
Adding/Modifying/Deleting a bucket to InfinStor

Concepts

InfinStor maintains a table of buckets. A bucket known to InfinStor may be used for InfinSnap/InfinSlice or for MLflow artifact storage. The table holds the access information for each bucket: either an access key ID and secret access key, or a role ARN and role external ID.

REST API

InfinStor provides an API for managing entries in this buckets table.

add-mod-del-bucket

URL: https://your_service_server/add-mod-del-bucket

Method: POST

Data:

  • op: required. Must be add, modify or delete
  • bucketname: required for the add operation
  • cloud: required for the add operation. Must be aws, azure, minio or other
  • endpoint: optional
  • sharedSecret: optional. Used by MinIO storage to send InfinSnap events from MinIO to the InfinStor object_store_event lambda
  • accessKeyId: optional
  • secretAccessKey: optional
  • accessRole: optional
  • accessRoleExt: optional

Notes:

Calls to the API must be authenticated. Only the administrator for the service has permissions to make this call.

Example 1:

In this example, a new buckets table entry is created for the bucket named testb3. This bucket uses the default endpoint and has an access role called aaaa with external ID bbbb. The following is the data sent in the POST call:

op=add&bucketname=testb3&endpoint=&accessKeyId=&secretAccessKey=&accessRole=aaaa&accessRoleExt=bbbb

Here are some hints if the bucket testb3 belongs to another AWS account.

The bucket must have CORS enabled

Go to the bucket, click on permissions, scroll down to the CORS section and add a policy that might look like:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3600
    }
]

Role Details

The role shown as aaaa in the example above is a role ARN. The role must have a permissions policy that enables access to the bucket testb3. For example, the following policy would work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::testb3"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::testb3/*"
            ]
        }
    ]
}
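
A check that can be run before registering a role with op=add: it compares a role's permissions policy with the example policy above and reports any Allow statement that grants more. This is an added example, not InfinStor code; the name audit_bucket_policy and the BROAD sample policy are constructed for illustration, and the check assumes exact ARN strings (it does not evaluate wildcards or conditions).

```python
# Actions granted by the example policy above, lowercased because IAM action
# names are case-insensitive.
BUCKET_ACTIONS = {"s3:listbucket"}
OBJECT_ACTIONS = {"s3:putobject", "s3:getobject", "s3:deleteobject"}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_bucket_policy(policy, bucket):
    """Return findings for Allow statements broader than the example policy."""
    arn = f"arn:aws:s3:::{bucket}"
    expected = {arn: BUCKET_ACTIONS, f"{arn}/*": OBJECT_ACTIONS}
    findings = []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource in an Allow")
            continue
        resources = _as_list(stmt.get("Resource"))
        in_scope = [r for r in resources if r in expected]
        findings.extend(f"statement {i}: resource {r} is outside {bucket}"
                        for r in resources if r not in expected)
        # Actions permitted across the in-scope resources of this statement.
        permitted = set().union(*(expected[r] for r in in_scope))
        for action in _as_list(stmt.get("Action")):
            if in_scope and action.lower() not in permitted:
                findings.append(f"statement {i}: action {action} exceeds the example policy")
    return findings


# Constructed sample: an over-broad variant of the policy above.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::testb3"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::*/*"]},
]}

if __name__ == "__main__":
    for finding in audit_bucket_policy(BROAD, "testb3"):
        print(finding)
```

An empty result means every Allow statement stays within the example policy's actions and the testb3 ARNs.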

Example 2:

In this example, an existing buckets table entry is modified for the bucket named testb3. A non-default endpoint, https://minio.isstage1.bb.com/, is specified in this call. Note that the endpoint URL is URL-encoded.

op=modify&bucketname=testb3&endpoint=https%3A%2F%2Fminio.isstage1.bb.com%2F

Example 3:

In this example, an existing buckets table entry for the bucket named testb3 is deleted:

op=delete&bucketname=testb3

Example 4:

In this example, an existing buckets table entry for the bucket named testb3 is converted from role-based access to secret-access-key-based access:

op=add&bucketname=testb3&endpoint=&accessKeyId=iiii&secretAccessKey=ssss&accessRole=&accessRoleExt=