snapmirror object-store config create
Define the configuration for a SnapMirror object store
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The snapmirror object-store config create command is used by a cluster administrator to tell Data ONTAP how to connect to an object store. The following prerequisites must be met before creating an object store configuration in Data ONTAP:
- A valid data bucket or container must be created with the object store provider. This assumes that the user has valid account credentials with the object store provider to access the data bucket.
- The Data ONTAP node must be able to connect to the object store. This includes:
  - Fast, reliable connectivity to the object store.
  - An inter-cluster LIF (Logical Interface) must be configured on the cluster.
  - If SSL/TLS authentication is required, then valid certificates must be installed.
An object-store configuration, once created, must not be reassociated with a different object-store or container. See the snapmirror object-store config modify command for more information.
Parameters
-vserver <vserver name>
- Vserver Name-
This parameter specifies the vserver on which the object store configuration needs to be created.
-object-store-name <text>
- Object Store Configuration Name-
This parameter specifies the name that will be used to identify the object store configuration. The name can contain the following characters: "", "-", A-Z, a-z, and 0-9. The first character must be one of the following: "", A-Z, or a-z.
-usage {data|metadata}
- Object Store Use-
This parameter specifies the usage for an object store configuration.
-provider-type <providerType>
- Type of the Object Store Provider-
This parameter specifies the type of object store provider that will be attached to the aggregate. Valid options are: AWS_S3 (Amazon S3 storage), Azure_Cloud (Microsoft Azure Cloud), SGWS (StorageGrid WebScale), IBM_COS (IBM Cloud Object Storage), AliCloud (Alibaba Cloud Object Storage Service), GoogleCloud (Google Cloud Storage) and ONTAP_S3.
-server <Remote InetAddress>
- Fully Qualified Domain Name of the Object Store Server-
This parameter specifies the Fully Qualified Domain Name (FQDN) of the remote object store server. For Amazon S3, server name must be an AWS regional endpoint in the format s3.amazonaws.com or s3-<region>.amazonaws.com, for example, s3-us-west-2.amazonaws.com. The region of the server and the bucket must match. For more information on AWS regions, refer to 'Amazon documentation on AWS regions and endpoints'. For Azure, if the -server is a "blob.core.windows.net" or a "blob.core.usgovcloudapi.net", then a value of -azure-account followed by a period will be added in front of the server.
[-is-ssl-enabled {true|false}]
- Is SSL/TLS Enabled-
This parameter indicates whether a secured SSL/TLS connection will be used during data access to the object store. The default value is true.
[-port <integer>]
- Port Number of the Object Store-
This parameter specifies the port number on the remote server that Data ONTAP will use when establishing a connection to the object store.
-container-name <text>
- Data Bucket/Container Name-
This parameter specifies the data bucket or container that will be used for read and write operations.
This name cannot be modified once a configuration is created.
[-access-key <text>]
- Access Key ID for S3 Compatible Provider Types-
This parameter specifies the access key (access key ID) required to authorize requests to the AWS S3, SGWS, IBM COS object stores and ONTAP_S3. For an Azure object store see -azure-account.
[-ipspace <IPspace>]
- IPspace to Use in Order to Reach the Object Store-
This optional parameter specifies the IPspace to use to connect to the object store. Default value: Default.
[-use-iam-role {true|false}]
- (DEPRECATED)-Use IAM Role for AWS Cloud Volumes ONTAP-
This optional parameter is deprecated. Please use -auth-type instead. Note that -auth-type EC2-IAM is equivalent to -use-iam-role true, and -auth-type key is equivalent to -use-iam-role false.
[-secret-password <text>]
- Secret Access Key for S3 Compatible Provider Types-
This parameter specifies the password (secret access key) to authenticate requests to the AWS S3, SGWS, IBM COS object stores and ONTAP_S3. If the -access-key is specified but the -secret-password is not, then you will be prompted to enter the -secret-password without the input being echoed.
[-is-certificate-validation-enabled {true|false}]
- Is SSL/TLS Certificate Validation Enabled-
This parameter indicates whether an SSL/TLS certificate of an object store server is validated whenever an SSL/TLS connection to an object store server is established. This parameter is only applicable when is-ssl-enabled is true. The default value is true. It is recommended to use the default value to make sure that Data ONTAP connects to a trusted object store server; otherwise, the identity of the object store server is not verified.
[-azure-account <text>]
- Azure Account-
This parameter specifies the account required to authorize requests to the Azure object store. For other object store providers see access-key.
The value of this field cannot be modified once a configuration is created.
[-ask-azure-private-key {true|false}]
- Ask to Enter the Azure Access Key without Echoing-
If this parameter is true, then you will be prompted to enter -azure-private-key without the input being echoed. Default value: true.
[-azure-private-key <text>]
- Azure Access Key-
This parameter specifies the access key required to authenticate requests to the Azure object store. See also ask-azure-private-key. For other object store providers see -secret-password.
[-server-side-encryption {none | SSE-S3}]
- Encryption of Data at Rest by the Object Store Server (privilege: advanced)-
This parameter specifies whether AWS or another S3 compatible object store server must encrypt data at rest. The available choices depend on provider-type. none encryption (no encryption required) is supported by all types of S3 (non-Azure) object store servers. SSE-S3 encryption is supported by and is a default for all types of S3 (non-Azure) object store servers except ONTAP_S3. This is an advanced property. In most cases it is best not to change the default value of "sse_s3" for object store servers which support SSE-S3 encryption. The encryption is in addition to any encryption done by ONTAP at a volume or at an aggregate level.
[-url-style {path-style | virtual-hosted-style}]
- URL Style Used to Access S3 Bucket-
This parameter specifies the URL style used to access S3 bucket. This option is only available for non-Azure object store providers. The available choices and default value depend on provider-type.
[-iamra-session-token <text>]
- IAMRA Session Token for Authentication-
This parameter specifies a temporary token for S3 snapmirror which will expire periodically. This will increase security.
Examples
The following example creates a cluster scoped object store configuration named objectStoreName.
cluster1::*> snapmirror object-store config create -object-store-name objectStoreName -usage data -owner snapmirror -provider-type SGWS -server objectStoreServer.com -container-name containerName -is-ssl-enabled true -is-certificate-validation-enabled false -ipspace Default -access-key userAccessKey -secret-password userSecretPassWord
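The example above sets -is-certificate-validation-enabled false and passes -secret-password on the command line, both of which the parameter descriptions advise against. The following Python check is an added example, not NetApp code; it audits a command string against the defaults and recommendations stated on this page, and the RISKY table, function names and finding texts are this example's own.

```python
import shlex

# Findings keyed by (flag, risky value); wording follows the parameter
# descriptions on this page. None means "flag present with any value".
RISKY = {
    ("-is-ssl-enabled", "false"): "TLS disabled; the default is true",
    ("-is-certificate-validation-enabled", "false"):
        "server certificate not validated; object store identity unverified",
    ("-server-side-encryption", "none"):
        "object store not required to encrypt data at rest",
    ("-use-iam-role", None): "deprecated; use -auth-type instead",
    ("-secret-password", None):
        "secret in command text; omit it to be prompted without echo",
    ("-azure-private-key", None):
        "secret in command text; rely on -ask-azure-private-key instead",
}

def parse_flags(command):
    """Return {flag: value} for the '-flag value' pairs in a command line."""
    tokens = shlex.split(command)
    flags = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-") and len(tok) > 1:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            flags[tok] = "" if nxt.startswith("-") else nxt
    return flags

def audit(command):
    """Return sorted (flag, finding) tuples for risky settings in command."""
    flags = parse_flags(command)
    return sorted(
        (flag, msg) for (flag, bad), msg in RISKY.items()
        if flag in flags and (bad is None or flags[flag].lower() == bad)
    )

# The example command from this page, with the CLI prompt removed.
PAGE_EXAMPLE = (
    "snapmirror object-store config create -object-store-name objectStoreName "
    "-usage data -owner snapmirror -provider-type SGWS "
    "-server objectStoreServer.com -container-name containerName "
    "-is-ssl-enabled true -is-certificate-validation-enabled false "
    "-ipspace Default -access-key userAccessKey -secret-password userSecretPassWord"
)

if __name__ == "__main__":
    for flag, finding in audit(PAGE_EXAMPLE):
        print(f"{flag}: {finding}")
```

Dropping the two flagged parameters from the page's example leaves certificate validation at its default of true and makes ONTAP prompt for the secret, and the audit then returns no findings.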