This topic gives you reference information about the Amazon S3 (csb-aws-s3-bucket) service. It details the plans, configuration parameters, and binding credentials.

Note: Release v1.2.0 removed brokerpak pre-configured plans for the Amazon S3 bucket. All plans must be configured through the tile. If you have instances of the S3 bucket that were created in previous versions and that you want to maintain, see Previously Provided Pre-configured Plans later in this topic. For more information on upgrade steps, see Upgrading.

Plan Configuration Parameters

When configuring Cloud Service Broker for AWS you can add additional plans. For how to configure plans, see Configure Services with Cloud Service Broker for AWS.

The following table lists parameters which can only be configured for additional plans:

| Parameter Name | Values | Default | Required |
| --- | --- | --- | --- |
| name | The plan name. | n/a | Yes |
| id | A unique GUID. | n/a | Yes |
| description | Description of the new plan. | n/a | Yes |
| display_name | Name to use when displaying plan in Marketplace. | n/a | No |
| free | When false, service instances of this service plan have a cost. | true | No |
| bindable | Specifies whether service instances of the service plan can bind to applications. | true | No |
| plan_updateable | Whether the plan supports upgrading, downgrading, or sidegrading to another version. | true | No |

You can also add any of the parameters listed in the Configuration Parameters section to your plan.

Note: If you set a parameter at plan level, developers cannot change the value when creating or updating service instances.

Configuration Parameters

You can provision a service by running:

cf create-service csb-aws-s3-bucket PLAN-NAME SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

You can update the configuration parameters for a service instance by running:

cf update-service SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following table lists the parameters that you can configure, by using the -c flag, when provisioning or updating a csb-aws-s3-bucket service. The Operation column displays whether a parameter is supported for both provision and update, or for provision only:

| Parameter Name | Type | Description | Default | Operation |
| --- | --- | --- | --- | --- |
| bucket_name | String | The name of the bucket to create | csb-INSTANCE-ID | provision |
| acl | String | S3 bucket access control list (ACL). For more information, see the AWS documentation. ACLs are automatically deactivated if boc_object_ownership is set to BucketOwnerEnforced. Permitted values: null, private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, bucket-owner-full-control, and log-delivery-write | null | provision |
| enable_versioning | Boolean | Activate bucket versioning. Versioning is automatically active if Amazon S3 Object Lock is activated. | false | provision and update |
| region | String | This is the AWS region to deploy the service in. For more information about available regions, see the AWS documentation. | us-west-2 | provision |
| boc_object_ownership | String | S3 Bucket Ownership Controls. Permitted values: BucketOwnerPreferred, ObjectWriter, and BucketOwnerEnforced. Setting this property to BucketOwnerEnforced deactivates ACLs. For more information, see the AWS documentation. | BucketOwnerEnforced | provision |
| sse_default_algorithm | String | The server-side encryption algorithm to use to automatically encrypt new objects stored in this bucket. Valid values are AES256 to use Amazon S3-managed keys (SSE-S3) and aws:kms to use an AWS Key Management Service key (SSE-KMS). For more information about server-side encryption, see the AWS documentation. | null | provision and update |
| sse_default_kms_key_id | String | The AWS Key Management Service (KMS) key ID used for the Amazon S3 server-side encryption, which uses AWS Key Management Service (SSE-KMS). To use this parameter, set the value of sse_default_algorithm to aws:kms. | null | provision and update |
| sse_bucket_key_enabled | Boolean | Sets whether to use Amazon S3 Bucket Keys for SSE-KMS. For more information about Bucket Keys, see the AWS documentation. | false | provision and update |
| pab_block_public_acls | Boolean | Sets whether Amazon S3 blocks public ACLs for the bucket. For more information, see the AWS documentation. | false | provision and update |
| pab_block_public_policy | Boolean | Sets whether Amazon S3 blocks public bucket policies for the bucket. For more information, see the AWS documentation. | false | provision and update |
| pab_ignore_public_acls | Boolean | Sets whether Amazon S3 ignores public ACLs for the bucket. For more information, see the AWS documentation. | false | provision and update |
| pab_restrict_public_buckets | Boolean | Sets whether Amazon S3 restricts public bucket policies for the bucket. For more information, see the AWS documentation. | false | provision and update |
| ol_enabled | Boolean | Sets whether to activate Amazon S3 Object Lock. This stores objects using a write-once-read-many (WORM) model. For more information about Object Lock, see the AWS documentation. | false | provision |
| ol_configuration_default_retention_enabled | Boolean | Sets whether the bucket has an active Object Lock configuration. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. | null | provision and update |
| ol_configuration_default_retention_mode | String | The default retention mode for objects placed in the bucket. If you set this parameter, you must also set the ol_configuration_default_retention_days or ol_configuration_default_retention_years parameter. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. | null | provision and update |
| ol_configuration_default_retention_days | Number | The default fixed number of days of retention for objects placed in the bucket. This property is only required if you have set ol_configuration_default_retention_mode, but have not set ol_configuration_default_retention_years. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. | null | provision and update |
| ol_configuration_default_retention_years | Number | The default fixed number of years of retention for objects placed in the bucket. This property is only required if you have set ol_configuration_default_retention_mode, but have not set ol_configuration_default_retention_days. To activate Object Lock for a new bucket, see the ol_enabled parameter. For more information about Object Lock, see the AWS documentation. | null | provision and update |
| aws_access_key_id | String | The AWS Access Key to use for an instance. | The value the operator entered for AWS Access Key in Ops Manager | provision and update |
| aws_secret_access_key | String | The corresponding secret for the AWS Access Key to use for an instance. | The value the operator entered for AWS Secret Access Key in Ops Manager | provision and update |

When using S3 Object Lock, take your encryption technique into consideration. For example, if you are using server-side encryption with AWS KMS keys, consider how the possible deletion of the key might interact with S3 Object Lock.

When creating a bucket with Object Lock activated, Amazon S3 automatically activates versioning for the bucket. To avoid differences between the local state and the AWS state, Cloud Service Broker for AWS activates versioning when enabling Object Lock.
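The parameter table above has several interactions that are easy to miss: all four pab_* flags default to false, acl is deactivated under the default boc_object_ownership, and some parameters depend on others. The following is an added example, not part of Cloud Service Broker for AWS, that lints the JSON you intend to pass with -c before you run cf; the function name lint_params, the finding messages, and the sample inputs are assumptions of this example.

```python
import json

# Names, defaults and "provision"-only markings are copied from the parameter
# table on this page; the lint rules and messages are this example's own.
PROVISION_ONLY = {"bucket_name", "acl", "region", "boc_object_ownership", "ol_enabled"}
PAB_FLAGS = ("pab_block_public_acls", "pab_block_public_policy",
             "pab_ignore_public_acls", "pab_restrict_public_buckets")
PUBLIC_ACLS = {"public-read", "public-read-write"}


def lint_params(params_json, operation="provision"):
    """Return findings for the JSON passed to cf create-service/update-service -c."""
    p = json.loads(params_json)
    if operation == "update":
        # Table defaults describe provision time, so an update is only
        # checked for parameters the table marks as provision-only.
        return [f"{k}: provision-only, not supported on update"
                for k in sorted(PROVISION_ONLY.intersection(p))]
    findings = []
    acl = p.get("acl")
    ownership = p.get("boc_object_ownership", "BucketOwnerEnforced")
    if acl is not None and ownership == "BucketOwnerEnforced":
        findings.append("acl: deactivated because boc_object_ownership is BucketOwnerEnforced")
    elif acl in PUBLIC_ACLS:
        findings.append(f"acl: '{acl}' grants public access")
    # Each Public Access Block flag defaults to false when omitted.
    for flag in PAB_FLAGS:
        if p.get(flag, False) is not True:
            findings.append(f"{flag}: not true, this public access block setting is off")
    if p.get("sse_default_kms_key_id") and p.get("sse_default_algorithm") != "aws:kms":
        findings.append("sse_default_kms_key_id: requires sse_default_algorithm 'aws:kms'")
    if p.get("ol_configuration_default_retention_mode") and not (
            p.get("ol_configuration_default_retention_days")
            or p.get("ol_configuration_default_retention_years")):
        findings.append("ol_configuration_default_retention_mode: needs retention days or years")
    return findings


# Constructed sample inputs (not from the page); EXAMPLE-KEY-ID is a placeholder.
WEAK = ('{"acl": "public-read", "boc_object_ownership": "ObjectWriter", '
        '"sse_default_kms_key_id": "EXAMPLE-KEY-ID"}')
HARDENED = json.dumps({**dict.fromkeys(PAB_FLAGS, True),
                       "sse_default_algorithm": "aws:kms",
                       "sse_default_kms_key_id": "EXAMPLE-KEY-ID",
                       "sse_bucket_key_enabled": True})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_params(doc) or "no findings")
```

The same checks apply to a plan definition, because plan-level values are fixed for every instance created from that plan.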

Binding Parameters

You can bind a service by running:

cf bind-service APP-NAME SERVICE-INSTANCE-NAME --binding-name BINDING-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following table lists the parameters that you can configure, using the -c flag, when binding to a csb-aws-s3-bucket service:

| Parameter Name | Type | Description | Default |
| --- | --- | --- | --- |
| aws_access_key_id | String | The AWS Access Key to use for an instance | The value the operator entered for AWS Access Key in Ops Manager |
| aws_secret_access_key | String | The corresponding secret for the AWS Access Key to use for an instance | The value the operator entered for AWS Secret Access Key in Ops Manager |

Binding Credentials

The format for binding credentials for Amazon S3 Bucket is as follows:

{
    "arn" : "BUCKET-ARN",
    "bucket_domain_name" : "BUCKET-FQDN",
    "region" : "BUCKET-REGION",
    "bucket_name" : "BUCKET-NAME",
    "access_key_id" : "ACCESS-KEY-FOR-BUCKET",
    "secret_access_key" : "SECRET-KEY-FOR-BUCKET"
}

Previously Provided Pre-configured Plans

The following table lists the previously provided plans for the csb-aws-s3-bucket service:

| Plan | Description |
| --- | --- |
| private | Private S3 bucket |
| public-read | Publicly readable S3 bucket |

To keep these plans in this version of the broker, add them through the tile as custom plans. For how to configure plans through the tile, see Configure Services with Cloud Service Broker for AWS.

Add the following block to keep the private plan:

{
    "name": "private",
    "id": "8938b4c0-d67f-4c34-9f68-a66deef99b4e",
    "description": "Private S3 bucket",
    "display_name": "Private",
    "acl": "private",
    "boc_object_ownership": "ObjectWriter"
}

Add the following block to keep the public-read plan:

{
    "name": "public-read",
    "id": "04317eaa-11ac-4c5f-b77f-eb005fe977fe",
    "description": "Public-read S3 bucket",
    "display_name": "Public Read",
    "acl": "public-read",
    "boc_object_ownership": "ObjectWriter"
}