S3 Synchronous Replication with Active-Directory Users and Identity Policy

ℹ️ Info

This document is intended to provide clear instructions for configuring synchronous S3 replication using Active-Directory users and identity policies.
The steps listed in this procedure have been tested on VAST 5.2 and above.

Enable S3 Bucket Replication

This action needs to be done on both clusters

• From the VAST UI, go to Settings.

• Click S3, then enable Bucket Replication.

ℹ️ Info

You will be prompted to enable the replication. Note that this option is not reversible.

Create an Identity Policy

• Log in to the VAST UI.

• Go to User Management.

• Click on Identity Policy.

• Click on Create Policy, type a name for the new policy, and set the policy definition. The policy definition can be done using the Action and Resource drop-down menu or by using the JSON code box.

You can use the JSON example below to set the policy.

JSON policy definition example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}

ℹ️ Info

NOTE - The identity policy is automatically replicated to the DR(remote) cluster, but in Disabled mode, please manually enable it.

Configure Active-Directory

• Log in to VAST UI.

• Go to User Management.

• Go to the Active Directory tab.

• Click on the Create Active Directory button.

• Fill all required fields with your Active Directory details.

• Click on Create.

• Wait for the newly created Active Directory status to change to Connected.

• Right-click on the Active Directory and choose Join.

• Fill in the user and password and click Join.
  

Configure Active-Directory User on VAST Cluster

• Go to the Users tab.

• Click on the query button in the upper right corner of the screen.

• Enter a username and click the Query button.

• The windows will be closed, and the user's view will change to display the selected Active Directory user.

 Set Keys for Active-Directory User

• Right-click on the user and click Edit.

• Choose the Identity Policy to use.

• Choose Bucket permissions (Allow create, Allow Delete).

• Click on the Create keys.

ℹ️ Info

Save the newly generated access and secret keys in a secure location (e.g., a password manager or secrets vault).

• That will look like the following.

• Click Update to complete the operation.

ℹ️ Info

NOTE: The keys will be migrated to the remote (DR) cluster; no additional actions are required.

Set the Active-Directory User as the Bucket Owner

• In the VAST UI, navigate to the Element Store and to the View menu.

• Right-click on the View you want to edit.

• In the S3 section, add/set the Active Directory user.
  

• Click “Update” to complete the operation.

• Configure Protected Path.

Configure Protected Path

• From the VAST UI, navigate to Data Protection.

• Click on Protected Path.

• Click on Create Protected Path and choose New Remote Protected Path.

• Name the new protected path and fill the Path field.

• Note that you can set the path to a specific bucket or to an endpoint. In this example, we’ve pointed to an endpoint, so every bucket created under this endpoint will be included in the replication.

• Click Next.

• Fill in the necessary details for the remote site, as shown in the example below.
  

• Click Add.

• Set the connectivity timeout.
  

• Click Add.

• Click Create to complete the operation.

• Wait until the replication state becomes Active.

ℹ️ Info

At the point the replication is configured and the bucket can be accessed on each cluster with the same keys.