Get started
Create a Cloud Storage Pool
Suggest changes
-
PDF of this doc site
-
Install, upgrade, and hotfix
-
Configure and manage
-
Collection of separate PDF docs
Creating your file...
A Cloud Storage Pool specifies a single external Amazon S3 bucket or other S3-compatible provider or an Azure Blob storage container.
When you create a Cloud Storage Pool, you specify the name and location of the external bucket or container that StorageGRID will use to store objects, the cloud provider type (Amazon S3/GCP or Azure Blob storage), and the information StorageGRID needs to access the external bucket or container.
StorageGRID validates the Cloud Storage Pool as soon as you save it, so you must ensure that the bucket or container specified in the Cloud Storage Pool exists and is reachable.
-
You are signed in to the Grid Manager using a supported web browser.
-
You have the required access permissions.
-
You have reviewed the considerations for Cloud Storage Pools.
-
The external bucket or container referenced by the Cloud Storage Pool already exists, and you have the service endpoint information.
-
To access the bucket or container, you have the account information for the authentication type you will choose.
-
Select ILM > Storage pools > Cloud Storage Pools.
-
Select Create, then enter the following information:
Field Description Cloud Storage Pool name
A name that briefly describes the Cloud Storage Pool and its purpose. Use a name that will be easy to identify when you configure ILM rules.
Provider type
Which cloud provider you will use for this Cloud Storage Pool:
-
Amazon S3/GCP: Select this option for an Amazon S3, Commercial Cloud Services (C2S) S3, Google Cloud Platform (GCP), or other S3-compatible provider.
-
Azure Blob Storage
Bucket or container
The name of the external S3 bucket or Azure container. You can't change this value after the Cloud Storage Pool is saved.
-
-
Based on your Provider type selection, enter the service endpoint information.
Amazon S3/GCPAzure Blob StorageAmazon S3/GCPAmazon S3/GCPAzure Blob Storage-
For the protocol, select either HTTPS or HTTP.
Don't use HTTP connections for sensitive data. -
Enter the hostname. Example:
s3-aws-region.amazonaws.com -
Select the URL style:
Option Description Auto-detect
Attempt to automatically detect which URL style to use, based on the information provided. For example, if you specify an IP address, StorageGRID will use a path-style URL. Select this option only if you don't know which specific style to use.
Virtual-hosted-style
Use a virtual-hosted-style URL to access the bucket. Virtual-hosted-style URLs include the bucket name as part of the domain name. Example:
https://bucket-name.s3.company.com/key-namePath-style
Use a path-style URL to access the bucket. Path-style URLs include the bucket name at the end. Example:
https://s3.company.com/bucket-name/key-nameNote: The path-style URL option is not recommended and will be deprecated in a future release of StorageGRID.
-
Optionally, enter the port number, or use the default port: 443 for HTTPS or 80 for HTTP.
-
Using one of the following formats, enter the URI for the service endpoint.
-
https://host:port -
http://host:port
-
Example:
https://myaccount.blob.core.windows.net:443If you don't specify a port, by default port 443 is used for HTTPS and port 80 is used for HTTP.
-
-
Select Continue. Then select the authentication type and enter the required information for the Cloud Storage Pool endpoint:
Access keyIAM Roles AnywhereCAP (C2S access portal)Azure Blob StorageAnonymousAccess keyAccess keyIAM Roles AnywhereCAP (C2S access portal)Azure Blob StorageAnonymousFor Amazon S3/GCP or other S3-compatible provider
-
Access key ID: Enter the access key ID for the account that owns the external bucket.
-
Secret access key: Enter the secret access key.
For AWS IAM Roles Anywhere service
StorageGRID uses the AWS Security Token Service (STS) to dynamically generate a short-lived token to access AWS resources.
-
AWS IAM Roles Anywhere region: Select the region for the Cloud Storage Pool. For example,
us-east-1. -
Trust anchor URN: Enter the URN of the trust anchor that validates requests for short-lived STS credentials. Can be a root or intermediate CA.
-
Profile URN: Enter the URN of the IAM Roles Anywhere profile that lists the roles that are assumable for anyone trusted.
-
Role URN: Enter the URN of the IAM role that is assumable for anyone trusted.
-
Session duration: Enter the duration of the temporary security credentials and role session. Enter at least 15 minutes and no more than 12 hours.
-
Server CA certificate (optional): One or more trusted CA certificates, in PEM format, for verifying the IAM Roles Anywhere server. If omitted, the server won't be verified.
-
End-entity certificate: The public key, in PEM format, of the X509 certificate signed by the trust anchor. AWS IAM Roles Anywhere uses this key to issue an STS token.
-
End-entity private key: The private key for the end-entity certificate.
For Commercial Cloud Services (C2S) S3 service
-
Temporary credentials URL: Enter the complete URL that StorageGRID will use to obtain temporary credentials from the CAP server, including all the required and optional API parameters assigned to your C2S account.
-
Server CA certificate: Select Browse and upload the CA certificate that StorageGRID will use to verify the CAP server. Certificate must be PEM-encoded and issued by an appropriate Government Certificate Authority (CA).
-
Client certificate: Select Browse and upload the certificate that StorageGRID will use to identify itself to the CAP server. The client certificate must be PEM-encoded, issued by an appropriate Government Certificate Authority (CA), and granted access to your C2S account.
-
Client private key: Select Browse and upload the PEM-encoded private key for the client certificate.
-
If the client private key is encrypted, enter the passphrase for decrypting the client private key. Otherwise, leave the Client private key passphrase field blank.
If the client certificate will be encrypted, use the traditional format for the encryption. PKCS #8 encrypted format is not supported. For Azure Blob Storage, Shared Key only
-
Account name: Enter the name of the storage account that owns the external container
-
Account key: Enter the secret key for the storage account
You can use the Azure portal to find these values.
No additional information is required.
-
-
Select Continue. Then choose the type of server verification you want to use:
Option Description Use root CA certificates in Storage Node OS
Use the Grid CA certificates installed on the operating system to secure connections.
Use custom CA certificate
Use a custom CA certificate. Select Browse and upload the PEM-encoded certificate.
Do not verify certificate
Selecting this option means that TLS connections to the Cloud Storage Pool aren't secure.
-
Select Save.
When you save a Cloud Storage Pool, StorageGRID does the following:
-
Validates that the bucket or container and the service endpoint exist and that they can be reached using the credentials that you specified.
-
Writes a marker file to the bucket or container to identify it as a Cloud Storage Pool. Never remove this file, which is named
x-ntap-sgws-cloud-pool-uuid.If Cloud Storage Pool validation fails, you receive an error message that explains why validation failed. For example, an error might be reported if there is a certificate error or if the bucket or container you specified does not already exist.
-
-
If an error occurs, see the instructions for troubleshooting Cloud Storage Pools, resolve any issues, and then try saving the Cloud Storage Pool again.
