mc ilm tier

Changed in version RELEASE.2022-12-24T15-21-38Z: mc ilm tier replaces mc admin tier.

Description

The mc ilm tier command and its subcommands configure a supported remote S3-compatible service for MinIO Lifecycle Management: Object Transition (“Tiering”).

After creating one or more tiers with this command, use mc ilm rule and its subcommands to create the rules that move objects to other storage.

For more information, see the overview of lifecycle management.

Subcommands

mc ilm tier includes the following subcommands:

Subcommand

Description

add

The mc ilm tier add command creates a new remote storage tier on a supported storage service.

check

The mc ilm tier check command displays the configuration for a remote tier on a deployment.

info

The mc ilm tier info command outputs statistics about a tier or all tiers for a deployment.

ls

The mc ilm tier ls command shows the remote tiers configured on a deployment.

rm

The mc ilm tier rm command removes a remote tier that has not been used to transition any objects.

update

The mc ilm tier update command modifies an existing configured remote tier.

Required Permissions

To create tiers for object transition, MinIO requires the following administrative permissions on the cluster:

For example, the following policy provides sufficient permissions for configuring object transition lifecycle management rules on any bucket in the cluster:

{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Action": [
               "admin:SetTier",
               "admin:ListTier"
            ],
            "Effect": "Allow",
            "Sid": "EnableRemoteTierManagement"
      },
      {
            "Action": [
               "s3:PutLifecycleConfiguration",
               "s3:GetLifecycleConfiguration"
            ],
            "Resource": [
               "arn:aws:s3:::*"
            ],
            "Effect": "Allow",
            "Sid": "EnableLifecycleManagementRules"
      }
   ]
}

Transition Permissions

Object transition lifecycle management rules require additional permissions on the remote storage tier. Specifically, MinIO requires that the remote tier credentials provide read, write, list, and delete permissions.

For example, if the remote storage tier implements AWS IAM policy-based access control, the following policy provides the necessary permissions for transitioning objects into and out of the remote tier:

{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Action": [
               "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::MyDestinationBucket"
            ],
            "Sid": ""
      },
      {
            "Action": [
               "s3:GetObject",
               "s3:PutObject",
               "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::MyDestinationBucket/*"
            ],
            "Sid": ""
      }
   ]
}

Modify the Resource to match the bucket into which MinIO tiers objects.

Avoid enabling versioning in the remote tier

MinIO strongly recommends against enabling bucket versioning for remote tiers. If the remote tier bucket is versioned, each source object version is transitioned to a unique object in the remote tier.

If your environment requires versioning for the remote tier, you must also allow the s3:DeleteObjectVersion permission.
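To keep the remote tier credentials at least privilege, a policy can be checked against the permissions listed above before the tier is created. The following is an added example, not part of the MinIO documentation or tooling: audit_tier_policy and its helpers are hypothetical names, the wildcard policy is constructed sample input, and wildcard matching is a simplification that does not evaluate Deny, NotAction or Condition.

```python
import json
from fnmatch import fnmatchcase

# Actions the page lists for remote-tier credentials, by resource kind.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_tier_policy(policy_json, bucket, versioned=False):
    """Return (missing, excess) lists of (action, resource) pairs.

    missing: required pairs that no Allow statement covers.
    excess:  Allow grants that are not exactly a required pair.
    """
    arn = f"arn:aws:s3:::{bucket}"
    required = {(a, arn) for a in BUCKET_ACTIONS}
    required |= {(a, arn + "/*") for a in OBJECT_ACTIONS}
    if versioned:  # needed only when the remote bucket is versioned
        required.add(("s3:DeleteObjectVersion", arn + "/*"))

    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action")):
                for resource in _as_list(stmt.get("Resource")):
                    granted.add((action, resource))

    def covered(need):  # a wildcard grant still covers a required pair
        return any(fnmatchcase(need[0], a) and fnmatchcase(need[1], r)
                   for a, r in granted)

    missing = sorted(p for p in required if not covered(p))
    return missing, sorted(granted - required)

# The remote-tier policy from this page, with the empty Sid fields omitted.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::MyDestinationBucket"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::MyDestinationBucket/*"]}]})

# Constructed over-broad policy: works for tiering, but far exceeds it.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]})
```

An empty missing list means tiering has what it needs; anything in excess is a grant to remove or justify before handing the credentials to mc ilm tier add.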

Defer to the documentation for the supported tiering targets for more complete information on configuring users and permissions to support MinIO tiering: