Using DAS proxy to access S3 and S3 compatible buckets

External applications and query engines can access the S3 and S3 compatible buckets that are managed by watsonx.data through DAS proxy.

watsonx.data on IBM Software Hub

To access the S3 and S3 compatible buckets:
  1. Get the DAS endpoint from the watsonx.data information window. Click the i icon on the home page to open the information window.
  2. Replace the S3 endpoint with the DAS endpoint in your Java code.
    <cas endpoint>/cas/v1/proxy
  3. Replace the access key with the encoded value in your Java code as follows:
    base64{<instanceid>|ZenAPIkey base64{username:<apikey>}}
    Note: To get the Base64 encoded string, use one of the following commands:
    • printf "username:<apikey>" | base64
    • echo -n "username:<apikey>" | base64
Java code example to use DAS:
        String bucketName = "bucket1";
        String keyName = "folder1/file1";
        # replace the target object store endpoint with the DAS proxy endpoint
        String endpoint = "<cas endpoint get from About page>/cas/v1/proxy";
        /** Replace the Access Key with watsonx.data user name and API key following the below base64 encoded method.
        * CPD base64{<instanceid>|ZenAPIkey base64{username:<apikey>}}
        * SaaS base64{<crn>|Basic base64{ibmlhapikey_<user_id>:<IAM_APIKEY>}}
        */
        String accessKey = "encoded value";
        String secretKey = "any string";

        BasicAWSCredentials cos_cred = new BasicAWSCredentials(accessKey, secretKey);
        EndpointConfiguration cosEndPoint = new EndpointConfiguration(endpoint, "us-east");
        AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withPathStyleAccessEnabled(true)
                .withCredentials(new AWSStaticCredentialsProvider(cos_cred))
                .withEndpointConfiguration(cosEndPoint).build();
        GetObject.GetObjectTest(s3Client, bucketName, keyName);
Note: For information about S3 REST API permissions, see S3 REST API permissions.
Note: To use DAS externally, you have to import the CA certificates and add them in your cluster. To get the certificates, run:
echo QUIT | openssl s_client -showcerts -connect <cas host>:443 | awk '/-----BEGIN CERTIFICATE-----/ {p=1}; p; /-----END CERTIFICATE-----/ {p=0}' > cas.cert
To import the certificates to your local Java truststore, run:
sudo keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias cas-cert -file ./cas.cert