S3 Synchronous Replication with Active-Directory Users and Bucket Policy


ℹ️ Info

This document is intended to provide clear instructions for configuring synchronous S3 replication using Active-Directory users and Bucket policies.
The steps listed in this procedure have been tested on VAST Cluster 5.2.

Create a Bucket Policy

 Important notes:

  • Policy create/attach/delete can be performed only using a third-party tool such as aws-cli.

  • Only the bucket owner can attach or modify bucket policies.

  • Supported starting from VAST Cluster version 5.2.

 

Bucket policies can only be managed from the CLI. First, log in to a machine with access to the S3 endpoint and create a JSON file with the desired policy. The example below is a policy template that allows all actions on a specific bucket and its subdirectories; review the bucket policy wiki or the AWS documentation for more details on policy permutations and tuning.

Policy JSON (allow-all-s3.json):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-all-s3",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::managed-by-b-policy",
        "arn:aws:s3:::managed-by-b-policy/*"
      ]
    }
  ]
}
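Before running put-bucket-policy it is worth checking the JSON for the two mistakes that are easy to make when copying this template: Resource ARNs that still name a different bucket than the one the policy is being attached to, and the Principal "*" plus s3:* combination, which grants every caller full access to the bucket. The checker below is an added example (not part of this page or of VAST's tooling); it embeds the template above as sample input and uses only the Python standard library.

```python
import json

# The allow-all template from this page, embedded here as sample input.
ALLOW_ALL_S3 = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-all-s3",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::managed-by-b-policy",
        "arn:aws:s3:::managed-by-b-policy/*"
      ]
    }
  ]
}"""


def _as_list(value):
    """Policy fields may be a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy_text, bucket):
    """Parse a bucket-policy JSON document and return a list of findings.

    An empty list means: Version is the expected one, every Resource ARN
    targets `bucket`, each statement covers both the bucket and its objects
    (what this page's template intends), and no Allow statement grants s3:*
    to the wildcard principal.
    """
    policy = json.loads(policy_text)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for arn in resources:
            # Any ARN that is neither the bucket nor a path below it is a copy-paste leftover.
            if arn != bucket_arn and not arn.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: Resource {arn} is not bucket {bucket}")
        if bucket_arn not in resources or bucket_arn + "/*" not in resources:
            findings.append(f"{sid}: Resource must list both {bucket_arn} and {bucket_arn}/*")
        if (stmt.get("Effect") == "Allow"
                and stmt.get("Principal") == "*"
                and "s3:*" in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: Allow s3:* to Principal * grants every caller full access")
    return findings
```

Run the checker against the file you are about to pass to put-bucket-policy; the wildcard finding is expected for this template and tells you the policy should be scoped down once the intended Active Directory users are known.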


Attach Policy to Bucket

  • Use the command below to attach the policy in the JSON file (allow-all-s3.json) to the managed-by-b-policy bucket.

aws s3api put-bucket-policy \
  --bucket managed-by-b-policy \
  --policy file://allow-all-s3.json \
  --endpoint-url http://172.27.115.1

  • You can (and should) validate the attachment by running the command below.

aws s3api get-bucket-policy \
  --bucket managed-by-b-policy \
  --endpoint-url http://172.27.115.1

 


Enable S3 Bucket replication

This action needs to be done on both clusters.

  • From the VAST UI, go to Settings.

  • Click on S3 and Enable the Bucket Replication.

Enable the Bucket Replication


ℹ️ Info

You will be prompted to enable the replication. Note that this option is not reversible.

 

Confirm Enable the Bucket Replication


Configure Active-Directory

  • Log in to VAST UI.

  • Go to User Management.

  • Go to the Active Directory tab.

  • Click on the Create Active Directory button.

  • Fill all required fields with your Active Directory details.

Create Active Directory

  • Click on Create.

  • Wait for the newly created Active Directory status to change to Connected.

  • Right-click on the Active Directory and choose Join.

  • Fill in the user and password and click Join.

Join Active Directory


Configure Active-Directory user on VAST Cluster

  • Go to the Users tab.

  • Click on the query button in the upper right corner of the screen.

Query user

  • Enter a username and click the Query button.

Enter user details for query

  • The window will close, and the Users view will change to display the selected Active Directory user.


Set keys for Active Directory User

  • Right-click on the user and click Edit.

  • Choose the Identity Policy to use.

  • Choose Bucket permissions (Allow create, Allow Delete).

  • Click on Create keys.

ℹ️ Info

Save the newly generated access and secret keys in a secure location (e.g., a password manager or secrets vault).

User details

  • That will look like the following.

Example of user details

  • Click Update to complete the operation.

ℹ️ Info

The keys will be migrated to the remote (DR) cluster; no additional action is required.

Set the Active-Directory User as the Bucket Owner

  • In the VAST UI, navigate to the Element Store and to the View menu.

Navigate to the Element Store and to the View menu

  • Right-click on the View you want to edit.

  • In the S3 section, add/set the Active Directory user.

Update View

  • Click “Update” to complete the operation.

  • Configure Protected Path.


Configure Protected Path

 

  • From the VAST UI, navigate to Data Protection.

  • Click on Protected Path.

  • Click on Create Protected Path and choose New Remote Protected Path.

New Remote Protected Path

  • Name the new protected path and fill the Path field.

  • Note that you can set the path to a specific bucket or to an endpoint. In this example, we’ve pointed to an endpoint, so every bucket created under this endpoint will be included in the replication.

Create a new protected path

  • Click Next.

  • Fill in the needed details for the remote site, as in the example below.

Fill in details for new Remote Protected Path

  • Click Add.

  • Set the connectivity timeout.

Add a connectivity timeout

  • Click Add.

  • Click Create to complete the operation.

Complete setup

  • Wait until the replication state becomes Active.

ℹ️ Info

At this point the replication is configured, and the bucket can be accessed on each cluster with the same keys.