Using Dell ECS s3 for snapshots

I am trying to configure a snapshot repository to use an on-premise s3 compatible solution - Dell ECS. When I issue the command to add the repository with our internal endpoint, ES still is attempting to connect to AWS as shown in Wireshark capture. Why is it not using the endpoint I specified?

Did you change the endpoint while creating your repository in elasticsearch?

In the documentation you have this example:

PUT _snapshot/my_s3_repository
{
  "type": "s3",
  "settings": {
    "client": "my-client",
    "bucket": "my-bucket",
    "endpoint": "my.s3.endpoint"
  }
}

Here is my attempt to create the repo:

curl --insecure -X PUT -u "elastic:${ELASTIC_PASSWORD}" "https://localhost:9200/_snapshot/s3_repo" -H 'Content-Type: application/json' -d'
{
  "type": "s3",
  "settings": {
    "bucket": "my-bucket",
    "client": "default",
    "endpoint": "my.s3.provider:9020",
    "protocol": "http",
    "base_path": "snapshots"
  }
}
'

The attempt gets a connection timeout error. I ran a Wireshark capture and it is attempting to connect to 54.85.240.191 which is blocked by my org.

It seems similar to this post.

How many nodes do you have? If you have more than one, did you set set access_key and secret_key in all of them?

As suggested in the linked post, try to run the request again with the parameter ?error_trace to get more information in the logs.

Also, share the response you get for the requests.

I found the issue. Originally, I tried to set the keystore secure settings using these commands:
bin/elasticsearch-keystore add s3.client.default.access_key
bin/elasticsearch-keystore add s3.client.default.secret_key

However, when I deleted those and included them in my definition, it works:

curl --insecure -X PUT -u "elastic:${ELASTIC_PASSWORD}" "https://localhost:9200/_snapshot/s3_repo" -H 'Content-Type: application/json' -d'
{
  "type": "s3",
  "settings": {
    "bucket": "my_bucket",
    "client": "default",
    "endpoint": "my.s3.provider:9020",
    "protocol": "http",
    "base_path": "snapshots",
    "path_style_access": "true",
    "canned_acl": "bucket-owner-full-control",
    "access_key": "my-access-key",
    "secret_key": "my-secret-key"
  }
}
'

I think the issue was ES was trying to validate the creds against AWS when they were set in the keystore. When they are set directly in the snapshot repo, it does not attempt to go out to AWS.

Regardless, I got it working.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.