Amazon S3 - AWS STS Assume Role with IAM Role Policy

Use this dialog box to add (or modify) Amazon S3, with AWS STS Assume Role with IAM Role Policy authentication, as a storage target.

Note

Refer to Amazon S3 documentation for additional information on the inputs required in this dialog box.

Before You Begin

Configure the EC2 IAM role details before configuring the storage library. For more information, see Configuring EC2 IAM Role Details for STS Assume IAM Role.

Configurable Options

Option

Description

Additional Information

Type

Select Amazon S3 from the list.

Name

The name of the cloud library.

MediaAgent

The name of the MediaAgent to which the device is attached. Select a MediaAgent from the list to add to the cloud storage device. The list contains the names of all the MediaAgents configured in the CommCell.

For AWS IAM Role Policy the selected MediaAgent must reside in the EC2 instance and an IAM Role must be associated with the EC2 instance. Make sure to select the specific MediaAgent from the drop-down list during library configuration. (For more information about installing the MediaAgent on the EC2 instance, see MediaAgent Installations.)

Storage Class

The following Amazon S3 storage classes are supported for Commvault Cloud Storage libraries:

  • S3 Standard

  • S3 Intelligent-Tiering

  • S3 Standard-Infrequent Access

  • S3 One Zone - Infrequent Access

  • S3 Glacier Instant Retrieval

  • S3 Glacier Flexible Retrieval

  • S3 Glacier Deep Archive

  • S3 Reduced Redundancy Storage

Reference https://aws.amazon.com/s3/storage-classes/ for more information.

Region

Select the region for the cloud storage from the drop down list.

Service Host

A valid endpoint name for the Amazon S3 region provided by the agency. (Commvault transfers data using HTTPS protocol to the service host.)

Default: s3.[region].amazonaws.com. For example, s3.us-west-1.amazonaws.com.

  • For more information about Amazon Access Points, see https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points.html.

    For more information about AWS PrivateLink for Amazon S3, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html.

  • For Amazon S3 Transfer Acceleration, provide the service host provider name as s3-accelerate.amazonaws.com.

  • For AWS PrivateLink for Amazon S3, provide the service host provider name as [VPC-endpoint-ID].[region].vpce.amazonaws.com. For example, vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com.

  • For Amazon S3 Access Points, provide the service host provider name as s3-accesspoint.[region].amazonaws.com.

  • For Access Point with AWS PrivateLink, provide the service host provider name as accesspoint.[VPC-endpoint-ID].[region].vpce.amazonaws.com. For example, accesspoint.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com.

  • To connect to the VPC STS endpoint, provide the service host provider name as vpce-1234567f12345678-123456e2hf.s3.us-east-1.vpce.amazonaws.com.

  • Do not add the bucket name as the service host.

  • Multiple hosts can be added in the Service Host field using commas to separate them. For example servicehost1, servicehost2, servicehost3. (For local cloud servers with multiple IP addresses, the list of IP addresses can be added. For example, 192.xxx.0.100,192.xxx.0.101, 192.xxx.0.102. )

    Note

    All the hosts (or IP addresses) in the list must point to the same storage. Adding a host or IP address to a different storage will result in data loss.

Authentication

Select AWS STS Assume Role with IAM Role Policy.

For more information on this role, refer to the following links:

Credentials

Add the credentials and other details required to access the cloud storage space.

Credentials must not contain blank spaces or other special characters. For instructions about creating a credential, see Adding a Credential to Credential Vault.

Credential name

Enter a name for the credential.

Role ARN

Name of the ARN role.

External ID

Enter the external ID used in the trust relationship.

For more information, see How to use an external ID when granting access to your AWS resources to a third party.

Bucket

Click the Detect button to detect an existing bucket.

Sometimes, existing bucket list may not get populated while detecting the buckets, as some vendors may not support this operation, or if there are no permissions to complete the operation. In such cases, type the name of the existing bucket that you want to use. The system will automatically use the existing bucket if it is available.

The following permissions must be enabled for the bucket:

Sample json file with these permissions.

"s3:CreateBucket",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions",
"s3:PutBucketObjectLockConfiguration"
  • The CreateBucket permission is required only when the bucket must be created by the MediaAgent while configuring the cloud storage. (This permission can be skipped if an existing bucket is used for configuring the cloud storage.)

  • The ListAllMyBuckets permissions request is required for the Detect button to work.

  • For a bucket with versioning enabled, the user must have DeleteObjectVersion and ListBucketVersions permissions to delete a versioned objects when a pruning request is sent to delete the objects.

    To recall data from Amazon Glacier Glacier/Deep Archive or Combined Tier Storage Classes, make sure that the user associated with the bucket has the RestoreObject permission. For more information on POST Object restore, see https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOSTrestore.html.

Use Combined Tier

Enable the option to use a combine storage tier, with S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, or S3 Glacier Deep Archive Storage Classes.

This option will be enabled when S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, or S3 Glacier Deep Archive Storage Class is selected.

Combined Storage Class

The following combined Storage options are available for the Glacier Flexible and Glacier Deep Archive storage classes:

  • Intelligent Tiering

  • One Zone - Infrequent Access

  • Standard

  • Standard- Infrequent Access

Loading...