Configure CTE COS S3
For CTE COS S3 to encrypt and decrypt transparently, every request it sends to the AWS S3 endpoint must be generated and signed with valid AWS credentials. CTE COS S3 can obtain those credentials in any of the following ways:
- The User Supplies the Credentials for the User's AWS Account

  The application can send the long-term credentials of the user's AWS account to CTE COS S3. These credentials do not expire.

  For the AWS CLI, the credentials are stored in the credentials file `~/.aws/credentials`. A user credential consists of an Access Key ID and a Secret Access Key. For details about retrieving the user's credentials, see your AWS documentation.

  To add the AWS credentials to CTE COS S3, use the `voradmin cos s3 cred add` command:

      voradmin cos s3 cred add [<aws_key_id> <aws_secret_key>]

  where:

  - `<aws_key_id>` is the AWS Access Key ID from the `~/.aws/credentials` file.
  - `<aws_secret_key>` is the AWS Secret Access Key from the same file.

  The key arguments are optional; voradmin prompts for any you omit, and entering them at the prompt keeps the secret key out of the shell history and process list.

  For example:

      voradmin cos s3 cred add AKIA****P KQSm****D
- The User Supplies Temporary Security Credentials

  You can use temporary security credentials, which expire after a short period of time. Temporary security credentials are usually obtained through IAM roles and other features of the AWS Security Token Service (STS).

  Use the `voradmin cos s3 cred add` command, described above, to add the temporary credential to CTE COS S3. Because these credentials expire, each newly issued credential must be added again unless CTE COS S3 captures it automatically, as described in the next method.
- CTE COS S3 Captures Temporary Credentials

  CTE COS S3 can capture a newly generated temporary security credential and add it to CTE COS S3 automatically, provided that the application requests the credential from the AWS Security Token Service with one of the following three actions and `HTTPS_PROXY` is set to `localhost:3128`, so that the STS request passes through CTE COS S3:

  - AssumeRole
  - AssumeRoleWithSAML
  - AssumeRoleWithWebIdentity

  No other action is required from the application or user.
- CTE COS S3 Retrieves Credentials from the EC2 Instance Metadata Service

  When CTE COS S3 is installed on an AWS EC2 instance with an attached IAM role, CTE COS S3 automatically retrieves the credential from the Instance Metadata Service and uses it. However, if CTE COS S3 already holds a valid credential supplied by the user or administrator through the `voradmin` command, that credential is used instead. For information about setting up an IAM role, see your AWS EC2 documentation.

  No action is required from the application or user.
Setting the Default Chunk Size
Note

If a chunk size is configured in the AWS CLI configuration (the `multipart_chunksize` setting), you must configure the same chunk size for CTE COS S3.

The default chunk size for multi-part uploads is 8 MB. To change the chunk size, use the following command:

    voradmin cos s3 chunk [<aws_key_id> <aws_secret_key>] [<chunk_size>]

where:

- `<aws_key_id>` is the AWS Access Key ID from the `~/.aws/credentials` file.
- `<aws_secret_key>` is the AWS Secret Access Key from the same file.
- `<chunk_size>` is the size of each chunk, in MB, for multi-part uploads. Enter an integer between 5 and 5120.

The voradmin command prompts for any of the optional parameters that you do not specify on the command line.

For example, to set a chunk size of 250 MB, you would enter:

    voradmin cos s3 chunk AKIA****P KQSm****D 250
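The following POSIX shell script is an added example, not part of the CTE COS S3 documentation or product. It ties the two procedures above together: it reads the Access Key ID and Secret Access Key for a profile out of an AWS-CLI-style `~/.aws/credentials` file, reads `multipart_chunksize` for the same profile out of an AWS-CLI-style `~/.aws/config` file, converts that value to whole MB, checks it against the 5 to 5120 range `voradmin cos s3 chunk` accepts, and builds the matching `voradmin` commands. The file layouts follow the AWS CLI conventions; the sample files, profile names and key values are constructed for the demo, and `voradmin` itself is never executed (the commands are returned as strings so the script runs on a host without the agent).

```shell
#!/bin/sh
# Added example; not part of the CTE COS S3 documentation or product.
# Builds "voradmin cos s3 cred add" / "voradmin cos s3 chunk" commands from
# AWS-CLI-style credentials and config files, enforcing the 5..5120 MB
# chunk range and the rule that the CTE chunk size must equal the CLI's.

# ini_field FILE SECTION KEY -> prints the value of KEY inside [SECTION].
# Accepts "key = value" and "key=value", skips comments, tolerates the
# indented "s3 =" sub-block the AWS CLI uses, stops at the next header.
ini_field() {
  awk -v section="$2" -v field="$3" '
    BEGIN { gsub(/[ \t]/, "", section) }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ {
      line = $0; gsub(/[ \t]/, "", line)
      in_section = (line == ("[" section "]")); next
    }
    in_section {
      n = index($0, "="); if (n == 0) next
      key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
      if (key != field) next
      val = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      print val; exit
    }' "$1"
}

# chunk_mb_from_cli VALUE -> prints an AWS CLI size ("250MB", "1GB", or a
# byte count) as a whole number of MB; returns 1 if it is not a whole MB.
chunk_mb_from_cli() {
  v=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  case "$v" in
    *KB) n=${v%KB}; mult=1024 ;;
    *MB) n=${v%MB}; mult=1048576 ;;
    *GB) n=${v%GB}; mult=1073741824 ;;
    *)   n=$v;      mult=1 ;;
  esac
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  bytes=$((n * mult))
  [ $((bytes % 1048576)) -eq 0 ] || return 1
  echo $((bytes / 1048576))
}

# chunk_mb_ok MB -> exit 0 when MB is an integer in the documented 5..5120 range.
chunk_mb_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 5 ] && [ "$1" -le 5120 ]
}

# cos_cred_add_cmd CREDENTIALS_FILE PROFILE -> prints the "cred add" command
# for PROFILE; returns 1 if either key is missing from the file.
cos_cred_add_cmd() {
  id=$(ini_field "$1" "$2" aws_access_key_id)
  secret=$(ini_field "$1" "$2" aws_secret_access_key)
  [ -n "$id" ] && [ -n "$secret" ] || return 1
  printf 'voradmin cos s3 cred add %s %s\n' "$id" "$secret"
}

# cos_chunk_cmd CONFIG_FILE PROFILE -> prints a "chunk" command whose size
# matches the CLI multipart_chunksize for PROFILE (8 MB, the CTE default, when
# the CLI sets none). Key arguments are omitted so voradmin prompts for them.
# Returns 1 when the CLI value is not a whole MB count in 5..5120, i.e. when
# CTE COS S3 cannot be configured to match and the CLI value must change.
cos_chunk_cmd() {
  case "$2" in default) sect=default ;; *) sect="profile $2" ;; esac
  raw=$(ini_field "$1" "$sect" multipart_chunksize)
  if [ -z "$raw" ]; then mb=8; else mb=$(chunk_mb_from_cli "$raw") || return 1; fi
  chunk_mb_ok "$mb" || return 1
  printf 'voradmin cos s3 chunk %s\n' "$mb"
}

# write_sample_files DIR -> constructed (not real) credentials and config
# files so the functions above can be exercised offline.
write_sample_files() {
  cat > "$1/credentials" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod]
aws_access_key_id=AKIAEXAMPLEPROD
aws_secret_access_key=abcdefghijklmnopqrstuvwxyz012345EXAMPLE
EOF
  cat > "$1/config" <<'EOF'
[default]
s3 =
    multipart_chunksize = 250MB

[profile prod]
s3 =
    multipart_chunksize = 4MB
EOF
}

main() {
  dir=$(mktemp -d); write_sample_files "$dir"
  cos_cred_add_cmd "$dir/credentials" default
  cos_chunk_cmd "$dir/config" default
  cos_chunk_cmd "$dir/config" prod || echo "prod: CLI chunk size cannot be matched (need 5..5120 MB)" >&2
  rm -rf "$dir"
}
main
```

In the sample, the `default` profile yields `voradmin cos s3 cred add AKIAEXAMPLEDEFAULT ...` and `voradmin cos s3 chunk 250`, while `prod` is rejected because its 4 MB CLI chunk size is below the 5 MB minimum, so the AWS CLI setting, not CTE COS S3, has to be corrected. When you run the generated `cred add` command for real, drop the key arguments and let `voradmin` prompt for them so the secret never lands in shell history.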
Optionally Support other 3rd Party S3 Compatible Storage
CTE COS S3 has a configuration file that lists all supported S3-compatible cloud storage providers. It is located at:
`<installation directory>/agent/squid/etc/cos.conf`
To support a new 3rd party S3-compatible storage provider:

- Add a new section to the configuration file with the provider's name and endpoint base URL. The following example adds Wasabi Cloud Storage:

      [wasabi]
      endpoint = wasabisys.com

- Restart the CTE COS service using the following commands:

      # voradmin cos service stop
      # voradmin cos service start

- Configure credentials and any other required items by following the guidelines for the 3rd party S3-compatible storage provider.
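The script below is an added example, not part of the CTE COS S3 documentation or product. It performs the first step above against a cos.conf-style file, but idempotently: a `[name]` / `endpoint = host` section is appended only if no section of that name exists yet, so a provisioning script can be re-run without duplicating entries, and the endpoint is read back to confirm the edit. The sample file content, the `[example]` section and the function names are constructed for the demo; the real cos.conf path and the service restart (`voradmin cos service stop` / `start`) are left to the operator.

```shell
#!/bin/sh
# Added example; not part of the CTE COS S3 documentation or product.
# Idempotently registers an S3-compatible provider in a cos.conf-style file.

# cos_has_section FILE NAME -> exit 0 when a "[NAME]" header is present.
cos_has_section() {
  grep -q "^[[:space:]]*\[$2\][[:space:]]*$" "$1" 2>/dev/null
}

# cos_add_provider FILE NAME ENDPOINT -> appends "[NAME]" and "endpoint = ENDPOINT".
# Returns 1 for a malformed name or endpoint, 2 if NAME already exists
# (file left untouched), 0 when the section was added.
cos_add_provider() {
  case "$2" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac   # keeps the grep pattern safe
  case "$3" in ''|*[[:space:]]*) return 1 ;; esac
  cos_has_section "$1" "$2" && return 2
  printf '\n[%s]\nendpoint = %s\n' "$2" "$3" >> "$1"
}

# cos_endpoint FILE NAME -> prints the endpoint recorded for NAME (empty if none).
cos_endpoint() {
  awk -v name="$2" '
    /^[ \t]*\[/ { hdr = $0; gsub(/[ \t]/, "", hdr); in_sect = (hdr == ("[" name "]")); next }
    in_sect && /^[ \t]*endpoint[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
  ' "$1"
}

# write_sample_cos_conf FILE -> constructed stand-in for the real cos.conf.
write_sample_cos_conf() {
  printf '[example]\nendpoint = s3.example.net\n' > "$1"
}

main() {
  f=$(mktemp); write_sample_cos_conf "$f"
  cos_add_provider "$f" wasabi wasabisys.com && echo "added wasabi -> $(cos_endpoint "$f" wasabi)"
  cos_add_provider "$f" wasabi wasabisys.com || echo "second add skipped with status $?"
  rm -f "$f"
}
main
```

After adding a provider this way, restart the service as described in the second step so CTE COS S3 reads the new section.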