S3 Asynchronous Replication with Active-Directory Users and Identity Policy

  • Updated on Jan 24, 2026
  • 4 minute(s) read
Prev Next

ℹ️ Info

This document is intended to provide clear instructions for configuring Asynchronous S3 replication using Active Directory and identity policies.
The steps listed in this procedure have been tested on VAST 5.2 and above.

Create an Identity Policy

  • Log in to the VAST UI.

  • Go to User Management.

  • Click on Identity Policy.

  • Click on Create Policy, type a name for the new policy, and set the policy definition. The policy definition can be done using the Action and Resource drop-down menu or by using the JSON code box.

You can use the example below of JSON code to set the policy.

The image displays an interface for creating and configure AWS S3 policy settings, where users can define permissions interactively by selecting actions and resources to allow or deny access.

Sample JSON code policy

 

JSON policy definition example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}

ℹ️ Info

NOTE - The identity policy is automatically replicated to the DR(remote) cluster, but in Disabled mode, please manually enable it.

 

Configure Active Directory

  • Log in to VAST UI.

  • Go to User Management.

  • Go to the Active Directory tab.

  • Click on the Create Active Directory button.

  • Fill all required fields with your Active Directory details.

The image showcases the configuration interface for setting up Active Directory on an application, including fields such as domain name, machine account name, organizational unit, port number, and bind DN. The attribute mapping section allows users to customize how attributes map between the directory and the system.

Active Directory details

  • Click on Create.

  • Wait for the newly created Active Directory status to change to Connected.

  • Right-click on the Active Directory and choose Join.

  • Fill in the user and password and click Join.

The image displays an interface for joining Active Directory with the domain "vasteng.lab," where users need to input their admin username and password to complete the join process.

Join Active Directory

 

Configure Active Directory user on VAST Cluster

  • Go to the Users tab.

  • Click on the query button in the upper right corner of the screen.

The user management screen displays local users with columns including Name, Login Name, UID, SID, and permissions such as creating buckets and deleting buckets, indicated by green checkmarks throughout their entries. A

Slect query button

  • Enter a username and click the Query button.

The image shows a query user interface where users can input details such as a username, login name, and context to perform a tenant-specific search operation. The interface also includes options like 'UID', 'SID', 'Context' (set to 'Aggregated'), and 'Tenant' (defaulted to 'default').

Query user

  • The windows will be closed, and the user's view will change to display the selected Active Directory user.

 Enable S3 Bucket Replication.

Production Cluster

  • From the VAST UI, go to Settings.

  • Click on S3 and Enable the Bucket Replication.

The screenshot displays the S3 configuration settings in a cloud management interface, where options such as enabling HTTP and HTTPS protocols, CORS (Cross-Origin Resource Sharing), and bucket replication can be turned on or off according to security requirements. Additionally, it highlights that S3 Signature V2 is less secure than V4 and should only be used if necessary.

Enable the Bucket Replication

 

ℹ️ Info

You will be prompted to enable the replication. Note that this option is not reversible.

 

ab1aeb68-97d4-4e12-a23c-e2f7548747fb.png

Confirm enable bucket replication

 

Create a Replication Peer

  • From the VAST UI, go to Data Protection.

  • Replication Peers, then click the Create Peer button.

  • Name the new peer and provide the Remote VIP address, choose the Local IP Pool to use, and click on Create.

00f07bfc-3d7d-4a23-ac8f-0c7d2ba02659.png

Add a native replication peer

  • Wait a few moments and verify that the peer is connected before moving on.

166e2163-218e-4eec-9ccb-10147212a272.png

Verify peer connection

 

Set Keys for Active Directory User

  • Right-click the user, then click Edit.

  • Choose the Identity Policy to use.

  • Choose the Bucket permissions (Allow create, Allow Delete).

  • Click on the Create keys.

ℹ️ Info

Save the newly generated access and secret keys in a secure location (e.g., a password manager or secrets vault).

c447f1a2-6144-46c8-94cb-b9f59735e80a.png

User details

  • Click Update to complete the operation.

ℹ️ Info

NOTE - The keys will be migrated to the remote (DR) cluster; no additional actions are required.

Enable  Identity Policy on the Remote Cluster

  • Log on to the remote cluster web UI

  • Go to User Management

  • Go to  Identity Policies

  • Find the policy you selected on the local cluster and right-click on it

  • Click Enable  to complete the operation

Initiate FailOver

  • To initiate FailOver, go to the UI of the remote (DR) cluster.

  • Go to Data Protection.

  • Go to Protected Paths.

  • Right-click on the newly created protected path and select:
    Replication => Modify Replication State.

672c4027-28da-4b0f-97d3-f6e063e3ce60.png

Modify Replication State

  • Select FailOver based on your preference.

  • Stand-alone: Any updates done afterwards at <your path name> on <your “local” cluster> are not available at <your “remote” cluster>.

  • Source: The configured replication interval is x. The estimated Read-Only time is xxx. To reduce the Read-Only time, you may reduce the replication interval.

  • Click on the FailOver button.

d0b71269-0211-4eea-bed2-47e53d1e3899.png

Initiate failove

  • Click Yes on the confirmation box.

6246fe1e-e0d1-4cb5-b83e-3c6d47b21cf5.png

Confirm initiation of failover

 

  • Monitor the Role of the protected path and wait until it changes from Destination to Source.

678b0afc-ebb5-45a6-9e1f-67ec4fa0e6c4.png

Monitor failover

  • Once the failover is completed, the operation is done.

ℹ️ Info

The remote (DR) bucket is always in ReadOnly mode, and attempting to write to it will issue “(AccessDenied) when calling the PutObject operation: Access Denied” Error message

ℹ️ Info

Note that FailOver and FailBack are always performed from the “Remote/DR” cluster.

 

Client Configuration Notes

ℹ️ Info

Although the above procedure covers the system behavior, client adjustments are required for operational continuity. Follow the baseline instructions below for configuring the client.

 

Given that our production cluster is accessible via the DNS name s3.prod.vast.local and our bucket is prod-bucket, and that the remote (DR) cluster is accessible via s3.dr.vast.local, assuming we've already configured prod-bucket to be included in our protected-path (or simply created it under the protected endpoint), all we need to do to establish continuity is to point our application to the new (active) system by updating the S3 endpoint.

Example (Python with Boto3):

Before (Production):

import boto3
# Connect to production S3 cluster
s3_client = boto3.client(
    's3',
    endpoint_url='http://s3.prod.vast.local',
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY'
)
# Verify bucket access by listing objects
response = s3_client.list_objects_v2(Bucket='prod-bucket')
for item in response.get('Contents', []):
    print(f"Object found: {item['Key']}")

After Failover (DR cluster becomes active):

import boto3
# Connect to the DR S3 cluster
s3_client = boto3.client(
    's3',
    endpoint_url='http://s3.dr.vast.local',  # Update only this line
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY'
)
# Verify bucket access by listing objects
response = s3_client.list_objects_v2(Bucket='prod-bucket')
for item in response.get('Contents', []):
    print(f"Object found: {item['Key']}")

 

Related articles