Bucket Replication Requirements
This page documents all requirements of bucket replication configurations, including:
Ensure you meet the following prerequisites before you set up any of these replication configurations.
Permissions Required for Setting Up Bucket Replication
Bucket replication requires specific permissions on the source and destination deployments to configure and enable replication rules.
Replication Admin
The following policy provides permissions for configuring and enabling replication on a deployment:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "admin:SetBucketTarget",
        "admin:GetBucketTarget"
      ],
      "Effect": "Allow",
      "Sid": "EnableRemoteBucketConfiguration"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold",
        "s3:PutReplicationConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": "EnableReplicationRuleConfiguration"
    }
  ]
}
- The "EnableRemoteBucketConfiguration" statement grants permission for creating a remote target for supporting replication.
- The "EnableReplicationRuleConfiguration" statement grants permission for creating replication rules on a bucket. The "arn:aws:s3:::*" resource applies the replication permissions to any bucket on the source deployment. You can restrict the user policy to specific buckets as needed.
The following code creates a user with the necessary policy. Replace TARGET with the alias of the AIStor deployment on which you are configuring replication:
wget -O - https://min.io/docs/minio/linux/examples/ReplicationAdminPolicy.json | \
mc admin policy create TARGET ReplicationAdminPolicy /dev/stdin
mc admin user add TARGET ReplicationAdmin LongRandomSecretKey
mc admin policy attach TARGET ReplicationAdminPolicy --user=ReplicationAdmin
Replication Remote User
The following policy provides permissions for enabling synchronization of replicated data into the deployment:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": "EnableReplicationOnBucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ReplicateTags",
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionTagging",
        "s3:PutObject",
        "s3:PutObjectRetention",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutObjectLegalHold",
        "s3:DeleteObject",
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": "EnableReplicatingDataIntoBucket"
    }
  ]
}
- The "EnableReplicationOnBucket" statement grants permission for a remote target to retrieve bucket-level configuration for supporting replication operations on all buckets in the AIStor deployment. To restrict the policy to specific buckets, specify those buckets as an element in the Resource array similar to "arn:aws:s3:::bucketName".
- The "EnableReplicatingDataIntoBucket" statement grants permission for a remote target to synchronize data into any bucket in the AIStor deployment. To restrict the policy to specific buckets, specify those buckets as an element in the Resource array similar to "arn:aws:s3:::bucketName/*".
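The two bullets above prescribe different ARN forms when narrowing the remote-user policy from "arn:aws:s3:::*" to named buckets (a bucket-level ARN for the configuration statement, an object-level "bucket/*" ARN for the data statement). The following added example, not part of the AIStor documentation or the mc tool, applies that rule to a policy document and reports which statements still grant access to every bucket; the policy literal below is a constructed, abbreviated copy of the Replication Remote User policy.

```python
import copy
import json

# Sid -> ARN form this page prescribes when restricting the statement to named buckets.
# Statements whose Sid is not listed here (e.g. the admin policy's) are left untouched.
ARN_FORM = {
    "EnableReplicationOnBucket": "arn:aws:s3:::{bucket}",
    "EnableReplicatingDataIntoBucket": "arn:aws:s3:::{bucket}/*",
}


def scope_policy_to_buckets(policy: dict, buckets: list) -> dict:
    """Return a copy of the policy with wildcard Resource entries narrowed to the given buckets."""
    scoped = copy.deepcopy(policy)  # never mutate the caller's document
    for stmt in scoped["Statement"]:
        form = ARN_FORM.get(stmt.get("Sid"))
        if form is None:
            continue
        stmt["Resource"] = [form.format(bucket=b) for b in buckets]
    return scoped


def wildcard_statements(policy: dict) -> list:
    """List the Sids of statements that still apply to every bucket (arn:aws:s3:::*)."""
    return [s.get("Sid") for s in policy["Statement"]
            if "arn:aws:s3:::*" in s.get("Resource", [])]


# Constructed sample: the Replication Remote User policy with shortened Action lists.
REMOTE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Sid": "EnableReplicationOnBucket",
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket", "s3:GetBucketVersioning"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow", "Sid": "EnableReplicatingDataIntoBucket",
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::*"]},
    ],
}

if __name__ == "__main__":
    narrowed = scope_policy_to_buckets(REMOTE_USER_POLICY, ["photos", "invoices"])
    print(json.dumps(narrowed, indent=2))
    print("statements still using the wildcard:", wildcard_statements(narrowed))
```

The narrowed document can be fed to mc admin policy create in place of the downloaded JSON.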
The following code creates a user with the necessary policy. Replace TARGET with the alias of the AIStor deployment on which you are configuring replication:
wget -O - https://min.io/docs/minio/linux/examples/ReplicationRemoteUserPolicy.json | \
mc admin policy create TARGET ReplicationRemoteUserPolicy /dev/stdin
mc admin user add TARGET ReplicationRemoteUser LongRandomSecretKey
mc admin policy attach TARGET ReplicationRemoteUserPolicy --user=ReplicationRemoteUser
Matching Object Encryption Settings for Bucket Replication
AIStor supports replication of objects encrypted using SSE-KMS and SSE-S3:
- For objects encrypted using SSE-KMS, AIStor requires that the target bucket support SSE-KMS encryption of objects using the same key names used to encrypt objects on the source bucket.
- For objects encrypted using SSE-S3, AIStor requires that the target bucket also support SSE-S3 encryption of objects regardless of key name.
As part of the replication process, AIStor decrypts the object on the source bucket and transmits the unencrypted object over the network. The destination AIStor deployment then re-encrypts the object using the encryption settings from the target. AIStor therefore strongly recommends enabling TLS on both source and destination deployments to ensure the safety of objects during transmission.
AIStor does not support replicating client-side encrypted objects (SSE-C).
Bucket Replication Requires AIStor Deployments
AIStor server-side replication only works between AIStor deployments. Both the source and destination deployments must run Object Store with matching versions.
To configure replication between arbitrary S3-compatible services, use mc mirror.
Replication Requires Versioning
AIStor relies on the immutability protections provided by versioning to support replication and resynchronization.
Use mc version info to validate the versioning status of both the source and remote buckets. Use the mc version enable command to enable versioning as necessary.
If you exclude a prefix or folder from versioning within the source bucket, AIStor cannot replicate objects within that folder or prefix.
Matching Object Locking State With Bucket Replication
AIStor supports replicating objects held under WORM Locking. Both replication buckets must have object locking enabled for AIStor to replicate the locked object. For active-active configuration, AIStor recommends using the same retention rules on both buckets to ensure consistent behavior across sites.
You must enable object locking during bucket creation as per S3 behavior. You can then configure object retention rules at any time. Configure the necessary rules on the unhealthy target bucket prior to beginning this procedure.
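The encryption, versioning and object-locking requirements in the sections above are easy to miss when checked by hand across two deployments. The following added example, not part of the AIStor documentation, encodes those requirements as a pre-flight check over constructed bucket descriptions (the BucketState fields are assumptions standing in for what mc version info and the bucket's encryption and lock configuration report).

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BucketState:
    """Constructed summary of one bucket's replication-relevant settings (not mc output)."""
    versioning: bool
    object_lock: bool
    sse_mode: Optional[str] = None          # "SSE-KMS", "SSE-S3", "SSE-C" or None
    kms_key: Optional[str] = None           # key name used for SSE-KMS
    excluded_prefixes: List[str] = field(default_factory=list)  # prefixes excluded from versioning


def replication_problems(source: BucketState, target: BucketState, prefix: str = "") -> List[str]:
    """Return the requirements from this page that the source/target pair violates; [] means OK."""
    problems = []
    if not (source.versioning and target.versioning):
        problems.append("versioning must be enabled on both the source and target bucket")
    for excluded in source.excluded_prefixes:
        if prefix.startswith(excluded):
            problems.append(f"prefix '{prefix}' is excluded from versioning on the source and cannot replicate")
    if source.object_lock and not target.object_lock:
        problems.append("object locking must be enabled on both buckets to replicate locked objects")
    if source.sse_mode == "SSE-C":
        problems.append("client-side encrypted (SSE-C) objects are not replicated")
    elif source.sse_mode == "SSE-KMS":
        if target.sse_mode != "SSE-KMS" or target.kms_key != source.kms_key:
            problems.append(f"target must support SSE-KMS with the same key name '{source.kms_key}'")
    elif source.sse_mode == "SSE-S3" and target.sse_mode != "SSE-S3":
        problems.append("target must support SSE-S3 encryption")
    return problems


# Constructed sample states for a locked, SSE-KMS source and two candidate targets.
SOURCE = BucketState(versioning=True, object_lock=True, sse_mode="SSE-KMS",
                     kms_key="replication-key", excluded_prefixes=["tmp/"])
GOOD_TARGET = BucketState(versioning=True, object_lock=True, sse_mode="SSE-KMS", kms_key="replication-key")
BAD_TARGET = BucketState(versioning=False, object_lock=False, sse_mode="SSE-KMS", kms_key="other-key")

if __name__ == "__main__":
    for name, target in (("good", GOOD_TARGET), ("bad", BAD_TARGET)):
        print(name, replication_problems(SOURCE, target) or "ready for replication")
```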