Note
Amazon S3 with the Glacier storage class is recommended over Amazon Glacier. Amazon S3 with the Glacier storage class has more advantages, such as no 24-hour limit for recalled data and deduplication support.
-
Authentication - Create the account using one of the following authentication methods:
-
Access & Secret Access Key - This is the default authentication.
-
AWS IAM Role Policy - Use this authentication for a user with the IAM role, thereby allowing the specific user to provide the IAM roles assigned to the user. For more information on IAM Role Policies, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html.
Note
For AWS IAM Role Policy the selected MediaAgent must reside in the EC2 instance and an IAM Role must be associated with the EC2 instance. Make sure to select the specific MediaAgent from the drop-down list during library configuration.
-
AWS STS Assume Role
For more information on Amazon STS (Security Token Service), refer to http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html and http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html.
-
C2S Access Portal
Use this Authentication for a user with credentials to either the Amazon C2S (Amazon Commercial Cloud Services) or Amazon SC2S (Amazon Secure - Commercial Cloud Services).
For Access & Secret Access Keys*
-
Service Host
A valid endpoint name for the Amazon Glacier region provided by the agency.
Default: glacier.[region].amazonaws.com
For example, glacier.us-west-1.amazonaws.com
To find the region, see https://docs.aws.amazon.com/general/latest/gr/rande.html.
-
Access Key ID
-
Secret Access Key
-
Verify Secret Access Key
-
Vault
For AWS IAM Role Policy*
Note
For AWS IAM Role Policy the selected MediaAgent must reside in the EC2 instance.
-
Service Host
A valid endpoint name for the Amazon Glacier region provided by the agency.
Default: glacier.[region].amazonaws.com
For example, glacier.us-west-1.amazonaws.com
To find the region, see https://docs.aws.amazon.com/general/latest/gr/rande.html.
-
IAM Role
-
Vault
Note
*Note: The following permissions are needed in Amazon (Direct) Glacier for both the IAM and Access & Secret Access Key user (sample JSON file with these actions):
-
List
ListJobs
ListMultipartUploads
ListParts
ListVaults
-
Read
DescribeJob
DescribeVault
GetJobOutput
-
Write
AbortMultipartUpload
CompleteMultipartUpload
CreateVault
DeleteArchive
DeleteVault
InitiateJob
InitiateMultipartUpload
UploadArchive
UploadMultipartPart
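One way to check an IAM policy against the permission list above, shown as an added example that is not part of the original documentation. The function names and the two sample policies are constructed for illustration, and only the Action entries of Allow statements are compared (Deny, NotAction, Resource and Condition are not evaluated).

```python
import fnmatch

# The 16 Glacier actions listed above (List, Read and Write groups).
REQUIRED = {"glacier:" + name for name in """
    ListJobs ListMultipartUploads ListParts ListVaults
    DescribeJob DescribeVault GetJobOutput
    AbortMultipartUpload CompleteMultipartUpload CreateVault DeleteArchive
    DeleteVault InitiateJob InitiateMultipartUpload UploadArchive
    UploadMultipartPart""".split()}

def _as_list(value):
    # IAM accepts a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def _allows(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy):
    """Return (missing, wildcards, extra) for a policy's Allow statements.
    Deny, NotAction, Resource and Condition are not evaluated here."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns += _as_list(stmt.get("Action", []))
    required_lower = {a.lower() for a in REQUIRED}
    missing = sorted(a for a in REQUIRED
                     if not any(_allows(p, a) for p in patterns))
    wildcards = sorted(p for p in patterns if "*" in p or "?" in p)
    extra = sorted(p for p in patterns
                   if p not in wildcards and p.lower() not in required_lower)
    return missing, wildcards, extra

def minimal_policy(resource):
    """Policy document that allows exactly REQUIRED on the given resource."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": resource}]}

# Constructed sample: broad grant of the kind attached for convenience.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glacier:*", "s3:GetObject"], "Resource": "*"}]}
# Constructed sample: upload-only grant that lacks most of the listed actions.
PARTIAL = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["glacier:UploadArchive", "glacier:listvaults"]}}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("partial", PARTIAL)):
        print(name, audit_policy(doc))
```

A policy that passes returns three empty lists; a wildcard entry covers the required actions but grants more than the list calls for, so it is reported separately.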
For AWS STS Assume Role
-
Service Host
A valid endpoint name for the Amazon Glacier region provided by the agency.
Default: glacier.[region].amazonaws.com
For example, glacier.us-west-1.amazonaws.com
To find the region, see https://docs.aws.amazon.com/general/latest/gr/rande.html.
-
Role ARN
-
Access Key ID
-
Secret Access Key
-
Verify Secret Access Key
-
Vault
For C2S Access Portal
-
Service Host
A valid endpoint name for the Amazon Glacier region provided by the agency.
Default: glacier.[region].amazonaws.com
For example, glacier.us-west-1.amazonaws.com
To find the region, see https://docs.aws.amazon.com/general/latest/gr/rande.html.
-
CAP URL
The CAP URL. For example:
https://<URL:Port_Name>/TAP/api/v1/credentials?agency=<agency>&mission=<mission>&role=<role>
-
Certificate Filename
File name provided by the agency. For example: <file_name>.p12.
Make sure that the file is copied and available in all the MediaAgents using the library under the following folder:
<software install folder>/Base/Certificates
-
Passphrase
The password for the certificate file provided by the agency.
-
Verify Passphrase
-
Vault
-
Additional Information
Considerations for Setting up Amazon Glacier with Vault Lock Policies
Make sure that the retention set in the Glacier Vault Lock policy is shorter than the retention time set for the data in the Storage Policy.
For more information on Amazon Glacier Vault lock policies, see https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-lock-policy.html.
For more information on setting the retention in a storage policy, see Data Aging - Getting Started.