mc ilm tier update
The mc ilm tier update command modifies an existing configured remote tier.
Syntax
Parameters
The command accepts the following arguments:
TARGET
Required
The alias of a configured AIStor deployment.
TIER_NAME
Required
The name of the remote tier the command modifies.
The value corresponds to the mc ilm tier add TIER_NAME specified when creating the remote tier.
--access-key
Optional
The access key for a user on the remote S3 or AIStor tier. The user must have permission to perform read/write/list/delete operations on the remote bucket or bucket prefix.
This option only applies to remote storage tiers where TIER_TYPE is s3 or minio.
This option has no effect for any other TIER_TYPE.
--secret-key
Optional
The secret key for a user on the remote s3 or minio tier.
This option only applies to remote storage tiers where TIER_TYPE is s3 or minio.
This option has no effect for any other TIER_TYPE.
--use-aws-role
Optional
Use the access permission for the locally configured AWS Role.
This option only applies if TIER_TYPE is s3 or minio.
This option has no effect for any other value of TIER_TYPE.
--account-key
Optional
The account key for a user on a remote Azure tier.
Required for Azure tier types.
Use this option to rotate the credentials for the --account-name associated with the remote tier.
This option only applies to remote storage tiers where TIER_TYPE is azure.
This option has no effect for any other type of login.
--az-sp-tenant-id
Optional
Directory ID for the Azure service principal account.
This option only applies to remote storage tiers where TIER_TYPE is azure.
This option has no effect for any other type of login.
--az-sp-client-id
Optional
Client ID of the Azure service principal account.
Requires --az-sp-client-secret.
This option only applies to remote storage tiers where TIER_TYPE is azure.
This option has no effect for any other type of login.
--az-sp-client-secret
Optional
The secret for the Azure service principal account.
Requires --az-sp-client-id.
This option only applies to remote storage tiers where TIER_TYPE is azure.
This option has no effect for any other type of login.
--credentials-file
Optional
Required for Google Cloud Storage tier types.
The credential file for a user on the remote GCS tier. The user must have permission to perform read/write/list/delete operations on the remote bucket or bucket prefix.
This option only applies to remote storage tiers where TIER_TYPE is gcs.
This option has no effect for any other type of login.
Global Flags
This command supports any of the global flags.
Examples
Rotate Credentials for an S3 Remote Tier
The following example updates the credentials for an S3 remote tier called S3TIER on the myminio deployment.
mc ilm tier update myminio S3TIER --access-key ACCESS_KEY --secret-key SECRET_KEY
- Replace S3TIER with the name for your Amazon Simple Storage Solution tier.
- Replace ACCESS_KEY with the updated access key for your S3 storage.
- Replace SECRET_KEY with the updated secret key for the access key provided.
Rotate Credentials for an Azure Blob Storage Remote Tier
The following example updates the credentials for an Azure remote tier called AZTIER on the myminio deployment.
mc ilm tier update myminio AZTIER --account-key ACCOUNT-KEY
- Replace AZTIER with the name for your Azure tier.
- Replace ACCOUNT-KEY with the updated key for your Azure storage.
Rotate Credentials for a Google Cloud Storage Remote Tier
The following example updates the credentials for a Google Cloud Storage remote tier called GCSTIER on the myminio deployment.
mc ilm tier update myminio GCSTIER --credentials-file /path/to/credentials.json
- Replace GCSTIER with the name for your Google Cloud Storage tier.
- Replace /path/to/credentials.json with the path of the updated credential file to use to access the remote storage.
Behavior
Supported S3 Services
mc ilm tier supports only the following S3-compatible services as a remote target for object tiering:
- AIStor
- Amazon S3
- Google Cloud Storage
- Azure Blob Storage
Required Permissions
AIStor requires the following permissions scoped to the bucket or buckets for which you are creating lifecycle management rules.
AIStor also requires the following administrative permissions on the cluster in which you are creating remote tiers for object transition lifecycle management rules:
For example, the following policy provides permission for configuring object transition lifecycle management rules on any bucket in the cluster:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "admin:SetTier",
                "admin:ListTier"
            ],
            "Effect": "Allow",
            "Sid": "EnableRemoteTierManagement"
        },
        {
            "Action": [
                "s3:PutLifecycleConfiguration",
                "s3:GetLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ],
            "Effect": "Allow",
            "Sid": "EnableLifecycleManagementRules"
        }
    ]
}
Transition Permissions
Object transition lifecycle management rules require additional permissions on the remote storage tier. Specifically, AIStor requires that the remote tier credentials provide read, write, list, and delete permissions.
For example, if the remote storage tier implements AWS IAM policy-based access control, the following policy provides the necessary permission for transitioning objects into and out of the remote tier:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MyDestinationBucket"
            ],
            "Sid": ""
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::MyDestinationBucket/*"
            ],
            "Sid": ""
        }
    ]
}
Modify the Resource for the bucket into which AIStor tiers objects.
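Before rotating tier credentials, it helps to confirm that the policy attached to the new key grants the list/read/write/delete set shown above on the tiering bucket and nothing broader. The following is an added example, not part of the AIStor documentation or tooling; audit_tier_policy is a hypothetical helper that reads only Allow statements and ignores Deny, Condition, NotAction and NotResource.

```python
import json
from fnmatch import fnmatchcase

# Grants from the page's transition policy, split by the resource they apply to.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _listify(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else [value]


def audit_tier_policy(policy_json, bucket):
    """Return (missing, excess) as sorted lists of (action, resource) pairs.

    missing: required grants that no Allow statement covers.
    excess:  Allow grants that are not exactly one of the required pairs.
    """
    arn = f"arn:aws:s3:::{bucket}"
    required = {(a, arn) for a in BUCKET_ACTIONS}
    required |= {(a, arn + "/*") for a in OBJECT_ACTIONS}
    granted = set()
    for stmt in _listify(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _listify(stmt.get("Action", [])):
            for resource in _listify(stmt.get("Resource", [])):
                granted.add((action, resource))

    def covers(grant, need):  # a wildcard grant can satisfy a requirement
        return fnmatchcase(need[0], grant[0]) and fnmatchcase(need[1], grant[1])

    missing = sorted(n for n in required if not any(covers(g, n) for g in granted))
    excess = sorted(g for g in granted if g not in required)
    return missing, excess


# The page's policy (condensed) and a constructed over-broad policy.
PAGE_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::MyDestinationBucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::MyDestinationBucket/*"]},
]})
BROAD_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]})

if __name__ == "__main__":
    print(audit_tier_policy(PAGE_POLICY, "MyDestinationBucket"))
    print(audit_tier_policy(BROAD_POLICY, "MyDestinationBucket"))
```

An empty missing list with a non-empty excess list means tiering will work but the key is over-privileged; a non-empty missing list means transitions or deletes on the remote tier can fail after rotation.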
Defer to the documentation for the supported tiering targets for more complete information on configuring users and permissions to support AIStor tiering:
- Amazon S3 Permissions
- Google Cloud Storage Access Control
- Authorizing access to data in Azure storage
S3 Compatibility
The mc command-line tool is built for compatibility with the AWS S3 API and is tested with AIStor and AWS S3 for expected functionality and behavior.
AIStor provides no guarantees for other S3-compatible services, as their S3 API implementation is unknown and therefore unsupported.
While mc commands may work as documented, any such usage is at your own risk.