Skip to main content

Create an S3 user

Contributors netapp-ahibbard netapp-manini

User authorization is required on all ONTAP object stores to restrict connectivity to authorized clients.

Before you begin.

An S3-enabled storage VM must already exist.

About this task

An S3 user can be granted access to any bucket in a storage VM. When you create an S3 user, an access key and a secret key are also generated for the user. They should be shared with the user along with the FQDN of the object store and bucket name. An S3 users' keys can be viewed with the vserver object-store-server user show command.

You can grant specific access permissions to S3 users in a bucket policy or an object server policy.

Note

When you create a new object store server, ONTAP creates a root user (UID 0), which is a privileged user with access to all buckets. Rather than administering ONTAP S3 as the root user, NetApp recommends that an admin user role be created with specific privileges.

CLI
  1. Create an S3 user:
    vserver object-store-server user create -vserver svm_name -user user_name -comment [-comment text] -key-time-to-live time

    • Adding a comment is optional.

    • Beginning with ONTAP 9.14.1, you can define the period of time for which the key will be valid in the -key-time-to-live parameter. You can add the retention period in this format, to indicate the period after which the access key expires: P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W
      For example, if you want to enter a retention period of one day, two hours, three minutes, and four seconds, enter the value as P1DT2H3M4S. Unless specified, the key is valid for an indefinite period of time.

      The below example creates a user with name sm_user1 on storage VM vs0, with a key retention period of one week.

      vserver object-store-server user create -vserver vs0 -user sm_user1 -key-time-to-live P1W
  2. Be sure to save the access key and secret key. They will be required for access from S3 clients.

System Manager
  1. Click Storage > Storage VMs. Select the storage VM to which you need to add a user, select Settings and then click pencil icon under S3.

  2. To add a user, click Users > Add.

  3. Enter a name for the user.

  4. Beginning with ONTAP 9.14.1, you can specify the retention period of the access keys that get created for the user. You can specify the retention period in days, hours, minutes, or seconds, after which the keys automatically expire. By default, the value is set to 0 that indicates that the key is indefinitely valid.

  5. Click Save. The user is created, and an access key and a secret key are generated for the user.

  6. Download or save the access key and secret key. They will be required for access from S3 clients.