NetBackup™ Deduplication Guide

IAM workflow

This section describes the typical IAM workflow. You can install the AWS CLI to send the IAM-related API requests that complete these tasks.

  1. Reset and get S3 server root user's credentials.

    Create root user credentials. You can use the root user to create users with limited permissions.

    After S3 interface for MSDP is configured, run the following command to create root user's credentials:

    /usr/openv/pdde/vxs3/cfg/script/s3srv_config.sh --reset-iam-root

    You can also use this command if you have lost the root user's access keys. The new access key and secret key of the root user are available in the command output.

  2. Create a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam create-user --user-name <USER_NAME>

  3. Attach one or more policies to a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam put-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME> --policy-document file://<POLICY_DOCUMENT_FILE_PATH>

  4. Create access key for a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam create-access-key [--user-name <USER_NAME>]

    Note:

    If you omit the --user-name option, the access key is created under the user who sends the request.

  5. Delete access key for a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam delete-access-key [--user-name <USER_NAME>] --access-key-id <ACCESS_KEY>

    Note:

    If you omit the --user-name option, the access key is deleted under the user who sends the request. You cannot delete the last active access key of a root user.

  6. List access keys for a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam list-access-keys [--user-name <USER_NAME>]

    Note:

    If you omit the --user-name option, the access keys are listed for the user who sends the request.

  7. Update an access key's status for a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam update-access-key [--user-name <USER_NAME>] --access-key-id <ACCESS_KEY> --status [Active | Inactive]

    If you omit the --user-name option, the access key is updated under the user who sends the request.

    The --status option must be followed by Active or Inactive (case sensitive).

    You cannot update the last active access key of the root user to Inactive status.

  8. Get a specific user policy.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>

  9. List all attached policies for a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam list-user-policies --user-name <USER_NAME>

  10. Delete a user policy.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>

  11. Get user information.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam get-user --user-name <USER_NAME>

  12. List all users.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam list-users

  13. Delete a user.

    aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam delete-user --user-name <USER_NAME>

    Note:

    Before you delete a user, you must delete the user policies and access keys that are attached to the user. You cannot delete a root user.
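
The access-key commands from steps 4 to 7, combined into a key rotation that creates the replacement key before the old one is deactivated and deleted. This is an added example, not part of the NetBackup documentation. It assumes the AWS CLI's standard `--query` and `--output` options and responses in the AWS IAM shape; the function names, the `MSDP_ENDPOINT` and `CA_BUNDLE` variables and the output file are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): rotate one user's access key using the
# create / update / list / delete access-key commands from steps 4-7.
set -eu

# Assumptions: placeholder endpoint from the page; CA_BUNDLE is optional.
MSDP_ENDPOINT="${MSDP_ENDPOINT:-https://<MSDP_HOSTNAME>:8443}"
CA_BUNDLE="${CA_BUNDLE:-}"

# Send one IAM call to the MSDP endpoint, trusting CA_BUNDLE when it is set.
msdp_iam() {
  if [ -n "$CA_BUNDLE" ]; then
    aws --endpoint "$MSDP_ENDPOINT" --ca-bundle "$CA_BUNDLE" iam "$@"
  else
    aws --endpoint "$MSDP_ENDPOINT" iam "$@"
  fi
}

# rotate_access_key USER OLD_KEY_ID OUT_FILE -> prints the new access key ID
rotate_access_key() {
  r_user=$1; r_old=$2; r_out=$3
  # Refuse to overwrite an existing file before any key is created.
  [ ! -e "$r_out" ] || { echo "refusing to overwrite $r_out" >&2; return 1; }

  # 1. Create the replacement first so the user always has one active key.
  r_new=$(msdp_iam create-access-key --user-name "$r_user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  r_id=$(printf '%s\n' "$r_new" | cut -s -f1)
  r_secret=$(printf '%s\n' "$r_new" | cut -s -f2)
  [ -n "$r_id" ] && [ -n "$r_secret" ] || { echo "no key returned" >&2; return 1; }

  # 2. Store the secret in an owner-only file; it is never echoed.
  ( umask 077; printf '%s\t%s\n' "$r_id" "$r_secret" > "$r_out" )

  # 3. Deactivate the old key, then confirm its status before deleting it.
  msdp_iam update-access-key --user-name "$r_user" \
    --access-key-id "$r_old" --status Inactive >/dev/null
  r_status=$(msdp_iam list-access-keys --user-name "$r_user" \
    --query "AccessKeyMetadata[?AccessKeyId=='$r_old'].Status" --output text)
  [ "$r_status" = "Inactive" ] || { echo "$r_old is not Inactive" >&2; return 1; }
  msdp_iam delete-access-key --user-name "$r_user" --access-key-id "$r_old" >/dev/null
  printf '%s\n' "$r_id"
}

# Run only when called as: script USER OLD_KEY_ID OUT_FILE
if [ "$#" -eq 3 ]; then rotate_access_key "$@"; fi
```

In practice, leave the old key Inactive until every client is confirmed to be using the new key, and delete it only then.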
