Skip to main content
Amazon FSx for NetApp ONTAP

Connect to an FSx for ONTAP file system with a Lambda link

Contributors netapp-rlithman netapp-mwallis
PDFs

To perform advanced ONTAP management operations, you'll need to establish connectivity between your workload factory account and one or more FSx for ONTAP file systems. Establishing connectivity includes associating new and existing Lambda links, and authenticating the links. Link association allows you to monitor and manage certain features directly from the FSx for ONTAP file system that are not available through the AWS FSx for ONTAP API.

Learn more about links.

About this task

Links leverage AWS Lambda to execute code in response to events and automatically manage the computing resources required by that code. The links that you create are part of your NetApp account and they are associated with an AWS account.

You can create a link in your account when defining an FSx for ONTAP file system. That link will be used for that file system, and it can be used by other FSx for ONTAP file systems. You can also associate a link for a file system later.

Links require authentication. You can authentic links using credentials stored in the workload factory credentials service or with your credentials stored in AWS Secrets Manager. Only one authentication method is supported per link. For example, if you select link authentication with AWS Secrets Manager, you can't change the authentication method later.

Note AWS Secrets Manager isn't supported when using a Connector.

Associating a new link includes link creation and association.

You have two options for creating links in this workflow - automatically or manually. You'll need to launch an AWS CloudFormation stack in your AWS account to create the link.

  • Automatically: Creates a link with automatic registration via workload factory. A link created automatically requires tokens for workload factory automation and the CloudFormation code is short-lived. It can only be used for up to six hours.

  • Manually: Creates a link with manual registration. The CloudFormation code persists giving you more time to complete the operation. This is useful when working with different teams like Security and DevOps that might first need to grant the permissions necessary to complete link creation.

Before you begin

  • You should consider which link creation option you'll use.

  • You need to have at least one FSx for ONTAP file system in workload factory. To discover or create FSx for ONTAP file systems, you must have an AWS account with permissions for FSx for ONTAP instances and add credentials in workload factory with read-only or read/write permissions for Storage management.

  • The following ports must be open in the security group associated with the FSx for ONTAP file system for link connectivity.

    • For the workload factory console: port 443 (HTTPS)

    • For CloudShell: port 22(SSH)

  • You must have the following permissions in your AWS account when adding a link using a CloudFormation stack:

    Details 
    "cloudformation:GetTemplateSummary",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:ListStackResources",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"iam:ListRoles",
"iam:GetRolePolicy",
"iam:GetRole",
"iam:DeleteRolePolicy",
"iam:CreateRole",
"iam:DetachRolePolicy",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:TagResource",
"codestar-connections:GetSyncConfiguration",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
Create automatically

Use CloudFormation to automatically create and register the link within workload factory.

Steps

  1. Log in using one of the console experiences.

  2. In Storage, select Go to storage inventory.

  3. In the FSx for ONTAP tab, select the three-dot menu of the file system to associate a link to and then select Associate link.

  4. In the Associate link dialog, select Create a new link and select Continue.

  5. On the Create Link page, provide the following:

    1. Link name: Enter the name that you want to use for this link. The name must be unique within your account.

    2. AWS Secrets Manager: Optional. Allows workload factory to fetch FSx for ONTAP access credentials from your AWS Secrets Manager.

      The link deployment stack adds the following default secret manager ARN regex to the Lambda permission policy: arn:aws:secretsmanager:<link_deployment_region>:<link_deployment_account_id>:secret:FSxSecret*.

      You can either create secrets in alignment with the default permissions or assign your custom permissions for the link policy.

      Configure VPC private endpoint to AWS Secrets Manager is disabled by default. Selecting this option stores the secret using the VPC private endpoint instead of storing it locally.

    3. Link permissions: Select one of the following options for link permissions:

      • Automatic: Select this option so that AWS CloudFormation code automatically creates the Lambda permission policy and execution role.

      • User-provided: Select this option to assign a specified Lambda execution role and its attached policies to the Lambda link. The following permissions are required for the Lambda permission policy. The secretsmanager:GetSecretValue permission is required only if you enabled AWS Secrets Manager.

        "ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:AssignPrivateIpAddresses",
"ec2:UnassignPrivateIpAddresses",
"secretsmanager:GetSecretValue"

        Enter the Lambda execution role ARN in the text box.

    4. Tags: Optionally, add any tags that you want to associate with this link so you can more easily categorize your resources. For example, you could add a tag that identifies this link as being used by FSx for ONTAP file systems.

      The AWS account and the additional information for Account, Location, and Security group are retrieved automatically based on the FSx for ONTAP file system.

  6. Select Create.

    The Redirect to CloudFormation dialog appears and explains how to create the link from the AWS CloudFormation service is displayed.

  7. Select Continue to open the AWS Management Console, and then log in to the AWS account for this FSx for ONTAP file system.

  8. On the Quick create stack page, under Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources.

    Note that three permissions are granted to Lambda when you launch the CloudFormation template. Workload factory uses these permissions when using links.

    "lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:UpdateFunctionCode"

  9. Select Create stack and then Select Continue.

    You can monitor the link creation status from the Events page. This should take no more than 5 minutes.

  10. Return to the workload factory interface and you'll see that the link is associated with the FSx for ONTAP file system.

Create manually

With this option, you extract the ARN for the link from AWS CloudFormation and report it here. Workload factory manually registers the link for you.

Steps

  1. Log in using one of the console experiences.

  2. In Storage, select Go to storage inventory.

  3. In the FSx for ONTAP tab, select the three-dot menu of the file system to associate a link to and then select Associate link.

  4. In the Associate link dialog, select Create a new link and select Continue.

  5. On the Create Link page, provide the following:

    1. Link name: Enter the name that you want to use for this link. The name must be unique within your account.

    2. AWS Secrets Manager: Optional. Allows workload factory to fetch FSx for ONTAP access credentials from your AWS Secrets Manager.

      The link deployment stack adds the following default secret manager ARN regex to the Lambda permission policy: arn:aws:secretsmanager:<link_deployment_region>:<link_deployment_account_id>:secret:FSxSecret*.

      You can either create secrets in alignment with the default permissions or assign your custom permissions for the link policy.

      Configure VPC private endpoint to AWS Secrets Manager is disabled by default. Selecting this option stores the secret using the VPC private endpoint instead of storing it locally.

    3. Link permissions: Select one of the following options for link permissions:

      • Automatic: Select this option so that AWS CloudFormation code automatically creates the Lambda permission policy and execution role.

      • User-provided: Select this option to assign a specified Lambda execution role and its attached policies to the Lambda link. The following permissions are required for the Lambda permission policy. The secretsmanager:GetSecretValue permission is required only if you enabled AWS Secrets Manager.

        "ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:AssignPrivateIpAddresses",
"ec2:UnassignPrivateIpAddresses"
"secretsmanager:GetSecretValue"

        Enter the Lambda execution role ARN in the text box.

    4. Tags: Optionally, add any tags that you want to associate with this link so you can more easily categorize your resources. For example, you could add a tag that identifies this link as being used by FSx for ONTAP file systems.

    5. Link registration: select on the dropdown arrow to expand the instructions for how to register the link from the AWS CloudFormation service or using Terraform. Follow the instructions.

      Note that three permissions are granted to Lambda when you launch the CloudFormation template. Workload factory uses these permissions when using links.

      "lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:UpdateFunctionCode"

      After you successfully create the stack, paste the Lambda ARN in the text box.

    6. The AWS account and the additional information for Account, Location, and Security group are retrieved automatically based on the FSx for ONTAP file system.

  6. Select Create.

    You can monitor the link creation status from the Events page. This should take no more than 5 minutes.

  7. Return to the workload factory interface and you'll see that the link is associated with the FSx for ONTAP file system.

Result

The link you created is associated with the FSx for ONTAP file system. You can perform advanced ONTAP operations.

After you create a link, associate it with one or more FSx for ONTAP file system.

Steps

  1. Log in using one of the console experiences.

  2. In Storage, select Go to storage inventory.

  3. In the FSx for ONTAP tab, select the three-dot menu of the file system to associate a link to and then select Associate link.

  4. In the Associate link page, select Associate an existing link, select the link, and select Continue.

  5. Select the authentication mode.

    • Workload Factory: enter the password twice.

    • AWS Secrets Manager: enter the secret ARN.

      The secret ARN must include the following key valid pairs:

      • filesystemID = FSx_filesystem_id

      • username = FSx_user

      • password = user_password

  6. Select Apply.

Result

The link is associated with the FSx for ONTAP file system. You can perform advanced ONTAP operations.

Issue

The link lacks permissions to retrieve the secret.

Resolution: Add permissions after the link is active. Log in to the AWS console, locate the Lambda link, and edit the attached permission policy.

Issue

The secret isn't found.

Resolution: Provide the correct secret ARN.

Issue

The secret isn't in the right format.

Resolution: Go to AWS Secrets Manager and edit the format.

The secret should contain the following key valid pairs:

  • filesystemID = FSx_filesystem_id

  • username = FSx_user

  • password = user_password

Issue

The secret doesn't contain valid ONTAP credentials for file system authentication.

Resolution: Provide credentials that can authenticate FSx for ONTAP file systems in AWS Secrets Manager.