Configure tenant accounts and connections
Configuring StorageGRID to accept connections from client applications requires creating one or more tenant accounts and setting up the connections.
Create and configure S3 tenant accounts
An S3 tenant account is required before S3 API clients can store and retrieve objects on StorageGRID. Each tenant account has its own account ID, groups, users, buckets, and objects.
S3 tenant accounts are created by a StorageGRID grid administrator using the Grid Manager or the Grid Management API. See Manage tenants for details. After an S3 tenant account is created, tenant users can access the Tenant Manager to manage groups, users, access keys, and buckets. See Use a tenant account for details.
While S3 tenant users can create and manage S3 access key and buckets with the Tenant Manager, they must use an S3 client application to ingest and manage objects. See Use S3 REST API for details. |
How to configure client connections
A grid administrator makes configuration choices that affect how S3 clients connect to StorageGRID to store and retrieve data. There are four basic steps for connecting StorageGRID to any S3 application:
-
Perform prerequisite tasks in StorageGRID, based on how the client application will connect to StorageGRID.
-
Use StorageGRID to obtain the values the application needs to connect to the grid. You can either use the S3 setup wizard or configure each StorageGRID entity manually.
-
Use the S3 application to complete the connection to StorageGRID. Create DNS entries to associate IP addresses to any domain names you plan to use.
-
Perform ongoing tasks in the application and in StorageGRID to manage and monitor object storage over time.
For details on these steps, see Configure client connections.
Information required for client connections
To store or retrieve objects, S3 client applications connect to the Load Balancer service, which is included on all Admin Nodes and Gateway Nodes, or to the Local Distribution Router (LDR) service, which is included on all Storage Nodes.
Client applications can connect to StorageGRID using the IP address of a grid node and the port number of the service on that node. Optionally, you can create high availability (HA) groups of load-balancing nodes to provide highly available connections that use virtual IP (VIP) addresses. If you want to connect to StorageGRID using a fully qualified domain name (FQDN) instead of an IP or VIP address, you can configure DNS entries.
See Summary: IP addresses and ports for client connections for more information.
Decide to use HTTPS or HTTP connections
When client connections are made using a Load Balancer endpoint, connections must be made using the protocol (HTTP or HTTPS) that was specified for that endpoint. To use HTTP for client connections to Storage Nodes, you must enable its use.
By default, when client applications connect to Storage Nodes, they must use encrypted HTTPS for all connections. Optionally, you can enable less-secure HTTP connections by selecting CONFIGURATION > Security settings > Network and objects > Enable HTTP for Storage Node connections in the Grid Manager. For example, a client application might use HTTP when testing the connection to a Storage Node in a non-production environment.
Be careful when enabling HTTP for a production grid because requests and responses will be sent unencrypted. |
S3 endpoint domain names for S3 requests
Before you can use S3 endpoint domain names for client requests, a StorageGRID administrator must configure the system to accept connections that use S3 endpoint domain names in S3 path-style and S3 virtual-hosted-style requests.
To enable you to use S3 virtual hosted style-requests, a grid administrator must perform the following tasks:
-
Use the Grid Manager to add the S3 endpoint domain names to the StorageGRID system.
-
Ensure that the certificate the client uses for HTTPS connections to StorageGRID is signed for all domain names that the client requires.
For example, if the S3 API service endpoint domain endpoint is
s3.company.com
, the grid administrator must ensure that the certificate used for HTTPS connections hass3.company.com
as the Subject Common Name and in the Subject Alternative Names, and*.s3.company.com
in the Subject Alternative Names. -
Configure the DNS server used by the client to include DNS records that match the S3 endpoint domain names, including any required wildcard records.
If the client connects using the Load Balancer service, the certificate that the grid administrator configures is the certificate for the load balancer endpoint that the client uses.
Each load balancer endpoint has its own certificate, and each endpoint can be configured to recognize different S3 endpoint domain names. |
If the client connects to Storage Nodes, the certificate that the grid administrator configures is the single custom server certificate used for the grid.
See the instructions for administering StorageGRID for more information.
After these steps have been completed, you can use virtual hosted-style requests.
Test your S3 REST API configuration
You can use the Amazon Web Services Command Line Interface (AWS CLI) to test your connection to the system and to verify that you can read and write objects to the system.
-
You have downloaded and installed the AWS CLI from aws.amazon.com/cli.
-
You have created an S3 tenant account in the StorageGRID system.
-
You have created an access key in the tenant account.
-
Configure the AWS CLI settings to use the account you created in the StorageGRID system:
-
Enter configuration mode:
aws configure
-
Enter the access key ID for the account you created.
-
Enter the secret access key for the account you created.
-
Enter the default region to use, for example, us-east-1.
-
Enter the default output format to use, or press Enter to select JSON.
-
-
Create a bucket.
This example assumes you configured a load balancer endpoint to use IP address 10.96.101.17 and port 10443.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl create-bucket --bucket testbucket
If the bucket is created successfully, the location of the bucket is returned, as seen in the following example:
"Location": "/testbucket"
-
Upload an object.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl put-object --bucket testbucket --key s3.pdf --body C:\s3-test\upload\s3.pdf
If the object is uploaded successfully, an Etag is returned which is a hash of the object data.
-
List the contents of the bucket to verify that the object was uploaded.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl list-objects --bucket testbucket
-
Delete the object.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl delete-object --bucket testbucket --key s3.pdf
-
Delete the bucket.
aws s3api --endpoint-url https://10.96.101.17:10443 --no-verify-ssl delete-bucket --bucket testbucket