Operations on buckets

04/12/2023 Contributors

PDFs

The StorageGRID system supports a maximum of 1,000 buckets for each S3 tenant account.

Bucket name restrictions follow the AWS US Standard region restrictions, but you should further restrict them to DNS naming conventions to support S3 virtual hosted-style requests.

See the following for more information:

The GET Bucket (List Objects) and GET Bucket versions operations support StorageGRID consistency controls.

You can check whether updates to last access time are enabled or disabled for individual buckets.

The following table describes how StorageGRID implements S3 REST API bucket operations. To perform any of these operations, the necessary access credentials must be provided for the account.

Operation Implementation

Operation	Implementation
DELETE Bucket	This operation deletes the bucket.
DELETE Bucket cors	This operation deletes the CORS configuration for the bucket.
DELETE Bucket encryption	This operation deletes the default encryption from the bucket. Existing encrypted objects remain encrypted, but any new objects added to the bucket aren't encrypted.
DELETE Bucket lifecycle	This operation deletes the lifecycle configuration from the bucket. See Create S3 lifecycle configuration.
DELETE Bucket policy	This operation deletes the policy attached to the bucket.
DELETE Bucket replication	This operation deletes the replication configuration attached to the bucket.
DELETE Bucket tagging	This operation uses the `tagging` subresource to remove all tags from a bucket.
GET Bucket (ListObjects) (ListObjectsV2)	This operation returns some or all (up to 1,000) of the objects in a bucket. The Storage Class for objects can have either of two values, even if the object was ingested with the `REDUCED_REDUNDANCY` storage class option: `STANDARD`, which indicates the object is stored in a storage pool consisting of Storage Nodes. `GLACIER`, which indicates that the object has been moved to the external bucket specified by the Cloud Storage Pool. If the bucket contains large numbers of deleted keys that have the same prefix, the response might include some `CommonPrefixes` that don't contain keys.
GET Bucket Object versions (ListObjectVersions)	With READ access on a bucket, this operation with the `versions` subresource lists metadata of all of the versions of objects in the bucket.
GET Bucket acl	This operation returns a positive response and the ID, DisplayName, and Permission of the bucket owner, indicating that the owner has full access to the bucket.
GET Bucket cors	This operation returns the `cors` configuration for the bucket.
GET Bucket encryption	This operation returns the default encryption configuration for the bucket.
GET Bucket lifecycle (GetBucketLifecycleConfiguration)	This operation returns the lifecycle configuration for the bucket. See Create S3 lifecycle configuration.
GET Bucket location	This operation returns the region that was set using the `LocationConstraint` element in the PUT Bucket request. If the bucket's region is `us-east-1`, an empty string is returned for the region.
GET Bucket notification (GetBucketNotificationConfiguration)	This operation returns the notification configuration attached to the bucket.
GET Bucket policy	This operation returns the policy attached to the bucket.
GET Bucket replication	This operation returns the replication configuration attached to the bucket.
GET Bucket tagging	This operation uses the `tagging` subresource to return all tags for a bucket.
GET Bucket versioning	This implementation uses the `versioning` subresource to return the versioning state of a bucket. blank: Versioning has never been enabled (bucket is “Unversioned”) Enabled: Versioning is enabled Suspended: Versioning was previously enabled and is suspended
GET Object Lock Configuration	This operation returns the bucket default retention mode and default retention period, if configured. See Use S3 REST API to configure S3 Object Lock.
HEAD Bucket	This operation determines if a bucket exists and you have permission to access it. This operation returns: `x-ntap-sg-bucket-id`: The UUID of the bucket in UUID format. `x-ntap-sg-trace-id`: The unique trace ID of the associated request.
PUT Bucket	This operation creates a new bucket. By creating the bucket, you become the bucket owner. Bucket names must comply with the following rules: Must be unique across each StorageGRID system (not just unique within the tenant account). Must be DNS compliant. Must contain at least 3 and no more than 63 characters. Can be a series of one or more labels, with adjacent labels separated by a period. Each label must start and end with a lowercase letter or a number and can only use lowercase letters, numbers, and hyphens. Must not look like a text-formatted IP address. Should not use periods in virtual hosted style requests. Periods will cause problems with server wildcard certificate verification. By default, buckets are created in the `us-east-1` region; however, you can use the `LocationConstraint` request element in the request body to specify a different region. When using the `LocationConstraint` element, you must specify the exact name of a region that has been defined using the Grid Manager or the Grid Management API. Contact your system administrator if you don't know the region name you should use. Note: An error will occur if your PUT Bucket request uses a region that has not been defined in StorageGRID. You can include the `x-amz-bucket-object-lock-enabled` request header to create a bucket with S3 Object Lock enabled. See Use S3 REST API to configure S3 Object Lock. You must enable S3 Object Lock when you create the bucket. You can't add or disable S3 Object Lock after a bucket is created. S3 Object Lock requires bucket versioning, which is enabled automatically when you create the bucket.
PUT Bucket cors	This operation sets the CORS configuration for a bucket so that the bucket can service cross-origin requests. Cross-origin resource sharing (CORS) is a security mechanism that allows client web applications in one domain to access resources in a different domain. For example, suppose you use an S3 bucket named `images` to store graphics. By setting the CORS configuration for the `images` bucket, you can allow the images in that bucket to be displayed on the website `http://www.example.com`.
PUT Bucket encryption	This operation sets the default encryption state of an existing bucket. When bucket-level encryption is enabled, any new objects added to the bucket are encrypted.StorageGRID supports server-side encryption with StorageGRID-managed keys. When specifying the server-side encryption configuration rule, set the `SSEAlgorithm` parameter to `AES256`, and don't use the `KMSMasterKeyID` parameter. Bucket default encryption configuration is ignored if the object upload request already specifies encryption (that is, if the request includes the `x-amz-server-side-encryption-*` request header).
PUT Bucket lifecycle (PutBucketLifecycleConfiguration)	This operation creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration. StorageGRID supports up to 1,000 lifecycle rules in a lifecycle configuration. Each rule can include the following XML elements: Expiration (Days, Date) NoncurrentVersionExpiration (NoncurrentDays) Filter (Prefix, Tag) Status ID StorageGRID does not support these actions: AbortIncompleteMultipartUpload ExpiredObjectDeleteMarker Transition See Create S3 lifecycle configuration. To understand how the Expiration action in a bucket lifecycle interacts with ILM placement instructions, see How ILM operates throughout an object’s life. Note: Bucket lifecycle configuration can be used with buckets that have S3 Object Lock enabled, but bucket lifecycle configuration is not supported for legacy Compliant buckets.
PUT Bucket notification (PutBucketNotificationConfiguration)	This operation configures notifications for the bucket using the notification configuration XML included in the request body. You should be aware of the following implementation details: StorageGRID supports Simple Notification Service (SNS) topics as destinations. Simple Queue Service (SQS) or Amazon Lambda endpoints aren't supported. The destination for notifications must be specified as the URN of an StorageGRID endpoint. Endpoints can be created using the Tenant Manager or the Tenant Management API. The endpoint must exist for notification configuration to succeed. If the endpoint does not exist, a `400 Bad Request` error is returned with the code `InvalidArgument`. You can't configure a notification for the following event types. These event types are not supported. `s3:ReducedRedundancyLostObject` `s3:ObjectRestore:Completed` Event notifications sent from StorageGRID use the standard JSON format except that they don't include some keys and use specific values for others, as shown in the following list: eventSource `sgws:s3` awsRegion not included x-amz-id-2 not included arn `urn:sgws:s3:::bucket_name`
PUT Bucket policy	This operation sets the policy attached to the bucket.
PUT Bucket replication	This operation configures StorageGRID CloudMirror replication for the bucket using the replication configuration XML provided in the request body. For CloudMirror replication, you should be aware of the following implementation details: StorageGRID only supports V1 of the replication configuration. This means that StorageGRID does not support the use of the `Filter` element for rules, and follows V1 conventions for deletion of object versions. For details, see the Amazon S3 documentation on replication configuration. Bucket replication can be configured on versioned or unversioned buckets. You can specify a different destination bucket in each rule of the replication configuration XML. A source bucket can replicate to more than one destination bucket. Destination buckets must be specified as the URN of StorageGRID endpoints as specified in the Tenant Manager or the Tenant Management API. See Configure CloudMirror replication. The endpoint must exist for replication configuration to succeed. If the endpoint does not exist, the request fails as a `400 Bad Request`. The error message states: `Unable to save the replication policy. The specified endpoint URN does not exist: URN.` You don't need to specify a `Role` in the configuration XML. This value is not used by StorageGRID and will be ignored if submitted. If you omit the storage class from the configuration XML, StorageGRID uses the `STANDARD` storage class by default. If you delete an object from the source bucket or you delete the source bucket itself, the cross-region replication behavior is as follows: If you delete the object or bucket before it has been replicated, the object/bucket is not replicated and you aren't notified. If you delete the object or bucket after it has been replicated, StorageGRID follows standard Amazon S3 delete behavior for V1 of cross-region replication.
PUT Bucket tagging	This operation uses the `tagging` subresource to add or update a set of tags for a bucket. When adding bucket tags, be aware of the following limitations: Both StorageGRID and Amazon S3 support up to 50 tags for each bucket. Tags associated with a bucket must have unique tag keys. A tag key can be up to 128 Unicode characters in length. Tag values can be up to 256 Unicode characters in length. Key and values are case sensitive.
PUT Bucket versioning	This implementation uses the `versioning` subresource to set the versioning state of an existing bucket. You can set the versioning state with one of the following values: Enabled: Enables versioning for the objects in the bucket. All objects added to the bucket receive a unique version ID. Suspended: Disables versioning for the objects in the bucket. All objects added to the bucket receive the version ID `null`.
PUT Object Lock Configuration	This operation configures or removes the bucket default retention mode and default retention period. If the default retention period is modified, the retain-until-date of existing object versions remains the same and is not recalculated using the new default retention period. See Use S3 REST API to configure S3 Object Lock for detailed information.

DELETE Bucket

This operation deletes the bucket.

DELETE Bucket cors

This operation deletes the CORS configuration for the bucket.

DELETE Bucket encryption

This operation deletes the default encryption from the bucket. Existing encrypted objects remain encrypted, but any new objects added to the bucket aren't encrypted.

DELETE Bucket lifecycle

This operation deletes the lifecycle configuration from the bucket. See Create S3 lifecycle configuration.

DELETE Bucket policy

This operation deletes the policy attached to the bucket.

DELETE Bucket replication

This operation deletes the replication configuration attached to the bucket.

DELETE Bucket tagging

This operation uses the tagging subresource to remove all tags from a bucket.

GET Bucket

(ListObjects)

(ListObjectsV2)

This operation returns some or all (up to 1,000) of the objects in a bucket. The Storage Class for objects can have either of two values, even if the object was ingested with the REDUCED_REDUNDANCY storage class option:

STANDARD, which indicates the object is stored in a storage pool consisting of Storage Nodes.
GLACIER, which indicates that the object has been moved to the external bucket specified by the Cloud Storage Pool.

If the bucket contains large numbers of deleted keys that have the same prefix, the response might include some CommonPrefixes that don't contain keys.

GET Bucket Object versions

(ListObjectVersions)

With READ access on a bucket, this operation with the versions subresource lists metadata of all of the versions of objects in the bucket.

GET Bucket acl

This operation returns a positive response and the ID, DisplayName, and Permission of the bucket owner, indicating that the owner has full access to the bucket.

GET Bucket cors

This operation returns the cors configuration for the bucket.

GET Bucket encryption

This operation returns the default encryption configuration for the bucket.

GET Bucket lifecycle

(GetBucketLifecycleConfiguration)

This operation returns the lifecycle configuration for the bucket. See Create S3 lifecycle configuration.

GET Bucket location

This operation returns the region that was set using the LocationConstraint element in the PUT Bucket request. If the bucket's region is us-east-1, an empty string is returned for the region.

GET Bucket notification

(GetBucketNotificationConfiguration)

This operation returns the notification configuration attached to the bucket.

GET Bucket policy

This operation returns the policy attached to the bucket.

GET Bucket replication

This operation returns the replication configuration attached to the bucket.

GET Bucket tagging

This operation uses the tagging subresource to return all tags for a bucket.

GET Bucket versioning

This implementation uses the versioning subresource to return the versioning state of a bucket.

blank: Versioning has never been enabled (bucket is “Unversioned”)
Enabled: Versioning is enabled
Suspended: Versioning was previously enabled and is suspended

GET Object Lock Configuration

This operation returns the bucket default retention mode and default retention period, if configured.

See Use S3 REST API to configure S3 Object Lock.

HEAD Bucket

This operation determines if a bucket exists and you have permission to access it.

This operation returns:

x-ntap-sg-bucket-id: The UUID of the bucket in UUID format.
x-ntap-sg-trace-id: The unique trace ID of the associated request.

PUT Bucket

This operation creates a new bucket. By creating the bucket, you become the bucket owner.

Bucket names must comply with the following rules:
- Must be unique across each StorageGRID system (not just unique within the tenant account).
- Must be DNS compliant.
- Must contain at least 3 and no more than 63 characters.
- Can be a series of one or more labels, with adjacent labels separated by a period. Each label must start and end with a lowercase letter or a number and can only use lowercase letters, numbers, and hyphens.
- Must not look like a text-formatted IP address.
- Should not use periods in virtual hosted style requests. Periods will cause problems with server wildcard certificate verification.
By default, buckets are created in the us-east-1 region; however, you can use the LocationConstraint request element in the request body to specify a different region. When using the LocationConstraint element, you must specify the exact name of a region that has been defined using the Grid Manager or the Grid Management API. Contact your system administrator if you don't know the region name you should use.

Note: An error will occur if your PUT Bucket request uses a region that has not been defined in StorageGRID.
You can include the x-amz-bucket-object-lock-enabled request header to create a bucket with S3 Object Lock enabled. See Use S3 REST API to configure S3 Object Lock.

You must enable S3 Object Lock when you create the bucket. You can't add or disable S3 Object Lock after a bucket is created. S3 Object Lock requires bucket versioning, which is enabled automatically when you create the bucket.

PUT Bucket cors

This operation sets the CORS configuration for a bucket so that the bucket can service cross-origin requests. Cross-origin resource sharing (CORS) is a security mechanism that allows client web applications in one domain to access resources in a different domain. For example, suppose you use an S3 bucket named images to store graphics. By setting the CORS configuration for the images bucket, you can allow the images in that bucket to be displayed on the website http://www.example.com.

PUT Bucket encryption

This operation sets the default encryption state of an existing bucket. When bucket-level encryption is enabled, any new objects added to the bucket are encrypted.StorageGRID supports server-side encryption with StorageGRID-managed keys. When specifying the server-side encryption configuration rule, set the SSEAlgorithm parameter to AES256, and don't use the KMSMasterKeyID parameter.

Bucket default encryption configuration is ignored if the object upload request already specifies encryption (that is, if the request includes the x-amz-server-side-encryption-* request header).

PUT Bucket lifecycle

(PutBucketLifecycleConfiguration)

This operation creates a new lifecycle configuration for the bucket or replaces an existing lifecycle configuration. StorageGRID supports up to 1,000 lifecycle rules in a lifecycle configuration. Each rule can include the following XML elements:

Expiration (Days, Date)
NoncurrentVersionExpiration (NoncurrentDays)
Filter (Prefix, Tag)
Status
ID

StorageGRID does not support these actions:

AbortIncompleteMultipartUpload
ExpiredObjectDeleteMarker
Transition

See Create S3 lifecycle configuration. To understand how the Expiration action in a bucket lifecycle interacts with ILM placement instructions, see How ILM operates throughout an object’s life.

Note: Bucket lifecycle configuration can be used with buckets that have S3 Object Lock enabled, but bucket lifecycle configuration is not supported for legacy Compliant buckets.

PUT Bucket notification

(PutBucketNotificationConfiguration)

This operation configures notifications for the bucket using the notification configuration XML included in the request body. You should be aware of the following implementation details:

StorageGRID supports Simple Notification Service (SNS) topics as destinations. Simple Queue Service (SQS) or Amazon Lambda endpoints aren't supported.
The destination for notifications must be specified as the URN of an StorageGRID endpoint. Endpoints can be created using the Tenant Manager or the Tenant Management API.

The endpoint must exist for notification configuration to succeed. If the endpoint does not exist, a 400 Bad Request error is returned with the code InvalidArgument.
You can't configure a notification for the following event types. These event types are not supported.
- s3:ReducedRedundancyLostObject
- s3:ObjectRestore:Completed
Event notifications sent from StorageGRID use the standard JSON format except that they don't include some keys and use specific values for others, as shown in the following list:
- eventSource
  
  sgws:s3
- awsRegion
  
  not included
- x-amz-id-2
  
  not included
- arn
  
  urn:sgws:s3:::bucket_name

PUT Bucket policy

This operation sets the policy attached to the bucket.

PUT Bucket replication

This operation configures StorageGRID CloudMirror replication for the bucket using the replication configuration XML provided in the request body. For CloudMirror replication, you should be aware of the following implementation details:

StorageGRID only supports V1 of the replication configuration. This means that StorageGRID does not support the use of the Filter element for rules, and follows V1 conventions for deletion of object versions. For details, see the Amazon S3 documentation on replication configuration.
Bucket replication can be configured on versioned or unversioned buckets.
You can specify a different destination bucket in each rule of the replication configuration XML. A source bucket can replicate to more than one destination bucket.
Destination buckets must be specified as the URN of StorageGRID endpoints as specified in the Tenant Manager or the Tenant Management API. See Configure CloudMirror replication.

The endpoint must exist for replication configuration to succeed. If the endpoint does not exist, the request fails as a 400 Bad Request. The error message states: Unable to save the replication policy. The specified endpoint URN does not exist: URN.
You don't need to specify a Role in the configuration XML. This value is not used by StorageGRID and will be ignored if submitted.
If you omit the storage class from the configuration XML, StorageGRID uses the STANDARD storage class by default.
If you delete an object from the source bucket or you delete the source bucket itself, the cross-region replication behavior is as follows:
- If you delete the object or bucket before it has been replicated, the object/bucket is not replicated and you aren't notified.
- If you delete the object or bucket after it has been replicated, StorageGRID follows standard Amazon S3 delete behavior for V1 of cross-region replication.

PUT Bucket tagging

This operation uses the tagging subresource to add or update a set of tags for a bucket. When adding bucket tags, be aware of the following limitations:

Both StorageGRID and Amazon S3 support up to 50 tags for each bucket.
Tags associated with a bucket must have unique tag keys. A tag key can be up to 128 Unicode characters in length.
Tag values can be up to 256 Unicode characters in length.
Key and values are case sensitive.

PUT Bucket versioning

This implementation uses the versioning subresource to set the versioning state of an existing bucket. You can set the versioning state with one of the following values:

Enabled: Enables versioning for the objects in the bucket. All objects added to the bucket receive a unique version ID.
Suspended: Disables versioning for the objects in the bucket. All objects added to the bucket receive the version ID null.

PUT Object Lock Configuration

This operation configures or removes the bucket default retention mode and default retention period.

If the default retention period is modified, the retain-until-date of existing object versions remains the same and is not recalculated using the new default retention period.

See Use S3 REST API to configure S3 Object Lock for detailed information.

Related information

Consistency controls

GET Bucket last access time

Use bucket and group access policies

S3 operations tracked in audit logs