Use the following information to add or modify an Amazon S3 cloud storage library with AWS IAM Role Policy authentication in the Add / Edit Cloud Storage (General) dialog box in CommCell Console.
Note
Refer to Amazon S3 documentation for additional information on the inputs required in this dialog box.
Configure the EC2 IAM role details before configuring the storage library. For more information, see Configuring EC2 IAM Role Details for STS Assume IAM Role.
Authentication
AWS IAM Role Policy - Use this Authentication for an user with the IAM role, thereby allowing the specific user to provide the IAM roles assigned to the user. For more information on IAM Role Policies, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html.
Note
For AWS IAM Role Policy the selected MediaAgent must reside in the EC2 instance and an IAM Role must be associated with the EC2 instance. Make sure to select the specific MediaAgent from the drop-down list during library configuration. (For more information about installing the MediaAgent on the EC2 instance, see MediaAgent Installations.)
AWS Identity and Access Management (IAM) role policies are used to avoid the effort associated with rotating access keys and secret keys within an organization. An AWS IAM role permitting activity on your AWS resources (EC2, S3) is created and associated with your AWS-based MediaAgent. No credentials are stored within the Commvault system. You can create the AWS IAM Role policy using the IAM Console. For more information about creating AWS IAM Role policy, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html.
The IAM Role must have the following actions enabled in the Amazon S3 account: (sample json file with these actions)
"s3:CreateBucket"
"s3:GetBucketLocation"
"s3:GetObject"
"s3:PutObject"
"s3:PutObjectRetention"
"s3:PutObjectTagging"
"s3:ListBucket"
"s3:ListAllMyBuckets"
"s3:DeleteObject"
Notes
-
The
CreateBucket
permission is required only when the bucket must be created by the MediaAgent while configuring the cloud storage. (This permission can be skipped if an existing bucket is used for configuring the cloud storage.) -
The
ListAllMyBuckets
permissions request is required for the Detect button to work. -
To recall data from Amazon Glacier Glacier/Deep Archive or Combined Tier Storage Classes, make sure that the user associated with the bucket has the
RestoreObject
permission. For more information on POST Object restore, see https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOSTrestore.html.
Service Host
A valid endpoint name for the Amazon S3 region provided by the agency.
Default: s3.[region].amazonaws.com
. For example, s3.us-west-1.amazonaws.com
.
To find the region, see https://docs.aws.amazon.com/general/latest/gr/rande.html.
IAM Role
Name of the IAMRole.
Bucket
Click the Detect button to detect an existing bucket.
Note
Sometimes, existing bucket list may not get populated while detecting the buckets, as some vendors may not support this operation, or if there are no permissions to complete the operation. In such cases, type the name of the existing bucket that you want to use. The system will automatically use the existing bucket if it is available.
To recall data from Amazon Glacier Glacier/Deep Archive or Combined Tier Storage Classes, make sure that the user associated with the bucket has the RestoreObject
permission. For more information on POST Object restore, see https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOSTrestore.html.
Storage Class
The following Amazon S3 storage classes are supported for Commvault Cloud Storage libraries:
-
Standard
-
Standard - Infrequent Access
-
One Zone - Infrequent Access
-
Intelligent - Tiering
-
Standard/Glacier (Combined Storage Tiers)
-
Standard-IA/Glacier (Combined Storage Tiers)
-
One Zone-IA/Glacier (Combined Storage Tiers)
-
Intelligent-Tiering/Glacier (Combined Storage Tiers)
-
Standard/Deep Archive (Combined Storage Tiers)
-
Standard-IA/Deep Archive (Combined Storage Tiers)
-
One Zone-IA/Deep Archive (Combined Storage Tiers)
-
Intelligent-Tiering/Deep Archive (Combined Storage Tiers)
-
Glacier
-
Deep Archive
-
Reduced Redundancy Storage
Reference https://aws.amazon.com/s3/storage-classes/ for more information.