Storage Authentication Information settings

In HULFT Cloud Storage Option Ver.8.5.1 or higher, you can use either individual settings or default settings for the object storage authentication information, depending on your actual operations.

Specify the individual settings or default settings of the authentication information in the Storage Authentication Information.

The settings for the Storage Authentication Information to configure the individual settings or default settings are shown below.

  • When configuring the individual settings

    You can configure the settings of the object storage authentication information for each transfer destination (individual settings) by registering values in the Storage Authentication Information in the Cloud Storage DB.

    If you specify Storage Authentication Information ID in the Receive Storage Management Information or the Send Storage Management Information, the individual settings information registered for the ID is used.

  • When configuring the default settings

    You can configure the settings that are used in common when the individual settings are not specified (default settings) by registering values in the default information for the Storage Authentication Information in the Cloud Storage DB.

    If you do not specify Storage Authentication Information ID in the Receive Storage Management Information or the Send Storage Management Information, the default settings information is used.

 

For the Storage Authentication Information and the default information, you can register only the necessary fields instead of registering all of the fields.

If you do not register a value in the Storage Authentication Information, the value registered in the default information is used.

If you do not register a default value, the value in the downward-compatible settings is used.

 

The transfer-related information that can be set to the Storage Authentication Information or the default information is shown below.

Table 2.21 Authentication information that can be set to Storage Authentication Information and default information (Amazon S3)

| Field Name | Whether It Can Be Omitted |
| --- | --- |
| Storage Authentication Information ID | (*1) |
| AWS Access Key | |
| AWS Secret Access Key | |
| Session Token | ✓ (*4) |
| Enable IAM Role | ✓ (*2) |
| Switch Role ARN | ✓ (*3) |
| External ID | ✓ (*3) |
| Role Session Name | ✓ (*3) |

✓: Optional
Blank: Mandatory

*1: In the default information, this field does not exist and cannot be set.
*2: You can set this field in HULFT Cloud Storage Option Ver.8.5.2 or higher.
*3: You can set this field in HULFT Cloud Storage Option Ver.8.5.4 or higher.
*4: You can set this field in HULFT Cloud Storage Option Ver.8.5.6 or higher.

 

Table 2.22 Authentication information that can be set to Storage Authentication Information and default information (Azure Blob Storage)

| Field Name | Whether It Can Be Omitted |
| --- | --- |
| Storage Authentication Information ID | (*1) |
| Azure Storage Account | |
| Azure Storage SAS Token | |
| Azure Storage Key | |
| Enable Managed ID | ✓ (*2) |

✓: Optional
Blank: Mandatory

*1: In the default information, this field does not exist and cannot be set.
*2: You can set this field in HULFT Cloud Storage Option Ver.8.5.6 or higher.

 

Table 2.23 Authentication information that can be set to Storage Authentication Information and default information (Google Cloud Storage)

| Field Name | Whether It Can Be Omitted |
| --- | --- |
| Storage Authentication Information ID | (*1) |
| Google Application Credentials File | |
| Enable Service Account | ✓ (*2) |

✓: Optional
Blank: Mandatory

*1: In the default information, this field does not exist and cannot be set.
*2: You can set this field in HULFT Cloud Storage Option Ver.8.5.6 or higher.

 

For details on the fields, refer to Utilities of HULFT Cloud Storage Option.

 

For Amazon S3, for details on how to get an access key, secret access key, and session token, refer to the respective documents provided by AWS.

When you set Enable IAM Role to "Enabled (ON)" for the Storage Authentication Information on the Cloud Storage DB, the IAM role (instance profile authentication information) set on Amazon EC2 is used. For details on the authentication information on Amazon EC2, refer to the respective documents provided by AWS.

 

For Azure Blob Storage, for details on how to get an account name and access key and how to create a SAS token, refer to the respective documents provided by Azure.

When you set Enable Managed ID to "Enabled (ON)" for the Storage Authentication Information on the Cloud Storage DB, the Azure Active Directory (Azure AD) authentication that uses the managed identity for the Azure resource is used. For details on Azure Active Directory (Azure AD) authentication, refer to the respective documents provided by Azure.

 

For Google Cloud Storage, for details on how to get the JSON file for Google Cloud Storage, refer to the respective documents.

When you set Enable Service Account to "Enabled (ON)" for the Storage Authentication Information on the Cloud Storage DB, the service account attached to the Google Compute Engine VM (GCE VM) is used for authentication. For details on authentication with a service account, refer to the respective documents provided by Google.

 

For usage examples of the utilities to configure the individual settings or default settings of authentication information, refer to the following:

 

Priority of use for setting values

When you use Amazon S3, authentication that uses an AWS access key and AWS secret access key is called "Authenticate IAM user".

If you set the values for "Authenticate IAM user" and also set Enable IAM Role to "Enabled", the values for "Authenticate IAM user" take priority and are used.

Authentication that uses an AWS access key, AWS secret access key, and session token is called "Temporary security credential authentication".

If you set the values for "Temporary security credential authentication", they take priority over "Authenticate IAM user".

The priority of the fields is shown in the table below.

Table 2.24 Priority of use for setting values (Amazon S3)

| Priority | Location of the Setting | Field |
| --- | --- | --- |
| 1 | Storage Authentication Information | AWS Access Key, AWS Secret Access Key, Session Token (*1) |
| 2 | Default information for the Storage Authentication Information | AWS Access Key, AWS Secret Access Key, Session Token (*1) |
| 3 | Environment variable | AWS Access Key, AWS Secret Access Key, Session Token (*1) |
| 4 | Storage Authentication Information | Enable IAM Role |
| 5 | Default information for the Storage Authentication Information | Enable IAM Role |

*1: Settings for the "Storage Authentication Information" and the "default information for the Storage Authentication Information"

 

When you use Azure Blob Storage, authentication that uses either an Azure storage SAS token or an Azure storage key is called "Shared Key authentication".

If you set the values for "Shared Key authentication" and also set Enable Managed ID to "Enabled", the values for "Shared Key authentication" take priority and are used.

If you specify both the Azure storage SAS token and the Azure storage key, the Azure storage SAS token takes priority over the Azure storage key, whether the SAS token is specified in the Storage Authentication Information, in the default information for the Storage Authentication Information, or in the environment variables.

The priority of the fields is shown in the table below.

Table 2.25 Priority of use for setting values (Azure Blob Storage)

| Priority | Location of the Setting | Field |
| --- | --- | --- |
| 1 | Storage Authentication Information | Azure Storage SAS Token |
| 2 | Default information for the Storage Authentication Information | Azure Storage SAS Token |
| 3 | Environment variable | Azure Storage SAS Token |
| 4 | Storage Authentication Information | Azure Storage Key |
| 5 | Default information for the Storage Authentication Information | Azure Storage Key |
| 6 | Environment variable | Azure Storage Key |
| 7 | Storage Authentication Information | Enable Managed ID |
| 8 | Default information for the Storage Authentication Information | Enable Managed ID |

 

When you use Google Cloud Storage, if you configure the Google Application Credentials file and also set Enable Service Account to "Enabled", the Google Application Credentials file takes priority and is used.

Table 2.26 Priority of use for setting values (Google Cloud Storage)

| Priority | Location of the Setting | Field |
| --- | --- | --- |
| 1 | Storage Authentication Information | Google Application Credentials File |
| 2 | Default information for the Storage Authentication Information | Google Application Credentials File |
| 3 | Environment variable | Google Application Credentials File |
| 4 | Storage Authentication Information | Enable Service Account |
| 5 | Default information for the Storage Authentication Information | Enable Service Account |
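
The precedence in Tables 2.24 to 2.26 can be written as a small resolver that also reports when an enabled IAM role, managed ID or service account is never used because a stored key or token takes priority. This Python is an added example, not HULFT code. The field keys, the three-location dictionary layout and the boolean flags are assumptions for illustration, and each field is resolved on its own, following the fallback rule described earlier on this page.

```python
SAI, DEFAULT, ENV = "individual", "default", "environment"
ANYWHERE, DB_ONLY = (SAI, DEFAULT, ENV), (SAI, DEFAULT)

# Ordered rules per provider, transcribed from Tables 2.24 to 2.26. Field keys are hypothetical
# labels, not HULFT identifiers; Session Token is DB_ONLY per note *1 of Table 2.24 (our reading).
RULES = {
    "s3": [
        ("Temporary security credential authentication",
         {"access_key": ANYWHERE, "secret_key": ANYWHERE, "session_token": DB_ONLY}),
        ("Authenticate IAM user", {"access_key": ANYWHERE, "secret_key": ANYWHERE}),
        ("IAM role", {"enable_iam_role": DB_ONLY}),
    ],
    "azure": [
        ("Shared Key authentication (SAS token)", {"sas_token": ANYWHERE}),
        ("Shared Key authentication (storage key)", {"storage_key": ANYWHERE}),
        ("Managed ID", {"enable_managed_id": DB_ONLY}),
    ],
    "gcs": [
        ("Google Application Credentials file", {"credentials_file": ANYWHERE}),
        ("Service account", {"enable_service_account": DB_ONLY}),
    ],
}


def resolve(provider, settings):
    """Return (method, {field: location}) for the first rule whose fields are all set."""
    for method, fields in RULES[provider]:
        sources = {}
        for field, locations in fields.items():
            hit = next((loc for loc in locations if settings.get(loc, {}).get(field)), None)
            if hit is None:
                break  # a required field is missing, so try the next method
            sources[field] = hit
        else:
            return method, sources
    return None, {}


def shadowed_identity(provider, settings):
    """True when the platform identity is enabled but a stored secret is used instead."""
    identity, flags = RULES[provider][-1]
    enabled = any(settings.get(loc, {}).get(f) for f, locs in flags.items() for loc in locs)
    return enabled and resolve(provider, settings)[0] != identity


# Constructed sample: the role is enabled per destination, but a key pair sits in the defaults.
SAMPLE = {SAI: {"enable_iam_role": True},
          DEFAULT: {"access_key": "EXAMPLE-KEY-ID", "secret_key": "EXAMPLE-SECRET"}}
print(resolve("s3", SAMPLE), shadowed_identity("s3", SAMPLE))
```

A True result from shadowed_identity means the long-lived key in the default information is what actually authenticates, so removing it is what makes the role or identity setting take effect.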

Registering or deleting the Storage Authentication Information

For the Storage Authentication Information, check the settings by using the output command included in the HULFT Cloud Storage Option utilities, and then register or delete the content.

For details on the HULFT Cloud Storage Option utilities, refer to Utilities of HULFT Cloud Storage Option.