Skip to main content

Create an ONTAP S3 user

Contributors netapp-manini netapp-perveilerk netapp-lenida netapp-ahibbard netapp-dbagwell johnlantz netapp-aherbin
PDFs

Create an S3 user with specific permissions. User authorization is required on all ONTAP object stores to restrict connectivity to authorized clients.

Before you begin.

An S3-enabled storage VM must already exist.

About this task

An S3 user can be granted access to any bucket in a storage VM. When you create an S3 user, an access key and a secret key are also generated for the user. They should be shared with the user along with the FQDN of the object store and bucket name.

For added security, beginning with ONTAP 9.15.1, access keys and secret keys are only displayed at the time the S3 user is created and cannot be displayed again. If the keys are lost, new keys must be regenerated.

To maintain access S3 resources if the original access key expires, beginning with ONTAP 9.19.1, you can generate a second access key for each S3 user.

You can grant specific access permissions to S3 users in a bucket policy or an object server policy.

Note

When you create a new object store server, ONTAP creates a root user (UID 0), which is a privileged user with access to all buckets. Rather than administering ONTAP S3 as the root user, NetApp recommends that an admin user role be created with specific privileges.
CLI

  1. Create an S3 user:
    vserver object-store-server user create -vserver svm_name -user user_name -comment [-comment text] -key-time-to-live time

    • Adding a comment is optional.

    • Beginning with ONTAP 9.14.1, you can define the period of time for which the key will be valid in the -key-time-to-live parameter. You can add the retention period in this format, to indicate the period after which the access key expires: P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W
      For example, if you want to enter a retention period of one day, two hours, three minutes, and four seconds, enter the value as P1DT2H3M4S. Unless specified, the key is valid for an indefinite period of time.

      The below example creates a user with name sm_user1 on storage VM vs0, with a key retention period of one week.

      vserver object-store-server user create -vserver vs0 -user sm_user1 -key-time-to-live P1W

      You can also manually define your own access key and secret key when creating a user in the -access-key and -secret-key parameters. For example:

      vserver object-store-server user create -vserver svm1 -user user1 -access-key "20-characters" -secret-key "40-characters"

  2. Be sure to save the access key and secret key. They will be required for access from S3 clients.

System Manager

  1. Select Storage > Storage VMs. Select the storage VM to which you need to add a user, select Settings and then select Edit icon under S3.

  2. To add a user, select Users > Add.

  3. Enter a name for the user.

  4. Beginning with ONTAP 9.14.1, you can specify the retention period of the access keys that get created for the user. You can specify the retention period in days, hours, minutes, or seconds, after which the keys automatically expire. By default, the value is set to 0 that indicates that the key is indefinitely valid.

  5. Select Save. The user is created, and an access key and a secret key are generated for the user.

  6. Download or save the access key and secret key. They will be required for access from S3 clients.

Next steps