Skip to main content

Create an S3 user

Contributors netapp-lenida netapp-ahibbard netapp-dbagwell netapp-manini netapp-aherbin
PDFs

Create an S3 user with specific permissions. User authorization is required on all ONTAP object stores to restrict connectivity to authorized clients.

Before you begin.

An S3-enabled storage VM must already exist.

About this task

An S3 user can be granted access to any bucket in a storage VM. When you create an S3 user, an access key and a secret key are also generated for the user. They should be shared with the user along with the FQDN of the object store and bucket name.

For added security, beginning with ONTAP 9.15.1, access keys and secret keys are only displayed at the time the S3 user is created and cannot be displayed again. If the keys are lost, new keys must be generated by recreating the user.

You can grant specific access permissions to S3 users in a bucket policy or an object server policy.

Note

When you create a new object store server, ONTAP creates a root user (UID 0), which is a privileged user with access to all buckets. Rather than administering ONTAP S3 as the root user, NetApp recommends that an admin user role be created with specific privileges.
CLI

  1. Create an S3 user:
    vserver object-store-server user create -vserver svm_name -user user_name -comment [-comment text] -key-time-to-live time

    • Adding a comment is optional.

    • Beginning with ONTAP 9.14.1, you can define the period of time for which the key will be valid in the -key-time-to-live parameter. You can add the retention period in this format, to indicate the period after which the access key expires: P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W
      For example, if you want to enter a retention period of one day, two hours, three minutes, and four seconds, enter the value as P1DT2H3M4S. Unless specified, the key is valid for an indefinite period of time.

      The below example creates a user with name sm_user1 on storage VM vs0, with a key retention period of one week.

      vserver object-store-server user create -vserver vs0 -user sm_user1 -key-time-to-live P1W

  2. Be sure to save the access key and secret key. They will be required for access from S3 clients.

System Manager

  1. Click Storage > Storage VMs. Select the storage VM to which you need to add a user, select Settings and then click Edit icon under S3.

  2. To add a user, click Users > Add.

  3. Enter a name for the user.

  4. Beginning with ONTAP 9.14.1, you can specify the retention period of the access keys that get created for the user. You can specify the retention period in days, hours, minutes, or seconds, after which the keys automatically expire. By default, the value is set to 0 that indicates that the key is indefinitely valid.

  5. Click Save. The user is created, and an access key and a secret key are generated for the user.

  6. Download or save the access key and secret key. They will be required for access from S3 clients.

Next steps