This topic provides reference information about the Amazon S3 (csb-aws-s3-bucket) service.

It details the plans, configuration parameters, and binding credentials.

Note: Release v1.2.0 removed brokerpak pre-configured plans for the Amazon S3 bucket. Since then, all plans must be configured through the tile. If you have instances of the S3 bucket that were created in previous versions and that you want to maintain, see Add previously pre-configured plans later in this topic. For more information on upgrade steps, see Upgrading.

Plan Configuration Parameters

When configuring Cloud Service Broker for AWS you can add additional plans. For how to configure plans, see Configure Services with Cloud Service Broker for AWS.

The following table lists parameters which can only be configured for additional plans:

Parameter Name Values Default Required
name The plan name. n/a Yes
id A unique GUID. n/a Yes
description Description of the new plan. n/a Yes
display_name Name to use when displaying plan in Marketplace. n/a No
free When false, service instances of this service plan have a cost. true No
bindable Specifies whether service instances of the service plan can bind to applications. true No
plan_updateable Whether the plan supports upgrading, downgrading, or sidegrading to another version. true No

You can also add any of the parameters listed in the Configuration Parameters section to your plan.

Caution: If you set a parameter at plan level, developers cannot change the value when creating or updating service instances.

Configuration Parameters

You can provision a service by running:

cf create-service csb-aws-s3-bucket PLAN-NAME SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}

You can update the configuration parameters for a service instance by running:

cf update-service SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following table lists the parameters that you can configure, by using the -c flag, when provisioning or updating a csb-aws-s3-bucket service. The Operation column displays whether a parameter is supported for both provision and update, or for provision only:

Parameter Name Type Description Default Operation
bucket_name String The name of the bucket to create csb-INSTANCE-ID provision
acl String S3 bucket access control list (ACL). For more information, see the AWS documentation. ACLs are automatically deactivated if boc_object_ownership is set to BucketOwnerEnforced. Permitted values: null, private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, bucket-owner-full-control, and log-delivery-write null provision
enable_versioning Boolean Activate bucket versioning. Versioning is automatically active if Amazon S3 Object Lock is activated. false provision and update
region String This is the AWS region to deploy the service in. For more information about available regions, see the AWS documentation. us-west-2 provision
boc_object_ownership String S3 Bucket Ownership Controls. Permitted values: BucketOwnerPreferred, ObjectWriter, and BucketOwnerEnforced. Setting this property to BucketOwnerEnforced deactivates ACLs. For more information, see the AWS documentation. BucketOwnerEnforced provision
sse_default_algorithm String The server-side encryption algorithm to use to automatically encrypt new objects stored in this bucket. Valid values are AES256 to use Amazon S3-managed keys (SSE-S3) and aws:kms to use an AWS Key Management Service key (SSE-KMS). For more information about server-side encryption, see the AWS documentation. null provision and update
sse_default_kms_key_id String The AWS Key Management Service (KMS) key ID used for the Amazon S3 server-side encryption, which uses AWS Key Management Service (SSE-KMS). To use this parameter, set the value of sse_default_algorithm to aws:kms. null provision and update
sse_bucket_key_enabled Boolean Sets whether to use Amazon S3 Bucket Keys for SSE-KMS. For more information about Bucket Keys, see the AWS documentation. false provision and update
pab_block_public_acls Boolean Sets whether Amazon S3 blocks public ACLs for the bucket. For more information, see the AWS documentation. false provision and update
pab_block_public_policy Boolean Sets whether Amazon S3 blocks public bucket policies for the bucket. For more information, see the AWS documentation. false provision and update
pab_ignore_public_acls Boolean Sets whether Amazon S3 ignores public ACLs for the bucket. For more information, see the AWS documentation. false provision and update
pab_restrict_public_buckets Boolean Sets whether Amazon S3 restricts public bucket policies for the bucket. For more information, see the AWS documentation. false provision and update
ol_enabled Boolean Sets whether to activate Amazon S3 Object Lock. This stores objects using a write-once-read-many (WORM) model. For more information about Object Lock, see the AWS documentation. false provision
ol_configuration_default_retention_enabled Boolean Sets whether the bucket has an active Object Lock configuration. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. null provision and update
ol_configuration_default_retention_mode String The default retention mode for objects placed in the bucket. If you set this parameter, you must also set the ol_configuration_default_retention_days or ol_configuration_default_retention_years parameter. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. null provision and update
ol_configuration_default_retention_days Number The default fixed number of days of retention for objects placed in the bucket. This property is only required if you have set ol_configuration_default_retention_mode, but have not set ol_configuration_default_retention_years. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. null provision and update
ol_configuration_default_retention_years Number The default fixed number of years of retention for objects placed in the bucket. This property is only required if you have set ol_configuration_default_retention_mode, but have not set ol_configuration_default_retention_days. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. null provision and update
aws_access_key_id String The AWS Access Key to use for an instance. The value the operator entered for AWS Access Key in Ops Manager provision and update
aws_secret_access_key String The corresponding secret for the AWS Access Key to use for an instance. The value the operator entered for AWS Secret Access Key in Ops Manager provision and update

When using S3 Object Lock, take your encryption technique into consideration. For example, if you are using server-side encryption with AWS KMS keys, consider how the possible deletion of the key might interact with S3 Object Lock.

When creating a bucket with Object Lock activated, Amazon S3 automatically activates versioning for the bucket. To avoid differences between the local state and the AWS state, Cloud Service Broker for AWS activates versioning when enabling Object Lock.

Binding Parameters

You can bind a service by running:

cf bind-service APP-NAME SERVICE-INSTANCE-NAME --binding-name BINDING-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following table lists the parameters that you can configure, using the -c flag, when binding to a csb-aws-s3-bucket service:

Parameter Name Type Description Default
aws_access_key_id String The AWS Access Key to use for an instance The value the operator entered for AWS Access Key in Ops Manager
aws_secret_access_key String The corresponding secret for the AWS Access Key to use for an instance The value the operator entered for AWS Secret Access Key in Ops Manager

Binding Credentials

The format for binding credentials for Amazon S3 Bucket is as follows:

{
    "arn" : "BUCKET-ARN",
    "bucket_domain_name" : "BUCKET-FQDN",
    "region" : "BUCKET-REGION",
    "bucket_name" : "BUCKET-NAME",
    "access_key_id" : "ACCESS-KEY-FOR-BUCKET",
    "secret_access_key" : "SECRET-KEY-FOR-BUCKET"
}

Add previously provided pre-configured plans

The following table lists the previously provided plans for the csb-aws-s3-bucket service:

Plan Description
private Private S3 bucket
public-read Publicly readable S3 bucket

To keep these plans in later versions of the broker, add them through the tile as custom plans. For how to configure plans through the tile, see Configure Services with Cloud Service Broker for AWS.

Add the following block to keep the private plan:

{
    "name": "private",
    "id": "8938b4c0-d67f-4c34-9f68-a66deef99b4e",
    "description": "Private S3 bucket",
    "display_name": "Private",
    "acl": "private",
    "boc_object_ownership": "ObjectWriter"
}

Add the following block to keep the public-read plan:

  {
      "name": "public-read",
      "id": "04317eaa-11ac-4c5f-b77f-eb005fe977fe",
      "description": "Public-read S3 bucket",
      "display_name": "Public Read",
      "acl": "public-read",
      "boc_object_ownership": "ObjectWriter"
  }
check-circle-line exclamation-circle-line close-line
Scroll to top icon