`mc ilm tier`

Changed in version RELEASE.2022-12-24T15-21-38Z: mc ilm tier replaces mc admin tier.

Description

The mc ilm tier command and its subcommands configure a remote supported S3-compatible service for MinIO Lifecycle Management: Object Transition (“Tiering”).

After creating one or more tiers with this command, use mc ilm rule and its subcommands to create the rules that move objects to other storage.

For more information, see the overview of lifecycle management.

Subcommands

mc ilm tier includes the following subcommands:

Subcommand	Description
`add`	The `mc ilm tier add` command creates a new remote storage tier to a supported storage services.
`check`	The `mc ilm tier check` command displays the configuration for remote tier on a deployment.
`info`	The `mc ilm tier info` command outputs statistics about a tier or all tiers for a deployment.
`ls`	The `mc ilm tier ls` command shows the remote tiers configured on a deployment.
`rm`	The `mc ilm tier rm` command removes an remote tier that has not been used to transition any objects.
`update`	The `mc ilm tier update` command modifies an existing configured remote tier.

Required Permissions

To create tiers for object transition, MinIO requires the following administrative permissions on the cluster:

For example, the following policy provides sufficient permissions for configuring object transition lifecycle management rules on any bucket in the cluster:

{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Action": [
               "admin:SetTier",
               "admin:ListTier"
            ],
            "Effect": "Allow",
            "Sid": "EnableRemoteTierManagement"
      },
      {
            "Action": [
               "s3:PutLifecycleConfiguration",
               "s3:GetLifecycleConfiguration"
            ],
            "Resource": [
                        "arn:aws:s3:::*"
            ],
            "Effect": "Allow",
            "Sid": "EnableLifecycleManagementRules"
      }
   ]
}

Object transition lifecycle management rules require additional permissions on the remote storage tier. Specifically, MinIO requires the remote tier credentials provide read, write, list, and delete permissions.

For example, if the remote storage tier implements AWS IAM policy-based access control, the following policy provides the necessary permissions for transitioning objects into and out of the remote tier:

{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Action": [
               "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::MyDestinationBucket"
            ],
            "Sid": ""
      },
      {
            "Action": [
               "s3:GetObject",
               "s3:PutObject",
               "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::MyDestinationBucket/*"
            ],
            "Sid": ""
      }
   ]
}

Modify the Resource for the bucket into which MinIO tiers objects.

Avoid enabling versioning in the remote tier

MinIO strongly recommends against enabling bucket versioning for remote tiers. If the remote tier bucket is versioned, each source object version is transitioned to a unique object in the remote tier.

If your environment requires versioning for the remote tier, you must also allow the s3:DeleteObjectVersion permission.

Defer to the documentation for the supported tiering targets for more complete information on configuring users and permissions to support MinIO tiering:

Documentation

`mc ilm tier`

Description

Subcommands

Required Permissions

Transition Permissions