Cloud Connections in StorageLink

Overview

A Cloud Connection defines the requisite setting needed for allowing a folder to connect to a cloud storage location.

In order to use a Cloud Connection, you will need to map it to a Folder. A Folder can be used as a logical mapping, similar to a mount point.

This includes the setting pertaining to the following cloud providers

AWS

S3 bucket name

Prefix or relative path with in that bucket

The region in which the bucket is located

Encryption type for the server side encryption on the bucket

Whether you want to use the EC2 instance profile or an AWS access key/secret

Here is an example of a Cloud Connection:

S3 Bucket: s3://bryce-sandbox

S3 Encryption Option: SSE-S3

Cloud Connection Credentials: Uses Instance Profile credentials

When creating a Cloud Connection to S3, you will need to fill out the following fields:

S3 URL:

Enter the S3 Bucket name. Remember to follow the standard S3 Bucket naming convention:

Has to be globally unique (cannot conflict with S3 buckets in other AWS accounts)

Lowercase letters (no uppercase allowed), numbers, and hyphens

Must have fewer than 63 characters

Only include the S3 bucket (i.e. don't include the folder path)

Region:

The AWS region in which the S3 Bucket is located. If left blank the region of the StorageLink server will be used.

S3 Encryption Option:

S3 objects are encrypted at the time of upload. The encryption method you define on the Cloud Connection will apply to all subsequently uploaded S3 objects.

SSE-S3: The S3 service manages encryption behind the scenes. S3 objects are encrypted at rest, and the S3 service automatically decrypts the object so long as you have read-access.

KMS: KMS encryption offers more security value, because KMS key permissions are decoupled from S3 access permissions.

No Encryption: Do not override encryption settings, so that objects are encrypted using the S3 bucket's default encryption setting.

Cloud Connection Credentials:

The Use instance profile credentials option leverages the IAM permissions on the EC2 instance. This is the recommended approach, because the access key credentials are handled transparently, and rotated for you automatically.

If you want to restrict S3 permissions on a per-user basis, select the Use unique credentials option. You can set AWS Access Key credentials on the Cloud Connection. And then each can have their own dedicated Cloud Connection.

For creating the unique credentials, refer to this documentation.

Azure

Storage Account Name

Blob Container

Relative path with in the Blob container

Connection String used to authenticate to the Storage Account

Blob storage environment (i.e. commercial endpoint versus GovCloud)

You may also use instance identity instead of a Connection String, see this article for Configuring instance identity.

Google

Bucket Name

Relative path following the Bucket

Service Account JSON Key File

First launch

AWS

Upon first launch of an AWS StorageLink server, there will already be a default S3 bucket (named swiftgw-i-ec2_instance_id) configured and no additional connection is required.

Azure

When you log into your StorageLink admin web UI, the first thing you see is a Configure Default Storage popup.

Click OK, and this will take you to a page titled Add Azure Cloud Connection.

Create a Blob Storage Container

If you don't already have a Blob Storage Container, take a moment to create one.

Note: Make sure the Container name is all lowercase, which is an Azure requirement.

Add Azure Cloud Connection

You will need to fill out the following form:

Connection Name: On first launch, leave this as the default, so you know it's the default Cloud Connection.

Cloud Connection Notes: This field is optional.

Container Resource URI: Get this URL fromStorage Account -> Container -> Properties -> Container URL

Cloud Connection Credentials: Change this to `Use unique credentials`

Connection String: Get this from Storage Account -> Access keys -> Connection String

Google

When you log into your StorageLink VM, the first thing you see is a Configure Default Storage popup.

Click OK, and this will take you to a page titled Add Google Cloud Connection.

Create a Cloud Storage Container

If you don't already have a Cloud Storage Container, take a moment to create one.

Note: Make sure the Container name is in all lowercase and try to make it unique, as they are Google Cloud requirements.

Add Google Cloud Connection

You will need to fill out the following form:

Connection Name: On first launch, leave this as the default, so you know it's the default Cloud Connection.

Cloud Connection Notes: This field is optional.

Bucket Name: Get this from Cloud Storage.

Cloud Connection Credentials:

Attached Service Account: Uses the Storage API to gain access to your Google Cloud Bucket. Check out this article for configuring an Attached Service Account.

Service Account JSON Key File: Get this fromIAM & Admin -> Service Accounts -> Service Account Name -> Keys or check out this article for creating the JSON Key File.

Test Connection

When you have configured all the fields, click Test Connection.

If all goes well, you should see 3 green checkmarks.

Otherwise, check your settings and get this step working before proceeding.

If you are stuck, you can reach out to us at support@thorntech.com.