Creating an Object Lock enabled bucket
You can create an S3 bucket on ECS with Object Lock enabled by using one of many utilities. You cannot use the ECS management UI to create a bucket with Object Lock or enable Object Lock on an existing bucket.
Install and configure the AWS CLI, and then create the Object Lock enabled bucket.
To install the AWS CLI on your Windows, Mac, or Linux client, see the following AWS documentation: Installing or updating the latest version of the AWS CLI.
Create an AWS CLI local profile, which allows you to specify the access key ID and secret that you will use. This example creates the local AWS CLI user iamuser1:
To create a bucket with the Object Lock feature enabled, run the following command:
To check that the bucket has been created with Object Lock enabled, run this command:
You cannot use the AWS CLI to create a bucket in a namespace that has ADO (Access During Outage) enabled. Therefore, if you try to create a bucket with Object Lock enabled using an access key that belongs to an ECS namespace with ADO enabled, you will get the following error:
The s3curl tool is a wrapper around curl that allows the Amazon S3 API to interact with ECS (create buckets; write, read, or delete objects; and so on). To use s3curl with ECS and its x-emc headers, minor modifications must be made to the s3curl Perl script. You can obtain the modified, ECS-specific version of s3curl from the ECS GitHub repository.
S3curl uses a configuration file .s3curl to hold account details.
[paul@hop-paul-01 ~]$ cat .s3curl
%awsSecretAccessKeys = (
    imm => {
        id => 'AKIA97F3278B845636D4',
        key => 'rf3WC4p/DffmPfBLFzbCHHYEFLHYB2hTnVMBjorl',
    },
    imm2 => {
        id => 'AKIAC7E5184C46EF06F4',
        key => 'mbu6D3UyFn6rr7goYUd6ggb+9xENaFuKwtYf7SMf',
    },
    s3user1 => {
        id => 's3user1',
        key => 'rFl+cbHfB4tIhp3NGGEs+VIXamxRntXEVWEveLMF',
    },
    imm3 => {
        id => 'AKIAD5A20788B1CF3A06',
        key => 'ReeUkKlx5FtvRVOBmtsWRfHwkGyIO58yI2Jpml8x',
    },
    imm4 => {
        id => 'AKIAD5A20788B1CF3A06',
        key => 'fiivRGdSw5hzTmT5gtWumpzUCY0jFQnHcWqhN+vF',
    },
    netbu => {
        id => 'AKIAB56E2670552958AA',
        key => 'KVSMMrBlVHspgRGYzYc6jvDmZyYEYeVIGs4BL23M',
    },
);
@endpoints = ('10.246.27.230',);
Each of the imm => entries stores the access ID and the secret key that you will be using.
@endpoints=('…') is a list of HTTP endpoints that will be used.
Note: All user access accounts being used must be IAM based to use Object Lock functionality.
To create a bucket with Object Lock enabled, run the following command:
$ # create a bucket with object lock enabled
$ ./s3curl.pl --id=imm --createBucket -- http://10.246.22.151:9020/olbucketa -H "x-amz-bucket-object-lock-enabled: true" -H "x-emc-is-stale-allowed: false"
The use of -H "x-emc-is-stale-allowed: false" ensures that the bucket being created does not have ADO enabled even if it is the default setting for the namespace in which the IAM user has been created.
You can also enable Object Lock on a previously created bucket:
$ # First create the bucket
$ ./s3curl.pl --id=imm --createBucket -- http://10.246.22.151:9020/olbucketb -H "x-emc-is-stale-allowed: false"
$ # Now enable object lock on it
$ ./s3curl.pl --id=imm -- "http://10.246.22.151:9020/olbucketb?object-lock" -X PUT
$ # query the state of the bucket
$ ./s3curl.pl --id=imm -- "http://10.246.22.151:9020/olbucketb?object-lock"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ObjectLockConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <ObjectLockEnabled>Enabled</ObjectLockEnabled>
</ObjectLockConfiguration>
You can also set the retention mode and default retention period for a bucket. For example:
$ # set the Retention mode to GOVERNANCE and the default retention to 1 day
$ ./s3curl.pl --id=imm -- "http://10.246.22.151:9020/olbucketb?object-lock" -X PUT -d "<ObjectLockConfiguration><ObjectLockEnabled>Enabled</ObjectLockEnabled><Rule><DefaultRetention><Mode>GOVERNANCE</Mode><Days>1</Days></DefaultRetention></Rule></ObjectLockConfiguration>"
You can query for the bucket Object Lock status as follows:
$ # query the Object Lock status of the bucket
$ ./s3curl.pl --id=imm -- "http://10.246.22.151:9020/olbucketb?object-lock"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ObjectLockConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <ObjectLockEnabled>Enabled</ObjectLockEnabled>
  <Rule>
    <DefaultRetention>
      <Mode>GOVERNANCE</Mode>
      <Days>1</Days>
    </DefaultRetention>
  </Rule>
</ObjectLockConfiguration>
Note: Veeam Backup & Replication does not support the setting of the default retention mode or retention period on a bucket. You are only required to enable Object Lock on the bucket.
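Added example (not part of the original page and not Dell or Veeam code): a POSIX shell function that classifies the XML returned by the ?object-lock query above against the requirement in the preceding note, that is, Object Lock enabled with no bucket default retention rule. The function name check_object_lock and its output strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Dell/Veeam documentation.
# check_object_lock (hypothetical name) reads an ObjectLockConfiguration
# document on stdin, as returned by the "?object-lock" query, and prints:
#   ok                             enabled, no default retention rule
#   not-enabled                    Object Lock is not enabled on the bucket
#   default-retention:MODE:PERIOD  enabled, but a bucket default rule is set
# Exit status: 0, 1 and 2 respectively.
check_object_lock() {
    # Join lines and drop whitespace between tags so that pretty-printed
    # and single-line responses are handled the same way.
    xml=$(tr -d '\r\n' | sed 's/>[[:space:]]*</></g')

    # Anything without the Enabled marker (empty config, error body) fails.
    case $xml in
        *'<ObjectLockEnabled>Enabled</ObjectLockEnabled>'*) ;;
        *) echo 'not-enabled'; return 1 ;;
    esac

    # A DefaultRetention element means a bucket-level rule has been set,
    # which the note above says Veeam Backup & Replication does not support.
    case $xml in
        *'<DefaultRetention>'*)
            mode=$(printf '%s\n' "$xml" |
                sed -n 's:.*<Mode>\([A-Z]*\)</Mode>.*:\1:p')
            period=$(printf '%s\n' "$xml" | sed -n \
                -e 's:.*<\(Days\)>\([0-9]*\)</Days>.*:\2 \1:p' \
                -e 's:.*<\(Years\)>\([0-9]*\)</Years>.*:\2 \1:p')
            echo "default-retention:${mode:-unknown}:${period:-unknown}"
            return 2 ;;
    esac

    echo 'ok'
}

# Typical use against the bucket from the examples above:
#   ./s3curl.pl --id=imm -- "http://10.246.22.151:9020/olbucketb?object-lock" | check_object_lock
```
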
Postman is a commonly used UI-based utility that allows you to use S3 API methods. Postman is available for download at https://www.postman.com/downloads/.
You must create an account with Postman.
Using Postman, create a Postman Collection (to group your requests). Then create a request to create a bucket with Object Lock enabled and the x-emc-is-stale-allowed flag. These settings ensure that the bucket will not be created with ADO enabled (which would fail if the namespace had ADO enabled by default).
On the Authorization tab, include the IAM user key and secret:
You can get the Object Lock status of the bucket as follows:
You can set the default bucket retention mode and retention period. In this example, the Body section is used to pass the XML in the request:
View the object status of the bucket:
Note: Veeam Backup & Replication does not support setting the bucket retention mode or default retention period. Veeam Backup & Replication requires that the bucket only has Object Lock enabled.