Using Replication

Replication provides protection from regional outages, aids in disaster recovery efforts, and addresses data redundancy compliance requirements. Maintaining multiple copies of data in regional locations closer to user access can also reduce latency.

This topic describes Object Storage replication and provides details on how to replicate the objects in one bucket to another bucket in the same region or a different region.

About Object Storage Replication

Enabling Object Storage replication is as simple as creating a replication policy on the source bucket that identifies the region and the bucket to replicate to. After the replication policy is created, the destination bucket is read-only and updated only by replication from the source bucket. Objects uploaded to a source bucket after policy creation are asynchronously replicated to the destination bucket. Objects uploaded to a source bucket before policy creation are not replicated.

Replication overwrites any object in the destination bucket that has the same name as an object in the source bucket. A replicated object has the same name, metadata, ETag, and MD5 value as the object in the source bucket. The creation timestamp, modified timestamp, and archival state can be different, so these attributes are not replicated from the source.

Required IAM Policies

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

If you're new to policies, see Getting Started with Policies and Common Policies.

Warning

Replication does not work if you do not authorize the Object Storage service to replicate objects on your behalf. See Service Permissions for more information.

User Permissions

You must have the required access to both the source and destination buckets when configuring replication. You must also have permissions to manage objects in the source and destination buckets.

For administrators:

  • You can create a policy that lets the specified IAM group manage Object Storage namespaces, buckets, and their associated objects in all compartments in the tenancy. For example, here is a simple user access policy that lets a StorageAdmins group do anything with the Object Storage service resources in the tenancy:

    Allow group StorageAdmins to manage object-family in tenancy
  • Alternatively, you can create policies that reduce the scope of access. For example, you can create the policies to let the StorageAdmins group manage buckets and objects in a compartment called ObjectStore in the tenancy:

    Allow group StorageAdmins to manage buckets in compartment ObjectStore
    Allow group StorageAdmins to manage objects in compartment ObjectStore

For more information about other alternatives for writing policies, see Details for Object Storage, Archive Storage, and Data Transfer.

Service Permissions

Because Object Storage is a regional service, you must authorize the Object Storage service for each region carrying out replication on your behalf. For example, you might authorize the Object Storage service in region US East (Ashburn) to manage objects on your behalf. Once you authorize the Object Storage service, you can replicate the objects in a bucket in US East (Ashburn) to a bucket in another region.

To determine the region identifier value of an Oracle Cloud Infrastructure region, see Regions and Availability Domains.

For administrators:

To enable replication, you must authorize the service to manage objects on your behalf:

  • For example, here is a service access policy that lets the Object Storage service do anything with the resources in the tenancy in the US West (Phoenix) region:

    Allow service objectstorage-us-phoenix-1 to manage object-family in tenancy
  • Alternatively, you can create policies that reduce the scope of access. For example, you can create a policy that lets the Object Storage service do anything with the resources in a compartment called ObjectStore in the US West (Phoenix) region:

    Allow service objectstorage-us-phoenix-1 to manage object-family in compartment ObjectStore
  • If you create more restrictive policies that grant individual permissions, BUCKET_READ, BUCKET_UPDATE, OBJECT_READ, OBJECT_INSPECT, OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_RESTORE, OBJECT_DELETE are required for replication.
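
An added example, not part of Oracle's documentation: a small Python audit that reads policy statements, finds the Object Storage service grant for each region that runs replication, and reports whether the eight permissions listed above are covered and how wide the scope is. It assumes individual permissions are written as a brace-enclosed list (`{BUCKET_READ, ...}`); the function name, the sample statements, and the `us-ashburn-1` and `eu-frankfurt-1` region identifiers are illustrative, and each statement is judged on its own rather than combined with others.

```python
import re
# The eight permissions the page lists as required for replication.
REQUIRED = {
    "BUCKET_READ", "BUCKET_UPDATE", "OBJECT_READ", "OBJECT_INSPECT",
    "OBJECT_CREATE", "OBJECT_OVERWRITE", "OBJECT_RESTORE", "OBJECT_DELETE",
}

# Matches only Object Storage service statements; group/user statements are skipped.
STATEMENT = re.compile(
    r"^\s*allow\s+service\s+objectstorage-(?P<region>[a-z0-9-]+)\s+to\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<verb>\w+)\s+(?P<rtype>[\w-]+))\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)

def audit(statements, regions):
    """Return {region: [findings]} for each region identifier that runs replication."""
    findings = {r.lower(): [] for r in regions}
    for text in statements:
        m = STATEMENT.match(text)
        if not m or m["region"].lower() not in findings:
            continue
        if m["perms"] is not None:  # assumed form: {PERM_A, PERM_B, ...}
            granted = {p.strip().upper() for p in m["perms"].split(",") if p.strip()}
        elif (m["verb"].lower(), m["rtype"].lower()) == ("manage", "object-family"):
            granted = set(REQUIRED)  # the grant used in the page's own examples
        else:
            granted = None  # other verbs/resource-types are not evaluated here
        scope = " ".join(m["scope"].split())
        if granted is None:
            result = "REVIEW: grant not evaluated"
        elif REQUIRED - granted:
            result = "INCOMPLETE: missing " + ", ".join(sorted(REQUIRED - granted))
        elif scope.lower() == "tenancy":
            result = "OK, but tenancy-wide"
        else:
            result = "OK"
        findings[m["region"].lower()].append(f"{result} (in {scope})")
    return {r: f or ["MISSING: no service statement"] for r, f in findings.items()}

# Constructed sample policy statements, not taken from a real tenancy.
SAMPLE = [
    "Allow group StorageAdmins to manage object-family in tenancy",
    "Allow service objectstorage-us-phoenix-1 to manage object-family in tenancy",
    "Allow service objectstorage-us-ashburn-1 to {BUCKET_READ, BUCKET_UPDATE, OBJECT_READ, "
    "OBJECT_INSPECT, OBJECT_CREATE, OBJECT_OVERWRITE} in compartment ObjectStore",
]
if __name__ == "__main__":
    print(audit(SAMPLE, ["us-phoenix-1", "us-ashburn-1", "eu-frankfurt-1"]))
```

A region reported as MISSING or INCOMPLETE is one where, per the warning above, replication will not work until the service grant is corrected.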

Scope and Constraints

  • Replication policy creation does not automatically create a destination bucket. Create the destination bucket before creating the replication policy on the source bucket.
  • A source or destination bucket can be in the Standard (Object Storage) or Archive Storage tier.
  • Maximum of one replication policy per bucket.
  • Maximum of one destination for each replication source bucket.
  • A destination bucket cannot also be a replication source. Chained replication is not supported.
  • After the replication policy is created, the destination bucket is read-only and updated only by replication from the source bucket.

Interaction Between Replication and Other Object Storage Features

This section describes some key things you need to know about the interaction between replication and other Object Storage features.

Lifecycle Management

You can combine replication with Lifecycle Management policies that manage the archiving and deletion of objects. Lifecycle policies must, however, honor the read-only properties of the replication destination bucket. A lifecycle policy that deletes objects from the replication destination bucket does not work. Carefully review and test any combination of replication and lifecycle policies that you implement.

Here are examples of combination policies that might benefit you:

  • You can create a lifecycle policy on the source that deletes objects with certain file extensions after a specified number of days. The result of that deletion would also be reflected in the replication destination.
  • You can create a lifecycle policy on the destination that archives objects after a specified number of days. If you do not need immediate access to those objects, you could benefit from reduced storage costs.

Server-Side Encryption Using Your Own Keys

Replication cannot replicate objects that have been encrypted with an SSE-C key. For more information, see Using Your Own Keys for Server-Side Encryption.

Stopping Replication

Stopping replication can be initiated from either the replication source or the destination.

  • To stop replication from the source, delete the replication policy. Deleting a replication policy is permanent. You cannot recover a deleted policy. If you want to replicate to that target destination again, create a new policy.
  • To stop replication from the destination, make the destination bucket writable again. When you make the bucket writable, the destination bucket no longer accepts replication requests from the source. Replication status on the source changes from active to a client error state. If you want this destination to again be the target replication destination, delete the policy on the source bucket and create a new policy.

Troubleshooting Replication

This topic provides troubleshooting solutions for issues you might encounter using replication.

Unable to create a replication policy on the source bucket
Policy is in error on the source bucket
Unable to stop replication on the destination bucket and make the bucket writable

Using the Console

To create a replication policy
To view the source replication policy details
To view the destination replication policy details
To stop replication on the destination bucket and make the bucket writable
To delete the replication policy on the source bucket

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see the Command Line Reference.

To create a replication policy
To view the replication policy details
To list replication policies
To list the replication source for a destination bucket
To stop replication on the destination bucket and make the bucket writable
To delete the replication policy on the source bucket

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to use and manage replication: