
Regenerate ONTAP S3 keys and modify their retention period

Contributors netapp-perveilerk netapp-dbagwell netapp-manini netapp-aherbin

Access keys and secret keys are automatically generated during user creation for enabling S3 client access. You can regenerate keys for a user if a key is expired or compromised. Beginning with ONTAP 9.19.1, you can also generate or remove a second access key for an S3 user so they can access S3 resources if their original access key expires.

For information about generation of access keys, see Create an S3 user.

Regenerate an S3 access key

System Manager
  1. Select Storage > Storage VMs and then select the storage VM.

  2. In the Settings tab, select Edit icon in the S3 tile.

  3. In the Users tab, verify that there is no access key, or the key has expired for the user.

  4. If you need to regenerate the key, select Menu options icon next to the user, then select Regenerate Key.

  5. By default, generated keys have a validity value of 0 and never expire. Beginning with ONTAP 9.14.1, you can modify their retention period, after which the keys automatically expire. Enter the retention period in days, hours, minutes, or seconds.

  6. Beginning with ONTAP 9.19.1, users can have a second access key. If the user has a second access key, select the access key to regenerate. You can select both access keys for regeneration.

  7. Select Save. The key is regenerated. Any change to the key retention period takes effect immediately.

  8. Download or save the access key and secret key. They will be required for access from S3 clients.

CLI
  1. Regenerate access and secret keys for a user by running the vserver object-store-server user regenerate-keys command.

  2. By default, generated keys are valid indefinitely. Beginning with ONTAP 9.14.1, you can modify their retention period, after which the keys automatically expire. You can add the retention period in this format: P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W
    For example, if you want to enter a retention period of one day, two hours, three minutes, and four seconds, enter the value as P1DT2H3M4S.

  3. Beginning with ONTAP 9.19.1, if the user has more than one access key, you can choose which key to regenerate. You specify the key in this format: [-key-id {1..2}]

    • If no key-id is specified, key 1 is regenerated.

    • To specify key 1, enter -key-id 1.

    • To specify key 2, enter -key-id 2.

    • To specify keys 1 and 2, enter -key-id 1 2.
      For example, to regenerate key 1:

      vserver object-store-server user regenerate-keys -vserver svm_name -user user -key-id 1 -key-time-to-live 0

  4. Save the access and secret keys. They will be required for access from S3 clients.

Generate a second S3 access key

Beginning with ONTAP 9.19.1, you can generate a second access key for a user.

System Manager
  1. Select Storage > Storage VMs and then select the storage VM.

  2. In the Settings tab, select Edit icon in the S3 tile.

  3. In the Users tab, select Menu options icon next to the user, then select Add another key.

  4. By default, generated keys have a validity value of 0 and never expire. Beginning with ONTAP 9.14.1, you can modify their retention period, after which the keys automatically expire. Enter the retention period in days, hours, minutes, or seconds.

  5. Select Add. The second key is generated. The specified key retention period takes effect immediately.

  6. Download or save the access key and secret key. They will be required for access from S3 clients.

CLI
  1. Generate second access and secret keys for a user by running the vserver object-store-server user regenerate-keys command.

  2. By default, generated keys are valid indefinitely. Beginning with ONTAP 9.14.1, you can modify their retention period, after which the keys automatically expire. You can add the retention period in this format: P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W
    For example, if you want to enter a retention period of one day, two hours, three minutes, and four seconds, enter the value as P1DT2H3M4S.

  3. Beginning with ONTAP 9.19.1, you can generate a second access key in this format: [-key-id 2]

    For example:

    vserver object-store-server user regenerate-keys -vserver svm_name -user user -key-id 2 -key-time-to-live 0

  4. Save the access and secret keys. They will be required for access from S3 clients.
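The retention-period format used by -key-time-to-live in the regenerate and second-key CLI steps above is easy to mistype, and a value of 0 silently produces a key that never expires. The following Python is added here as an example; it is not part of NetApp's documentation or of ONTAP. It validates a value against the grammar documented above, turns it into an absolute expiry, and flags keys that never expire or expire soon, using a constructed sample inventory. Assumptions: the T separator is accepted as optional when no time fields follow it, and the user names and dates are made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Retention-period grammar as documented on this page:
#   P[<n>D]T[<n>H][<n>M][<n>S]  or  P<n>W ; the value 0 means "never expires".
# Assumption: the T separator is treated as optional when no time fields follow it.
_DAYTIME = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_WEEKS = re.compile(r"^P(\d+)W$")

def parse_key_ttl(value):
    """Return a -key-time-to-live value as a timedelta, or None for 0 (never expires).
    Raises ValueError for anything outside the documented format."""
    value = value.strip()
    if value == "0":
        return None
    m = _WEEKS.fullmatch(value)
    if m:
        return timedelta(weeks=int(m.group(1)))
    m = _DAYTIME.fullmatch(value)
    if not m or not any(m.groups()):  # "P" or "PT" alone carry no duration
        raise ValueError(f"invalid -key-time-to-live value: {value!r}")
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def key_expiry(ttl_value, generated_at):
    """Absolute expiry for a key generated at generated_at, or None if it never expires."""
    ttl = parse_key_ttl(ttl_value)
    return None if ttl is None else generated_at + ttl

def keys_needing_attention(records, now, warn_within=timedelta(days=7)):
    """Flag keys that never expire (TTL 0) or that expire within warn_within.
    records: iterable of (user, key_id, ttl_value, generated_at) tuples."""
    flagged = []
    for user, key_id, ttl_value, generated_at in records:
        expires = key_expiry(ttl_value, generated_at)
        if expires is None:
            flagged.append((user, key_id, "never expires"))
        elif expires <= now + warn_within:
            flagged.append((user, key_id, "expires " + expires.isoformat()))
    return flagged

# Constructed sample inventory (hypothetical users and dates, not ONTAP output).
SAMPLE_RECORDS = [
    ("app-svc", 1, "0", datetime(2024, 6, 1, tzinfo=timezone.utc)),
    ("app-svc", 2, "P1DT2H3M4S", datetime(2025, 1, 9, tzinfo=timezone.utc)),
    ("backup", 1, "P26W", datetime(2025, 1, 1, tzinfo=timezone.utc)),
]
```

Call keys_needing_attention(SAMPLE_RECORDS, datetime.now(timezone.utc)) to list the keys that should be regenerated or given a retention period.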

Show S3 access keys

System Manager
  1. Select Storage > Storage VMs and then select the storage VM.

  2. In the Settings tab, select Edit icon in the S3 tile.

  3. In the Users tab, verify that there are no second access keys for the S3 users.

CLI

View access and secret keys for a user by running the vserver object-store-server user show command.

For example:

vserver object-store-server user show -vserver svm_name -user user

Remove an S3 access key

Beginning with ONTAP 9.19.1, you can remove one of the access keys for a user. To delete both keys for a user, delete the user.

System Manager
  1. Select Storage > Storage VMs and then select the storage VM.

  2. In the Settings tab, select Edit icon in the S3 tile.

  3. In the Users tab, select Menu options icon next to the user, then select Add another key.

  4. Select Remove key 1 or Remove key 2.

  5. Select Save. The selected key is removed.

  6. Download or save the access key and secret key. They will be required for access from S3 clients.

CLI
  1. Remove access and secret keys for a user by running the vserver object-store-server user delete-keys command.

  2. You can choose which key to remove by specifying the key in this format: [-key-id {1..2}]

    • If the user has only one key, no key-id needs to be specified.

    • To specify key 1, enter -key-id 1.

    • To specify key 2, enter -key-id 2.

    • If no key-id is specified, the command deletes key 2 by default.

    • To delete both keys, delete the user.
      For example:

      vserver object-store-server user delete-keys -vserver svm_name -user user -key-id 2