mc ilm tier update
Changed in version RELEASE.2022-12-24T15-21-38Z: mc ilm tier update replaces mc admin tier edit.
Description
The mc ilm tier update command modifies an existing configured remote tier.
Use mc admin on MinIO Deployments Only
MinIO does not support using mc admin commands with other
S3-compatible services, regardless of their claimed compatibility with MinIO
deployments.
Supported S3 Services
mc ilm tier supports only the following S3-compatible services as a remote target for object tiering:
- MinIO 
- Amazon S3 
- Google Cloud Storage 
- Azure Blob Storage 
Required Permissions
MinIO requires the following permissions scoped to the bucket or buckets for which you are creating lifecycle management rules.
MinIO also requires the following administrative permissions on the cluster in which you are creating remote tiers for object transition lifecycle management rules:
For example, the following policy provides permission for configuring object transition lifecycle management rules on any bucket in the cluster:
{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Action": [
               "admin:SetTier",
               "admin:ListTier"
            ],
            "Effect": "Allow",
            "Sid": "EnableRemoteTierManagement"
      },
      {
            "Action": [
               "s3:PutLifecycleConfiguration",
               "s3:GetLifecycleConfiguration"
            ],
            "Resource": [
                        "arn:aws:s3:::*"
            ],
            "Effect": "Allow",
            "Sid": "EnableLifecycleManagementRules"
      }
   ]
}
Transition Permissions
Object transition lifecycle management rules require additional permissions on the remote storage tier. Specifically, MinIO requires that the remote tier credentials provide read, write, list, and delete permissions.
For example, if the remote storage tier implements AWS IAM policy-based access control, the following policy provides the necessary permission for transitioning objects into and out of the remote tier:
{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Action": [
               "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::MyDestinationBucket"
            ],
            "Sid": ""
      },
      {
            "Action": [
               "s3:GetObject",
               "s3:PutObject",
               "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
               "arn:aws:s3:::MyDestinationBucket/*"
            ],
            "Sid": ""
      }
   ]
}
Modify the Resource for the bucket into which MinIO tiers objects.
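The following added example (not part of the MinIO documentation) audits a remote tier credential policy against the read, write, list, and delete permissions described above before the credentials are rotated into the tier. The function name audit_tier_policy and the sample BROAD_POLICY are assumptions made for illustration; the check reads Allow statements only.

```python
from fnmatch import fnmatchcase

# Actions the page requires of the remote tier credentials, by resource kind.
REQUIRED = {
    "bucket": {"s3:ListBucket"},
    "object": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"},
}

def _listify(value):
    """IAM allows a single string/object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit_tier_policy(policy, bucket):
    """Return (missing, excess) for a tier-credential policy (hypothetical helper).

    missing: required actions not allowed on the tier bucket or its objects.
    excess:  (action, resource) grants beyond the page's example policy.
    Only Allow statements are read; Deny, NotAction and Condition are ignored.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    probes = {"bucket": bucket_arn, "object": f"{bucket_arn}/probe-key"}
    expected = {bucket_arn, f"{bucket_arn}/*"}
    required = REQUIRED["bucket"] | REQUIRED["object"]
    granted, excess = set(), []
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _listify(stmt.get("Action")):
            for resource in _listify(stmt.get("Resource")):
                for kind, probe in probes.items():
                    if fnmatchcase(probe, resource):  # IAM-style * and ? wildcards
                        granted |= {a for a in REQUIRED[kind]
                                    if fnmatchcase(a.lower(), action.lower())}
                if action not in required or resource not in expected:
                    excess.append((action, resource))
    return sorted(required - granted), excess

# Constructed sample: a broad policy someone might attach instead of the page's.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}

if __name__ == "__main__":
    print(audit_tier_policy(BROAD_POLICY, "MyDestinationBucket"))
```

An empty missing list with a non-empty excess list means the tier will work but the credentials reach beyond the tier bucket, which is worth narrowing before the new keys are stored in the tier configuration.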
Defer to the documentation for the supported tiering targets for more complete information on configuring users and permissions to support MinIO tiering:
Syntax
The following example updates the credentials for an existing remote tier called S3TIER on the myminio deployment.
 mc ilm tier update myminio S3TIER --access-key ACCESS_KEY --secret-key SECRET_KEY
After running this command, lifecycle management rules on the myminio deployment use the tier’s new credentials to transition objects into the remote location.
Options not modified in the command maintain their existing configurations.
The command has the following syntax:
mc ilm tier update TARGET                         \
                   TIER_NAME                      \
                   [--account-key value]          \
                   [--access-key value]           \
                   [--az-sp-tenant-id value]      \
                   [--az-sp-client-id value]      \
                   [--az-sp-client-secret value]  \
                   [--secret-key value]           \
                   [--use-aws-role]               \
                   [--credentials-file value]
- Brackets [] indicate optional parameters.
- Parameters sharing a line are mutually dependent.
- Parameters separated using the pipe | operator are mutually exclusive.
Copy the example to a text editor and modify as needed before running the command in the terminal/shell.
Parameters
The command accepts the following arguments:
- TARGET
- Required. The alias of a configured MinIO deployment.
- TIER_NAME
- Required. The name of the remote tier the command modifies. The value corresponds to the mc ilm tier add TIER_NAME specified when creating the remote tier.
- --access-key
- Optional. The access key for a user on the remote S3 or MinIO tier. The user must have permission to perform read/write/list/delete operations on the remote bucket or bucket prefix. This option only applies to remote storage tiers whose TIER_TYPE is s3 or minio. This option has no effect for any other TIER_TYPE.
- --secret-key
- Optional. The secret key for a user on the remote s3 or minio tier. This option only applies to remote storage tiers whose TIER_TYPE is s3 or minio. This option has no effect for any other TIER_TYPE.
- --use-aws-role
- Optional. Use the access permission for the locally configured AWS Role. This option only applies if TIER_TYPE is s3 or minio. This option has no effect for any other value of TIER_TYPE.
- --account-key
- Optional. The account key for a user on a remote Azure tier. Required for Azure tier types. Use this option to rotate the credentials for the --account-name associated with the remote tier. This option only applies to remote storage tiers whose TIER_TYPE is azure. This option has no effect for any other type of login.
- --az-sp-tenant-id
- Optional. New in version mc: RELEASE.2024-07-03T20-17-25Z. Directory ID for the Azure service principal account. This option only applies to remote storage tiers whose TIER_TYPE is azure. This option has no effect for any other type of login.
- --az-sp-client-id
- Optional. New in version mc: RELEASE.2024-07-03T20-17-25Z. Client ID of the Azure service principal account. Requires --az-sp-client-secret. This option only applies to remote storage tiers whose TIER_TYPE is azure. This option has no effect for any other type of login.
- --az-sp-client-secret
- Optional. New in version mc: RELEASE.2024-07-03T20-17-25Z. The secret for the Azure service principal account. Requires --az-sp-client-id. This option only applies to remote storage tiers whose TIER_TYPE is azure. This option has no effect for any other type of login.
- --credentials-file
- Optional. Required for Google Cloud Storage tier types. The credential file for a user on the remote GCS tier. The user must have permission to perform read/write/list/delete operations on the remote bucket or bucket prefix. This option only applies to remote storage tiers whose TIER_TYPE is gcs. This option has no effect for any other type of login.
Global Flags
This command supports any of the global flags.
Examples
Rotate Credentials for an S3 Remote Tier
The following example updates the credentials for an S3 remote tier called S3TIER on the myminio deployment.
mc ilm tier update myminio S3TIER --access-key ACCESS_KEY --secret-key SECRET_KEY
- Replace S3TIER with the name for your Amazon Simple Storage Solution tier.
- Replace ACCESS_KEY with the updated access key for your S3 storage.
- Replace SECRET_KEY with the updated secret key for the access key provided.
Rotate Credentials for an Azure Blob Storage Remote Tier
The following example updates the credentials for an Azure remote tier called AZTIER on the myminio deployment.
mc ilm tier update myminio AZTIER --account-key ACCOUNT-KEY
- Replace AZTIER with the name for your Azure tier.
- Replace ACCOUNT-KEY with the updated key for your Azure storage.
Rotate Credentials for a Google Cloud Storage Remote Tier
The following example updates the credentials for a Google Cloud Storage remote tier called GCSTIER on the myminio deployment.
 mc ilm tier update myminio GCSTIER --credentials-file /path/to/credentials.json
- Replace GCSTIER with the name for your Google Cloud Storage tier.
- Replace /path/to/credentials.json with the path of the updated credential file to use to access the remote storage.
S3 Compatibility
The mc command-line tool is built for compatibility with the AWS S3 API and is tested with MinIO and AWS S3 for expected functionality and behavior.
MinIO provides no guarantees for other S3-compatible services, as their S3 API implementation is unknown and therefore unsupported. While mc commands may work as documented, any such usage is at your own risk.
Required Permissions
For permissions required to modify a tier, refer to the required permissions on the parent command.
