Update AWS S3 blobstore configuration to Storage CLI

Author: jochenehret

common/cc-blobstore-config.html.md.erb

@@ -21,9 +21,9 @@ WebDAV is also supported for an internal blobstore, and blobstores on NFS-mounte
 
 This document describes the following common blobstore configurations:
 
-* [Fog with AWS Credentials](#fog-aws-creds)
-* [Fog with AWS Server Side Encryption](#fog-aws-sse)
-* [Fog with AWS IAM Instance Profiles](#fog-aws-iam)
+* [Storage CLI with AWS Credentials](#storage-cli-aws)
+* [Storage CLI with AWS Server Side Encryption](#storage-cli-aws-sse)
+* [Storage CLI with AWS IAM Instance Profiles](#storage-cli-aws-iam)
 * [Fog with Google Cloud Storage](#fog-gcs)
 * [Fog with Google Cloud Storage Service Accounts](#fog-gcs-service-account)
 * [Storage CLI with AliCloud Storage](#storage-cli-alicloud)
@@ -32,139 +32,182 @@ This document describes the following common blobstore configurations:
 * [Fog with NFS](#fog-local-nfs)
 * [WebDAV](#webdav) internal blobstore
 
-##<a id="fog-aws-creds"></a> Fog with AWS Credentials
+##<a id="storage-cli-aws"></a> Storage CLI with AWS Credentials
 
-To use Fog blobstores with AWS credentials, do the following:
+To use the Storage CLI blobstore interface with AWS credentials, do the following:
 
 1. Insert the following configuration into your manifest under `properties.cc`:
 
     ```
     cc:
       buildpacks:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
-        fog_connection: &fog_connection
+        connection_config:
           aws_access_key_id: AWS-ACCESS-KEY
           aws_secret_access_key: AWS-SECRET-ACCESS-KEY
-          provider: AWS
-          region: us-east-1
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
       droplets:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
-        fog_connection: *fog_connection
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-DROPLET-BUCKET
       packages:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
-        fog_connection: *fog_connection
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-PACKAGE-BUCKET
       resource_pool:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
-        fog_connection: *fog_connection
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-RESOURCE-BUCKET
     ```
-1. Replace `AWS-ACCESS-KEY` and `AWS-SECRET-ACCESS-KEY` with your AWS credentials.
+1. Replace `AWS-ACCESS-KEY` and `AWS-SECRET-ACCESS-KEY` with your AWS credentials. Replace `AWS-REGION` with the region of your AWS buckets.
 
-1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets. 
+1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.
 
-1. (Optional) Provide additional configuration through the `fog_connection` hash, which is passed through to the Fog gem.
+1. (Optional) Provide additional configuration through the `connection_config` hash, which is passed through to the Storage CLI. For more information about configuration options, see the [S3-Specific Configuration][storage-cli-s3-options].
 
-##<a id="fog-aws-sse"></a> Fog with AWS Server-Side Encryption
+##<a id="storage-cli-aws-sse"></a> Storage CLI with AWS Server-Side Encryption
 
 AWS S3 offers Server-Side Encryption at rest. For more information, see <a href="http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html">Protecting Data Using Server-Side Encryption</a>.
 
 <strong>AWS SSE-S3 blobstore encryption</strong>
 
 1. Insert the following configuration into your manifest under `properties.cc`:
 
-      ```
-      cc:
-        buildpacks:
-          blobstore_type: fog
-          buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
-          fog_connection: &fog_connection
-            aws_access_key_id: AWS-ACCESS-KEY
-            aws_secret_access_key: AWS-SECRET-ACCESS-KEY
-            provider: AWS
-            region: us-east-1
-          fog_aws_storage_options: &fog_aws_storage_options
-            encryption: 'AES256'
-        droplets:
-          blobstore_type: fog
-          droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
-          fog_connection: *fog_connection
-          fog_aws_storage_options: *fog_aws_storage_options
-        packages:
-          blobstore_type: fog
-          app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
-          fog_connection: *fog_connection
-          fog_aws_storage_options: *fog_aws_storage_options
-        resource_pool:
-          blobstore_type: fog
-          resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
-          fog_connection: *fog_connection
-          fog_aws_storage_options: *fog_aws_storage_options
-      ```
-
-1. Replace `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY` with your AWS credentials.
-
-1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets. 
-
-1. You can provide further configuration through the `fog_connection` hash, which is passed through to the Fog gem.
-
-1. `fog_aws_storage_options` takes a hash with the key `encryption`. Operators can set its value to a type of encryption algorithm. In the configuration information above, `encryption` is set to `AES256` to enable AWS SSE-S3 encryption. 
-
-1. You can provide further configuration through the `fog_aws_storage_options` hash, which is passed through to the Fog gem.
+    ```
+    cc:
+      buildpacks:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
+          server_side_encryption: AES256
+      droplets:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-DROPLET-BUCKET
+          server_side_encryption: AES256
+      packages:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-PACKAGE-BUCKET
+          server_side_encryption: AES256
+      resource_pool:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-RESOURCE-BUCKET
+          server_side_encryption: AES256
+    ```
+
+1. Replace `AWS-ACCESS-KEY` and `AWS-SECRET-ACCESS-KEY` with your AWS credentials. Replace `AWS-REGION` with the region of your AWS buckets.
+
+1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.
+
+1. Set the value of the `server_side_encryption` key to a type of encryption algorithm. In the configuration information above, `server_side_encryption` is set to `AES256` to enable AWS SSE-S3 encryption.
+
+1. (Optional) Provide additional configuration through the `connection_config` hash, which is passed through to the Storage CLI. For more information about configuration options, see the [S3-Specific Configuration][storage-cli-s3-options].
 
 <strong>AWS SSE-KMS blobstore encryption</strong>
 
 1. Obtain your KMS Key ID. For information about managing KMS keys, see the <a href='http://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html'>AWS Key Management Service Getting Started guide.</a>
 
 1. Insert the following configuration into your manifest under `properties.cc`:
 
-      ```
-      cc:
-        buildpacks:
-          blobstore_type: fog
-          buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
-          fog_connection: &fog_connection
-            aws_access_key_id: AWS-ACCESS-KEY
-            aws_secret_access_key: AWS-SECRET-ACCESS-KEY
-            provider: AWS
-            region: us-east-1
-          fog_aws_storage_options: &fog_aws_storage_options
-            encryption: 'aws:kms'
-            x-amz-server-side-encryption-aws-kms-key-id: "YOUR-AWS-KMS-KEY-ID"
-        droplets:
-          blobstore_type: fog
-          droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
-          fog_connection: *fog_connection
-          fog_aws_storage_options: *fog_aws_storage_options
-        packages:
-          blobstore_type: fog
-          app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
-          fog_connection: *fog_connection
-          fog_aws_storage_options: *fog_aws_storage_options
-        resource_pool:
-          blobstore_type: fog
-          resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
-          fog_connection: *fog_connection
-          fog_aws_storage_options: *fog_aws_storage_options
-      ```
-
-1. Replace `AWS-ACCESS-KEY` and `AWS-SECRET-ACCESS-KEY` with your AWS credentials. 
-
-1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets.  Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets. 
-
-1. You can provide further configuration through the `fog_connection` hash, which is passed through to the Fog gem.
-
-1. Replace `YOUR-AWS-KMS-KEY-ID` with your KMS Key ID. 
-
-1. `fog_aws_storage_options` takes a hash with the key `encryption`. Operators can set its value to a type of encryption algorithm. In the configuration information above, `encryption` is set to `aws:kms` to enable AWS SSE-KMS encryption. 
-
-1. You can provide further configuration through the `fog_aws_storage_options` hash, which is passed through to the Fog gem.
-
-##<a id="fog-aws-iam"></a> Fog with AWS IAM Instance Profiles
-
-To configure Fog blobstores to use <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html">AWS IAM Instance Profiles</a>, do the following:
+    ```
+    cc:
+      buildpacks:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
+          server_side_encryption: "aws:kms"
+          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
+      droplets:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-DROPLET-BUCKET
+          server_side_encryption: "aws:kms"
+          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
+      packages:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-PACKAGE-BUCKET
+          server_side_encryption: "aws:kms"
+          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
+      resource_pool:
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
+        resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
+        connection_config:
+          aws_access_key_id: AWS-ACCESS-KEY
+          aws_secret_access_key: AWS-SECRET-ACCESS-KEY
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-RESOURCE-BUCKET
+          server_side_encryption: "aws:kms"
+          x-amz-server-side-encryption-aws-kms-key-id: YOUR-AWS-KMS-KEY-ID
+    ```
+
+1. Replace `AWS-ACCESS-KEY` and `AWS-SECRET-ACCESS-KEY` with your AWS credentials. Replace `AWS-REGION` with the region of your AWS buckets.
+
+1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets.  Do not use periods (`.`) in your AWS bucket names. In the AWS console, you must assign your credentials an IAM policy that allows all S3 actions on all of these buckets.
+
+1. Set the `server_side_encryption` key to the value `aws:kms`. Replace `YOUR-AWS-KMS-KEY-ID` with your KMS Key ID.
+
+1. (Optional) Provide additional configuration through the `connection_config` hash, which is passed through to the Storage CLI. For more information about configuration options, see the [S3-Specific Configuration][storage-cli-s3-options].
+
+##<a id="storage-cli-aws-iam"></a> Storage CLI with AWS IAM Instance Profiles
+
+To configure the Storage CLI to use <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html">AWS IAM Instance Profiles</a>, do the following:
 
 1. Configure an additional <code>cloud-controller</code> IAM role with the following policy to give access to the S3 buckets you plan to use:
 
@@ -227,29 +270,44 @@ To configure Fog blobstores to use <a href="http://docs.aws.amazon.com/IAM/lates
     ```
     cc:
       buildpacks:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         buildpack_directory_key: YOUR-AWS-BUILDPACK-BUCKET
-        fog_connection: &fog_connection
-          provider: AWS
-          region: us-east-1
-          use_iam_profile: true
+        connection_config:
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-BUILDPACK-BUCKET
+          credentials_source: cloud-controller
       droplets:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         droplet_directory_key: YOUR-AWS-DROPLET-BUCKET
-        fog_connection: *fog_connection
+        connection_config:
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-DROPLET-BUCKET
+          credentials_source: cloud-controller
       packages:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         app_package_directory_key: YOUR-AWS-PACKAGE-BUCKET
-        fog_connection: *fog_connection
+        connection_config:
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-PACKAGE-BUCKET
+          credentials_source: cloud-controller
       resource_pool:
-        blobstore_type: fog
+        blobstore_provider: AWS
+        blobstore_type: storage-cli
         resource_directory_key: YOUR-AWS-RESOURCE-BUCKET
-        fog_connection: *fog_connection
+        connection_config:
+          region: AWS-REGION
+          bucket_name: YOUR-AWS-RESOURCE-BUCKET
+          credentials_source: cloud-controller
     ```
 
-    Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names.
+1. Replace `AWS-REGION` with the region of your AWS buckets.
 
-1. (Optional) Provide other configuration with the `fog_connection` hash, which is passed through to the Fog gem.
+1. Replace `YOUR-AWS-BUILDPACK-BUCKET`, `YOUR-AWS-DROPLET-BUCKET`, `YOUR-AWS-PACKAGE-BUCKET`, and `YOUR-AWS-RESOURCE-BUCKET` with the names of your AWS buckets. Do not use periods (`.`) in your AWS bucket names.
+
+1. (Optional) Provide additional configuration through the `connection_config` hash, which is passed through to the Storage CLI. For more information about configuration options, see the [S3-Specific Configuration][storage-cli-s3-options].
 
 ##<a id="fog-gcs"></a>Fog with Google Cloud Storage
 
@@ -622,3 +680,4 @@ To configure your blobstores to use the WebDAV protocol, perform the steps below
 [azure-name-restrictions]: https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions#storage
 [alicloud-name-restrictions]: https://www.alibabacloud.com/help/en/oss/user-guide/bucket-naming-conventions
 [alicloud-regions-and-endpoints]: https://www.alibabacloud.com/help/en/oss/user-guide/regions-and-endpoints
+[storage-cli-s3-options]: https://github.com/cloudfoundry/storage-cli/tree/main/s3