logical Interface) must be configured on the cluster. Data ONTAP will verify connectivity prior to saving this configuration information.

  • If SSL/TLS authentication is required, then valid certificates must be installed.

  • FabricPool license (required for Amazon S3 and Azure object stores).

An object-store configuration once created must not be reassociated with a different object-store or container. See storage aggregate object-store config modify command for more information. If neither the access-key nor the secret-password are provided while setting up a configuration for AWS_S3 object store in Cloud Volumes ONTAP, then the access key (access key ID), the secret password (secret access key), and the session token will be retrieved from EC2 instance metadata for the AWS Identity and Access Management (IAM) role associated with the EC2 instance. If Data ONTAP is unable to create a object store configuration, then the command will fail explaining the reason for failure.

Parameters

-object-store-name <text> - Object Store Configuration Name

This parameter specifies the name that will be used to identify the object store configuration. The name can contain the following characters: "", "-", A-Z, a-z, and 0-9. The first character must be one of the following: "", A-Z, or a-z.

-provider-type <providerType> - Type of the Object Store Provider

This parameter specifies the type of object store provider that will be attached to the aggregate. Valid options are: AWS_S3 (Amazon S3 storage), Azure_Cloud (Microsoft Azure Cloud), SGWS (StorageGrid WebScale), IBM_COS (IBM Cloud Object Storage), AliCloud (Alibaba Cloud Object Storage Service), GoogleCloud (Google Cloud Storage) and ONTAP_S3.

[-auth-type <object_store_auth_type>] - Authentication Used to Access the Object Store

This parameter specifies where the system obtains credentials for authentication to an object store. The available choices depend on the platform (Cloud Volumes ONTAP or not) and provider-type (AWS_S3 or not). The keys value is always applicable, and if selected means that the access-key and secret-password are provided by the system administrator. In Cloud Volumes ONTAP, the EC2-IAM value is also applicable. It means that the IAM role is associated with the EC2 instance, and that the access-key , secret-password and session token are retrieved from EC2 instance metadata for this IAM role. Note that -use-iam-role and -auth-type are mutually exclusive, -auth-type EC2-IAM is an equivalent of -use-iam-role true , and -auth-type key is an equivalent of -use-iam-role false . In Cloud Volumes ONTAP, the GCP-SA value may also be applicable. It means that a session token is retrieved from the GCP instance metadata for the Service Account associated with the GCP instance. Similarly, Azure-MSI means that a session token is retrieved from the Azure instance metadata for the Managed Service Identity (MSI) associated with the Azure instance. For the AWS_S3 provider, the CAP (C2S Authentication Portal) value is also applicable. This should only be used when accessing C2S (Commercial Cloud Services). If the CAP value is specified, then the`-cap-url` must be specified. See cap-url .

[-cap-url <text>] - URL to Request Temporary Credentials for C2S Account

This parameter is available only when -auth-type is CAP . It specifies a full URL of the request to a CAP server for retrieving temporary credentials (access-key, secret-pasword and session token) for accessing the object store server. The CAP URL may look like: https://123.45.67.89:1234/CAP/api/v1/credentials?agency=myagency=mymission=myrole

-server <Remote InetAddress> - Fully Qualified Domain Name of the Object Store Server

This parameter specifies the Fully Qualified Domain Name (FQDN) of the remote object store server. For Amazon S3, server name must be an AWS regional endpoint in the format s3.amazonaws.com or s3-<region>.amazonaws.com, for example, s3-us-west-2.amazonaws.com. The region of the server and the bucket must match. For more information on AWS regions, refer to 'Amazon documentation on AWS regions and endpoints'. For Azure, if the -server is a "blob.core.windows.net" or a "blob.core.usgovcloudapi.net", then a value of -azure-account followed by a period will be added in front of the server.

[-is-ssl-enabled {true|false}] - Is SSL/TLS Enabled

This parameter indicates whether a secured SSL/TLS connection will be used during data access to the object store. The default value is true .

[-port <integer>] - Port Number of the Object Store

This parameter specifies the port number on the remote server that Data ONTAP will use while establishing connection to the object store.

-container-name <text> - Data Bucket/Container Name

This parameter specifies the data bucket or container that will be used for read and write operations.

Note This name cannot be modified once a configuration is created.
{ [-access-key <text>] - Access Key ID for S3 Compatible Provider Types

This parameter specifies the access key (access key ID) required to authorize requests to the AWS S3, SGWS, IBM COS object stores and ONTAP_S3. For an Azure object store see -azure-account .

[-secret-password <text>] - Secret Access Key for S3 Compatible Provider Types

This parameter specifies the password (secret access key) to authenticate requests to the AWS S3, SGWS, IBM COS object stores and ONTAP_S3. If the -access-key is specified but the -secret-password is not, then one will be asked to enter the -secret-password without echoing the input. For an Azure object store see -azure-private-key .

| [-azure-account <text>] - Azure Account

This parameter specifies the account required to authorize requests to the Azure object store. For other object store providers see access-key.

Note The value of this field cannot be modified once a configuration is created.
[-ask-azure-private-key {true|false}] - Ask to Enter the Azure Access Key without Echoing

If this parameter is true then one will be asked to enter -azure-private-key without echoing the input. Default value: true .

[-azure-private-key <text>] - Azure Access Key }

This parameter specifies the access key required to authenticate requests to the Azure object store. See also ask-azure-private-key . For other object store providers see -secret-password .

[-azure-sas-token <text>] - Azure Account Shared Access Signature token (privilege: advanced) }

This parameter specifies the shared access signature token to authenticate requests and provide limited access to storage resources in the Azure object store.

[-ipspace <IPspace>] - IPspace to Use in Order to Reach the Object Store

This optional parameter specifies the IPspace to use to connect to the object store. Default value: Default .

[-is-certificate-validation-enabled {true|false}] - Is SSL/TLS Certificate Validation Enabled

This parameter indicates whether an SSL/TLS certificate of an object store server is validated whenever an SSL/TLS connection to an object store server is established. This parameter is only applicable when is-ssl-enabled is true . The default value is true . It is recommended to use the default value to make sure that Data ONTAP connects to a trusted object store server, otherwise identities of an object store server are not verified.

[-use-http-proxy {true|false}] - Use HTTP Proxy

This optional parameter indicates whether an HTTP proxy will be used for connecting to an object store. Note that an HTTP proxy is configured using the vserver http-proxy commands at the diagnostic privilege level. Default value: false .

[-cluster <Cluster name>] - The Name of the Cluster to which the Configuration Belongs

This optional parameter should only be specified in MetroCluster switched-over mode and specifies the name of the cluster for which the configuration must be created. By default the configuration is created for the local cluster.

[-server-side-encryption {none | SSE-S3}] - Encryption of Data at Rest by the Object Store Server (privilege: advanced)

This parameter specifies if AWS or other S3 compatible object store server must encrypt data at rest. The available choices depend on provider-type. none encryption (no encryption required) is supported by all types of S3 (non-Azure) object store servers. SSE-S3 encryption is supported by and is a default for all types of S3 (non-Azure) object store servers except ONTAP_S3. This is an advanced property. In most cases it is best not to change default value of "sse_s3" for object store servers which support SSE-S3 encryption. The encryption is in addition to any encryption done by ONTAP at a volume or at an aggregate level.

[-url-style {path-style | virtual-hosted-style}] - URL Style Used to Access S3 Bucket

This parameter specifies the URL style used to access S3 bucket. This option is only available for non-Azure object store providers. The available choices and default value depend on provider-type.

Examples

The following example creates an object store configuration in Data ONTAP:

cluster1::>storage aggregate object-store config create -object-store-name
           my_aws_store -provider-type AWS_S3 -server s3.amazonaws.com
     -container-name my-aws-bucket -access-key DXJRXHPXHYXA9X31X3JX