Creating, updating, or deleting a configuration of type S3Credentials for use with the App Connect Dashboard

If you want to use a bucket in an object storage service to store BAR files that are uploaded or imported to your App Connect Dashboard instance, you must create a configuration object of type S3Credentials. This configuration object is used to store the credentials for accessing the bucket in the Simple Storage Service (S3) instance. You will need to provide the name of this configuration object while creating the Dashboard.

You can also update the configuration object if your credentials change, or delete it if it's no longer needed.

Note: A configuration object of type S3Credentials can be used only while creating an App Connect Dashboard or App Connect Designer instance, and is not visible in the Dashboard UI in the way configurations for integration servers and integration runtimes are.

Creating a configuration of type S3Credentials for use with the App Connect Dashboard
Updating or deleting a configuration of type S3Credentials for an App Connect Dashboard

Creating a configuration of type S3Credentials for use with the App Connect Dashboard

The credentials that you supply for accessing an S3 bucket must have read and write permissions.

You can provide the following types of credentials for the supported S3 providers:

Identity and Access Management (IAM) credentials:
- API key
- Resource instance identifier
IAM credentials are supported for IBM® Cloud Object Storage S3 only. You can obtain the credentials (apikey and resource_instance_id) for your bucket from the Service Credentials page in your IBM Cloud Object Storage S3 instance. For more information, see Service credentials.
Hash-Based Message Authentication Code (HMAC) credentials:
- Access key ID
- Secret access key
HMAC credentials are supported for both IBM Cloud Object Storage S3 and Amazon S3.
- For IBM Cloud Object Storage S3, you can obtain these credentials (cos_hmac_keys) from the Service Credentials page.
- Amazon S3 you can obtain these credentials from the Security Credentials page in the AWS Management Console.

You can create a configuration object of type S3Credentials by using the Red Hat® OpenShift® web console or CLI, or the CLI for a Kubernetes environment. The credentials must be supplied in JSON format and will be validated when the content server is started.

Procedure

The following steps describe how to create a configuration object from the CLI. These instructions relate to the Red Hat OpenShift CLI, but can be applied to a Kubernetes environment by using the relevant command to log in to the cluster, and substituting oc with kubectl where appropriate. If you want to use the Red Hat OpenShift web console, you can follow the instructions in Configuration reference: Creating an instance from the Red Hat OpenShift web console.

Specify the credentials as follows in JSON format. (You can save these credentials to a .json file for Base64 encoding or you can specify them directly from the command line if your operating system allows, as described in the next step.)
- To provide IAM credentials, use the following format, where authTypeValue is IBM_COS_IAM (for IBM Cloud Object Storage S3), apikeyValue is the API key, and resource_instance_id is the resource instance identifier:
```
{"authType": "authTypeValue","credentials": {"apiKey": "apikeyValue","resourceInstanceId": "resource_instance_id"}}
```
  For example:
  
  {"authType": "IBM_COS_IAM","credentials": {"apiKey": "12345abc","resourceInstanceId": "crn:v1:bluemix:public:cloud-object-storage:global:a/xxxxx:xxx-xxx-xxx::"}}
- To provide HMAC credentials, use the following format, where authTypeValue is AWS_SIGNATURE_V4 (for either Amazon S3 or IBM Cloud Object Storage S3), accessKeyIdentifier is the access key ID, and secretAccessKeyValue is the secret access key:
```
{"authType": "authTypeValue","credentials": {"accessKeyId": "accessKeyIdentifier","secretAccessKey": "secretAccessKeyValue"}}
```
  The following example shows how to provide HMAC credentials for Amazon S3:
  
  {"authType": "AWS_SIGNATURE_V4","credentials": {"accessKeyId": "12345abc","secretAccessKey": "abcde"}}
Use your preferred method to Base64 encode the JSON content. If you created a file, run a Base64 encoder against the file and save the contents.
Or if supported on your operating system, directly Base64-encocde the JSON content from the command line by running a supported command. For example:
```
echo 'JSONcontent' | base64
```
Example:

echo '{"authType": "IBM_COS_IAM","credentials": {"apiKey": "12345abc","resourceInstanceId": "crn:v1:bluemix:public:cloud-object-storage:global:a/xxxxx:xxx-xxx-xxx::"}}' | base64
Optional. If preferred, create a secret to securely store the Base64-encoded value, which contains sensitive data.
Note: Only perform this step if you prefer to manually create and manage your own secret. If you skip this step, a secret is automatically generated by default to store the Base64-encoded value (specified in spec.data) when you save the configuration.
1. From the command line, log in to your Red Hat OpenShift cluster by using the oc login command.
2. Run the following command:
```
oc create secret generic secretName --from-literal=configuration=configurationContent --namespace=namespaceName
```
  Where:
  - secretName is the name of the secret for storing the Base64-encoded credentials.
  - configurationContent is the Base64-encoded configuration content.
  - namespaceName is the namespace in which both the configuration object and the App Connect Dashboard instance will be created. You can omit the --namespace flag if you are already logged in to this namespace.
3. Make a note of the secret name so that you can specify it while creating the configuration object.
4. Leave the command window open.
From your local computer, create a YAML file that contains the configuration for the object that you want to create. Include the metadata.namespace parameter to identify the namespace in which you want to create the configuration; this should be the same namespace where the App Connect Dashboard instance is created.
To view the full set of parameters and values available for configurations, see Configuration reference: Custom resource values. (This section also describes how the spec.data value is stored after you create the configuration object.)

The following YAML code shows an example of what the custom resource of your configuration object should look like if you did not manually create a secret to store the Base64-encoded content. Note that the value of the spec.data parameter must be the Base64-encoded file content that you generated in an earlier step, and spec.type must be s3credentials.
```
apiVersion: appconnect.ibm.com/v1beta1
kind: Configuration
metadata:
  name: configurationObjectName
  namespace: namespaceName
spec:
  data: Base64-encodedValue
  description: configurationObjectDescription
  type: s3credentials
```
The following YAML code shows an example of what the custom resource of your configuration object should look like if you manually created a secret to store the Base64-encoded content. Note that the value of the spec.secretName parameter must be the name of this secret, and spec.type must be s3credentials.
```
apiVersion: appconnect.ibm.com/v1beta1
kind: Configuration
metadata:
  name: configurationObjectName
  namespace: namespaceName
spec:
  description: configurationObjectDescription
  secretName: mySecret
  type: s3credentials
```
Save this file with a .yaml extension; for example, s3config_cr.yaml.
From the command line, run the following command to create the configuration in your cluster. (Use the name of the .yaml file that you created.)
```
oc apply -f s3config_cr.yaml
```
This configuration object is not assigned a status (if you run oc get configurations) because the object simply represents a document that is referenced by a Dashboard.

You can apply this configuration to an App Connect Dashboard instance in the same namespace by specifying the metadata.name value of the configuration object within the Dashboard's custom resource (CR), under spec.storage.s3Configuration. For more information, see Dashboard reference: Creating an instance.

Updating or deleting a configuration of type S3Credentials for an App Connect Dashboard

If the credentials for accessing your S3 bucket change, you must update your existing App Connect Dashboard settings to use the new credentials:

Create another configuration of type S3Credentials to store the new credentials, as described in Creating a configuration of type S3Credentials for use with the App Connect Dashboard.
Update your App Connect Dashboard CR to reference the new configuration by replacing the existing spec.storage.s3Configuration value with the new value. When you save the updated CR, the App Connect Dashboard pods are automatically restarted to pick up the new value.

If you need to delete a configuration object of type S3Credentials that's no longer required, you can do so by using the Red Hat OpenShift web console or CLI, or the CLI for a Kubernetes environment. For more information, see Configuration reference: Deleting an instance.

Note: You cannot delete a configuration object if it's being used by an App Connect Dashboard instance; that is, if it's referenced in spec.storage.s3Configuration in the Dashboard CR.