ECS: How to Configure and Use S3 AWS CLI

Summary: When using AWS CLI to test customer scenario's where they are using AWS CLI with ECS to confirm functionality and compatibility, always reference the ECS Data Access Guide for ECS AWS S3 supported API calls. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

AWS Command-Line Interface (AWS CLI) is a tool by AWS that can be used to test S3 high-level commands and s3 API-Level (s3api)

High-level, aws s3 (External Link) commands support common bucket operations, such as creating, listing, and deleting buckets. How to download and install the tool, all supported High-Level commands can be obtained in command set using the command aws s3api help.

S3Uri: Represents the location of a S3 object, prefix, or bucket - This must be written in the form s3://mybucket/mykey where mybucket is t specified S3 bucket, mykey is the specified S3 key. The path argument must begin with s3://

API-Level aws s3api (External Link) commands are contained in the s3api commend set. These S3 API commands provide access to bucket metadata, like bucket ACL, bucket policy, life cycle policies to mention a few, all supported API calls can be obtained in command set using command aws s3api help.

  • AWS CLI automatically uses up to 10 threads to upload files or parts during uploads by default
  • The AWS CLI automatically uses multipart_threshold uploads for files >= 8 MB file size, multipart_chunksize

Download and install instructions.

  1. Version releases https://github.com/aws/aws-cli/releases (External Link)
  2. Download and install AWS CLI bundle
# curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
  1. Extract bundle
# unzip awscli-bundle.zip
  1. Run install command
# sudo /awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
  1. Confirm version
# aws version
Output:
      aws-cli/2.0.33 Python/3.7.3 Linux/4.15.0-109-generic botocore/2.0.0dev37

Configuring the AWS CLI

This section explains the basic steps to configure AWS CLI for use with ECS S3, using ECS object user. This section assumes Bucket, and object user have been already created on ECS. The credentials and configuration file are updated when you run the command aws configure.

The credentials file is located here ~/.aws/credentials. Credentials file stores user profile details (Access key ID and Secret access Keys) configuration file stores region and output format details.

Required:
  • Access key ID: ECS object user
  • Secret Access key: Secret Key
Steps:
  1. This example creates a profile name mc_s3
# aws configure --profile mc_s3
Prompt:

    AWS Access Key ID [None]: mc_s3
    AWS Secret Access Key [None]: 1guFemRLSgqFau6uKzIVAZJu5+PS+S8qO7rvEsi7
    Default region name [None]: 
    Default output format [None]: json
  1. List profiles all profiles (list-properties available in AWS CLI v2
# aws configure list-properties
Output:
    mc_s3
    ad_uid1

# aws configure list
Output:
		  Name                    Value             Type    Location
		  ----                    -----             ----    --------
	   profile                <not set>             None    None
	access_key     ****************c_s3 shared-credentials-file    
	secret_key     ****************Esi7 shared-credentials-file    
		region                               config-file    ~/.aws/config
  1. List-specific profile
# aws configure get aws_access_key_id --profile mc_s3
Output:
      mc_s3
Dealing with SSL connections and error on self signed certificate.  ( [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056))
  1. If using commands on 9021, AWS CLI option --no-verify-ssl is required to bypass the self-signed certificate error.
# aws --profile mc_s3 --endpoint=https://ecshop:9021 s3api list-buckets
Output:
     SSL validation failed for https://ecshop:9021/mc_s3_bkt?acl [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056)
  • Run command with --no-verify option to bypass this error
# aws --profile mc_s3 --endpoint=https://ecshop:9021 s3api list-buckets --no-verify-ssl --output text
Output:
      
    /usr/local/aws-cli/v2/2.0.33/dist/urllib3/connectionpool.py:986: InsecureRequestWarning: Unverified HTTPS request is being made to host 'ecshop'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

    BUCKETS 2020-02-24T21:24:29.440000+00:00        mc_s3_bkt
    BUCKETS 2020-05-06T17:23:48.870000+00:00        mc_s3_bkt2_backup
    BUCKETS 2020-05-06T21:16:13.344000+00:00        mc_s3_bkt_nfs
    OWNER   mc_s3   mc_s3
  • The second option would be to download the ECS self-signed certificate saved in PEM format and using the --ca-bundle option
  • Use OpenSSL to obtain ECS certificate for object data access on port 9021 and copy certificate contents using your favorite editor and save including certificate headers per example below.
# openssl s_client -connect ecshop:9021
Where ecshop is the ECS nodes IP or hostname, and xxxxxx should be the entire certificate in your environment. 
Output:

    -----BEGIN CERTIFICATE----- 
    Xxxxxxxxx
    xxxxxxxxx
    ...
    ...
    -----END CERTIFICATE-----
  1. List buckets in table human friendly with ca-bundle option where certificate is saved in PEM file name ecshop_cert_pem 
# aws --profile mc_s3 --endpoint=https://ecshop:9021 s3api list-buckets  --ca-bundle ecshop_cert.pem  --output table
Output:
    -------------------------------------------------------------
    |                        ListBuckets                        |
    +-----------------------------------------------------------+
    ||                         Buckets                         ||
    |+-----------------------------------+---------------------+|
    ||           CreationDate            |        Name         ||
    |+-----------------------------------+---------------------+|
    ||  2020-02-24T21:24:29.440000+00:00 |  mc_s3_bkt          ||
    ||  2020-05-06T17:23:48.870000+00:00 |  mc_s3_bkt2_backup  ||
    ||  2020-05-06T21:16:13.344000+00:00 |  mc_s3_bkt_nfs      ||
    |+-----------------------------------+---------------------+|
    ||                          Owner                          ||
    |+-----------------------------------+---------------------+|
    ||            DisplayName            |         ID          ||
    |+-----------------------------------+---------------------+|
    ||  mc_s3                            |  mc_s3              ||
    |+-----------------------------------+---------------------+|

Basic S3 operations

https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html (External Link)
Performance tuning
  • max_concurrent_requests - The maximum number of concurrent requests
  • max_queue_size - The maximum number of tasks in the task queue
  • multipart_threshold - The size threshold the CLI uses for multipart transfers of individual files.
  • multipart_chunksize - When using multipart transfers, this is the chunk size that the CLI uses for multipart transfers of individual files.
  • max_bandwidth - The maximum bandwidth that is consumed for uploading and downloading data to and from Amazon S3.
Saved in the configuration file as an example: 
# cat .aws/config
Output:
    [profile mc_s3]
    output = json
    s3 =
            endpoint_url = http://ecshop:9020

              max_concurrent_requests = 20
              max_queue_size = 1000
              multipart_threshold = 64MB
              multipart_chunksize = 16MB
              max_bandwidth = 50MB/s
              addressing_style = auto 
Using aws configure set command to set parameters to tune upload speeds 
$ aws configure set default.s3.max_concurrent_requests 20
$ aws configure set default.s3.max_queue_size 10000
$ aws configure set default.s3.multipart_threshold 64MB
$ aws configure set default.s3.multipart_chunksize 16MB
$ aws configure set default.s3.max_bandwidth 50MB/s
$ aws configure set default.s3.addressing_style auto
Steps: 
  1. Create bucket using s3 mb command
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 mb s3://s3_bkt
Output:
    make_bucket: s3_bkt
  1. List buckets using s3 ls and s3api list-buckets command sets lists buckets, for any other operations (referred to in S3 as 'prefixes') (External Link) in a bucket
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 ls
Output:
   2020-07-29 20:34:24 s3_bkt

  #  aws --profile mc_s3 --endpoint http://ecshop:9020 s3api list-buckets

#  aws --profile mc_s3 --endpoint http://ecshop:9020 s3api list-buckets
Output:		
	 aws --profile mc_s3 --endpoint http://ecshop:9020 s3api list-buckets
	{
		"Buckets": [
			{
				"Name": "mc_s3_bkt",
				"CreationDate": "2020-02-24T21:24:29.440000+00:00"
			},
			{
				"Name": "mc_s3_bkt2_backup",
				"CreationDate": "2020-05-06T17:23:48.870000+00:00"
			},
			{
				"Name": "mc_s3_bkt_nfs",
				"CreationDate": "2020-05-06T21:16:13.344000+00:00"
			},
			{
				"Name": "s3_bkt",
				"CreationDate": "2020-07-30T00:34:24.147000+00:00"
			},
  1.  Creating and uploading files for testing 
  • Example creating 1 MB and 4 MB files
# dd if=/dev/zero of=1MB_output.file bs=1024 count=1024
# dd if=/dev/zero of=4MB_output.file bs=1024 count=4096
  • Example creating large file 2GB
# dd if=/dev/urandom of=bigfile_2GB bs=1024k count=2048
  • Upload 1MB file to bucket s3_bkt
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 cp 1MB_output.file s3://s3_bkt
Output:
    upload: ./1MB_output.file to s3://s3_bkt/1MB_output.file
  1. List files in bucket, s3_bkt using profile name mc_s3 using s3 ls, or s3api list-objects command sets 
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 ls s3://s3_bkt
Output:
2020-07-29 20:39:43   16.0 MiB 16MB_output.file
2020-07-29 20:37:25    1.0 MiB 1MB_output.file
2020-07-29 20:39:23    4.0 MiB 4MB_output.file

 # aws --profile mc_s3 --endpoint http://ecshop:9020 s3api list-objects --bucket s3_bkt
Output:
	{
		"Contents": [
			{
				"Key": "16MB_output.file",
				"LastModified": "2020-07-30T00:39:43.125000+00:00",
				"ETag": "\"3a2d20e2e504fe056bbaae5b4c2351fd-2\"",
				"Size": 16777216,
				"StorageClass": "STANDARD",
				"Owner": {
					"DisplayName": "mc_s3",
					"ID": "mc_s3"
				}
			},
			{
				"Key": "1MB_output.file",
				"LastModified": "2020-07-30T00:37:25.033000+00:00",
				"ETag": "\"b6d81b360a5672d80c27430f39153e2c\"",
				"Size": 1048576,
				"StorageClass": "STANDARD",
				"Owner": {
					"DisplayName": "mc_s3",
					"ID": "mc_s3"
				}
			},
  1. List object versions
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api list-object-versions --bucket s3_bkt --output text
  1. Download file, 1MB_output.file from s3_bkt to /tmp directory on local machine.
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 cp s3://s3_bkt/1MB_output.file /tmp/
Output:
     download: s3://s3_bkt/1MB_output.file to ../../tmp/1MB_output.file
  1. Check ACL of a file 1MB_output.file in YAML format for output for readability
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api get-object-acl --bucket s3_bkt --key 1MB_output.file  --output yaml
Output:
        
    Grants:
    - Grantee:
        DisplayName: mc_s3
        ID: mc_s3
        Type: CanonicalUser
      Permission: FULL_CONTROL
    Owner:
      DisplayName: mc_s3
      ID: mc_s3
  1. Check bucket ACL on bucket s3_bkt
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api get-bucket-acl --bucket s3_bkt --output yaml
Output:      
    Grants:
    - Grantee:
        DisplayName: mc_s3
        ID: mc_s3
        Type: CanonicalUser
      Permission: FULL_CONTROL
    Owner:
      DisplayName: mc_s3
      ID: mc_s3
  1. Check bucket version or enable versioning on the bucket
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api get-bucket-versioning --bucket s3_bkt
Output:

    {
        "Status": "Enabled"
    }
  1. Initiate multipart upload using s3api API level with a large file 
  1. Create a 5GB file:
# time dd if=/dev/urandom of=bigfile_5GB bs=1024k count=5096
  1. Start upload
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api create-multipart-upload --bucket s3_bkt --key bigfile_5GB
Output:

    {
        "Bucket": "s3_bkt",
        "Key": "bigfile_5GB",
        "UploadId": "27cb6c45ab5c4c838fb5893263d871d3"
    }
  1. List incomplete multipart file uploads https://aws.amazon.com/premiumsupport/knowledge-center/s3-multipart-upload-cli/ (External Link)
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api list-multipart-uploads --bucket s3_bkt
Output:

	{
	    "Uploads": [
	        {
	            "UploadId": "27cb6c45ab5c4c838fb5893263d871d3",
	            "Key": "bigfile_5GB",
	            "Initiated": "2020-07-31T01:10:56.323000+00:00",
	            "StorageClass": "STANDARD",
	            "Owner": {
	                "DisplayName": "mc_s3",
	                "ID": "mc_s3"
	            }
	        }
	    ]
	}
  1. Improve s3 cp command or bucket to bucket performance recommendations for large files to initiate multipart uploads and changing concurrent threads, see above under performance tuning.
  1. Perform bucket to bucket copy to copy file.txt in mc_s3_bkt to s3_bkt using S3api 
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api copy-object --copy-source mc_s3_bkt/file.txt --key file.txt --bucket s3_bkt
Output:
{
    "VersionId": "1596159769267",
    "CopyObjectResult": {
        "ETag": "\"c789e490a90359de2bd3b09d7e957cfd-128\"",
        "LastModified": "2020-07-31T01:42:49.267000+00:00"
    }
}
  1. List files (objects or keys) in a bucket 
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 ls s3://s3_bkt/file.txt --human-readable  summarize
Output:
      2020-07-30 21:42:49    1.0 GiB file.txt
  1. Copying a file from S3_bkt to mc_s3_bkt using s3 cp high-level command set
The following cp command copies a single s3 object to a specified bucket and key: 
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 cp s3://s3_bkt/file.txt s3://mc_s3_bkt/file2.txt
       Output:
         copy: s3://s3_bkt/file.txt to s3://mc_s3_bkt/file2.txt
  1. Check if versioning is enabled on bucket s3_bkt
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api get-bucket-versioning --bucket s3_bkt
Output: 

      {
          "Status": "Enabled"
      }
  1. Delete bucket using s3 rb command (command has no output)
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3 rm s3://s3_bkt2
  1. The following example deletes all objects and sub folders in the bucket and then removes the bucket. (if versioning is enabled, this command does not remove version objects (review LDS, Life cycle policies)
# aws s3 rb s3://bucket-name --force
  1. Enable versioning on bucket s3_bkt using s3api API level command set (command has not output)
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api put-bucket-versioning --bucket s3_bkt --versioning-configuration Status=Enabled 
  1. Applying Life cycle policy Generate template (Reference ECS Data Access guide) AWS CLI requires json format for life cycle policy
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api put-bucket-lifecycle-configuration --generate-cli-skeleton input --bucket s3_bkt
  1. Apply Bucket life policy on bucket, for more details reference the ECS Data Access Guide
Create policy for AbortIncompleteMultipartUpload, NoncurrentVersionExpiration, and ExpiredObjectDeleteMarker and NoncurrentDays to expire after 7 days. 
#  aws --profile mc_s3 --endpoint http://ecshop:9020 s3api put-bucket-lifecycle --bucket s3_bkt --lifecycle-configuration file://s3_bkt_lifecycle.json
Output:

{
   "Rules": [
   {
      "ID": "expire-non-current-and-dmarkers-and-mpu",
      "Status": "Enabled",
      "Prefix": "/",
      "Expiration": {
         "ExpiredObjectDeleteMarker": true
      },
      "AbortIncompleteMultipartUpload": {
         "DaysAfterInitiation": 7
      },
      "NoncurrentVersionExpiration": {
         "NoncurrentDays": 7
      }
   }
   ]
}
  1. GET life cycle policy
# aws --profile mc_s3 --endpoint http://ecshop:9020 s3api get-bucket-lifecycle --bucket s3_bkt
Output:

{
    "Rules": [
        {
            "Expiration": {
                "Days": 10
            },
            "ID": "DeleteVersion-musa",
            "Prefix": "",
            "Status": "Enabled",
            "NoncurrentVersionExpiration": {
                "NoncurrentDays": 10
            }
        }
    ]
}
  1. Object tagging using key value pair 
  1. Write a file. 
$ aws s3 cp file.txt s3://mc_s3_bkt/aws/tag.txt  --profile mc_s3_emea --endpoint  http://emea:9020
upload: ./file.txt to s3://mc_s3_bkt/aws/tag.txt
  1. Add tag (this command has not output if successful. 
    Single-line command:
$ aws s3api put-object-tagging --profile mc_s3_emea --bucket mc_s3_bkt --key aws/tag.txt --tagging '{"TagSet": [{ "Key": "Product", "Value": "ECS" }]}' --endpoint-url http://emea:9020

Multi-line copy and paste: 

$ aws s3api put-object-tagging \
	 --profile mc_s3_emea \
     --bucket mc_s3_bkt \
     --key aws/tag.txt \
     --tagging '{"TagSet": [{ "Key": "Product", "Value": "ECS" }]}' \
    --endpoint-url http://emea:9020
  1. Get the object tag.
$ aws s3api get-object-tagging --profile mc_s3_emea --bucket mc_s3_bkt --key aws/tag.txt --endpoint http://emea:9020

{
    "TagSet": [
        {
            "Key": "Product",
            "Value": "ECS"
        }
    ]
}
  1. Adding multiple tags values 'key:value' - short form
$ aws s3api put-object-tagging --profile mc_s3_emea --bucket mc_s3_bkt --key aws/tag5.txt --tagging '{"TagSet": [{ "Key": "Product", "Value": "ECS 3.6.1.2" },{"Key": "Company", "Value": "Dell Technologies"}]}' --endpoint-url http://emea:9020
  1. Get the object tag.
$ aws s3api get-object-tagging --profile mc_s3_emea --bucket mc_s3_bkt --key aws/tag5.txt
{
    "TagSet": [
        {
            "Key": "Product",
            "Value": "ECS 3.6.1.2"
        },
        {
            "Key": "Company",
            "Value": "Dell Technologies"
        }
    ]
}
  1. S3 Object Lock
ECS allows you to store objects using a write-once-read-many (WORM) model through S3 Object Lock. This feature prevents objects from being deleted or overwritten for a specified time or indefinitely.
 
Note:
  • ECS S3 Object Lock feature supports only the versioning-enabled buckets.
  • There is no ECS user interface for Object Lock. It can be accessed through ECS Object Lock APIs.
  • The locked objects are protected from life cycle deletions
  • Bucket cannot be File system enabled
  • Object lock works with IAM users and not legacy users 
  • Enabling object lock on the bucket, automatically enable versioning 
  • A patch is required if ADO is enabled and to be addressed in ECS 3.7. See article ECS: Disabling Object-lock feature on ECS for IBM Content Manager


To set an object lock on a bucket.
Use put-object-lock-configuration option is used with AWS CLI.

See: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html 
put-object-lock-configuration — AWS CLI 1.22.24 Command Reference (amazon.com) (External Link)

  • To set an object lock configuration on a bucket
The following put-object-lock-configuration example sets a 1-day object lock on the specified bucket.

$ aws s3api put-object-lock-configuration \
	--profile iam1 \
    --bucket iam-bucket \
    --object-lock-configuration '{ "ObjectLockEnabled": "Enabled", "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 1 }}}'

This command produces no output.

  • put-object-legal-hold
$ aws s3api put-object-legal-hold --endpoint http://<hostname>:<port_number> --profile iam1 --bucket iam-bucket --key file1.txt --legal-hold "Status=ON"
where:
	--profile: name of profile is profile confirmed in .aws credentials file
	--bucket: Bucket name
	--key: Object name
	--legal-hold: ON or OFF
	--version-id: specifies the version id of the object for Versioned 
	--endpoint: ECS IP and port 9020 or 90201
  • get-object-legal-hold
$ aws s3api get-object-legal-hold --endpoint http://<hostname>:<port_number> --profile iam1 --bucket iam-bucket --key file1.txt
where:
	--bucket: Bucket name
	--key: Object name
	--version-id: specifies the version id of the object
	--endpoint: ECS IP and port 9020 or 90201

Affected Products

Elastic Cloud Storage

Products

ECS Appliance, ECS Appliance Hardware Series, ECS Appliance Software with Encryption, Elastic Cloud Storage
Article Properties
Article Number: 000020564
Article Type: How To
Last Modified: 02 Oct 2025
Version:  6
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.