| title | Configure object REST API in Azure NetApp Files |
|---|---|
| description | Learn how to configure object REST API to manage S3 objects in Azure NetApp Files. |
| services | azure-netapp-files |
| author | b-ahibbard |
| ms.service | azure-netapp-files |
| ms.topic | how-to |
| ms.date | 10/29/2025 |
| ms.author | anfdocs |
Azure NetApp Files supports access to S3 objects with the object REST API feature. With the object REST API feature, you can connect to services including Azure AI Search, Microsoft Foundry, Azure Databricks, OneLake, and others.
The object REST API feature in Azure NetApp Files is currently in preview. You must submit a waitlist request to use the object REST API feature. Activation takes approximately one week. An email notification is sent to confirm your enrollment in the preview.
You must generate a PEM-formatted SSL certificate. You can create the SSL certificate in the Azure portal or with a script.
See the Azure Key Vault documentation for adding a certificate to Key Vault.
When creating the certificate, ensure:
- the Content Type is set to PEM
- the Subject field is set to the IP address or fully qualified domain name (FQDN) of your Azure NetApp Files endpoint using the format `"CN=<IP or FQDN>"`
- the DNS Names entry specifies the IP address or FQDN
:::image type="content" source="./media/object-rest-api-access-configure/create-certificate.png" alt-text="Screenshot of create certificate options." lightbox="./media/object-rest-api-access-configure/create-certificate.png":::
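A pre-upload check for the requirements listed above, as an added example that is not part of the Azure NetApp Files documentation: `check_cert` confirms that a file is PEM-encoded, that its subject CN and a subject alternative name entry both equal the endpoint, and that it has not expired. `make_cert` is a hypothetical helper that builds a throwaway certificate to exercise the check; it assumes OpenSSL 1.1.1 or later (for `-addext`), and the endpoint names are constructed placeholders.

```shell
#!/bin/sh
# Added example: the function names and endpoint values are assumptions for illustration.

# make_cert <endpoint> <dir>: self-signed cert with CN and SAN both set to the endpoint
make_cert() {
    name=$1; dir=$2
    case $name in
        *[!0-9.]*) san="DNS:$name" ;;   # anything non-numeric is treated as an FQDN
        *)         san="IP:$name" ;;    # dotted IPv4 address
    esac
    mkdir -p "$dir/private" && chmod 700 "$dir/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/private/server-key.pem" -out "$dir/server-cert.pem" \
        -subj "/CN=$name" -addext "subjectAltName=$san" 2>/dev/null
}

# check_cert <pem> <endpoint>: returns 0 only if every requirement holds
check_cert() {
    pem=$1; name=$2
    # 1. PEM encoding (DER or PFX files fail here)
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo "not PEM"; return 1; }
    # 2. Subject CN equals the endpoint
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$name" ] || { echo "CN is '$cn', expected '$name'"; return 1; }
    # 3. SAN has an exact DNS or IP entry for the endpoint (no substring matches)
    openssl x509 -in "$pem" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq -e "DNS:$name" -e "IP Address:$name" ||
        { echo "no SAN entry for $name"; return 1; }
    # 4. Not expired
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired"; return 1; }
    echo "ok: $pem matches $name"
}
```

Run `check_cert <path to PEM file> <IP or FQDN>` against the file you intend to upload; a non-zero exit status names the first requirement that failed.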
You can also create the certificate locally with a script. Set the computer name (`CN=`) to the IP address or fully qualified domain name (FQDN) of your object REST API-enabled endpoint. The script creates a folder that includes the necessary PEM file and private keys.
Create and run the following script:
```bash
#!/bin/sh
# Stop on the first failed command so a partial certificate set is never left behind
set -e

# Define certificate details
CERT_DAYS=365
RSA_STR_LEN=2048
CERT_DIR="./certs"
KEY_DIR="./certs/private"
CN="mylocalsite.local"  # Replace with the IP address or FQDN of your endpoint

# Create directories if they don't exist; keep the private key directory owner-only
mkdir -p "$CERT_DIR"
mkdir -p "$KEY_DIR"
chmod 700 "$KEY_DIR"

# Generate private key
openssl genrsa -out "$KEY_DIR/server-key.pem" "$RSA_STR_LEN"

# Generate Certificate Signing Request (CSR)
openssl req -new -key "$KEY_DIR/server-key.pem" -out "$CERT_DIR/server-req.pem" -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=$CN"

# Generate self-signed certificate
openssl x509 -req -days "$CERT_DAYS" -in "$CERT_DIR/server-req.pem" -signkey "$KEY_DIR/server-key.pem" -out "$CERT_DIR/server-cert.pem"

echo "Self-signed certificate created at $CERT_DIR/server-cert.pem"
```
To enable object REST API, you must create a bucket.
- From your NetApp volume, select Buckets.
- To create a bucket, select +Create.
- Provide the following information for the bucket:
  - Name: Specify the name for your bucket. Refer to Naming rules and restrictions for Azure resources for naming conventions.
  - Path: The subdirectory path for object REST API. For full volume access, leave this field blank or use `/` for the root directory.
  - User ID (UID): The UID used to read the bucket.
  - Group ID (GID): The GID used to read the bucket.
  - Permissions: Select Read or Read-Write.

  :::image type="content" source="./media/object-rest-api-access-configure/create-bucket.png" alt-text="Screenshot of create a bucket menu." lightbox="./media/object-rest-api-access-configure/create-bucket.png":::
- If you haven't provided a certificate, upload your PEM file. To upload a certificate, provide the following information:
  - Fully qualified domain name: Enter the fully qualified domain name.
  - Certificate source: Upload the appropriate certificate. Only PEM files are supported.

  Select Save.
- Select Create.
After you create a bucket, you need to generate credentials to access the bucket.
You can modify a bucket's access management settings.
- From your NetApp volume, select Buckets.
- Select +Create.
- Enter the name of the bucket you want to modify.
- Change the access management settings as required.
- You can modify the User ID, Group ID, Username (for SMB or dual-protocol volumes), and Permissions.
- Click Save to modify the existing bucket.
[!NOTE] You cannot modify a bucket's path. To update a bucket's path, delete and re-create the bucket with the new path.
- Navigate to your newly created bucket. Select Generate keys.
- Enter the desired Access key lifespan in days then select Generate keys. After you select Generate keys, the portal displays the access key and secret access key.
[!IMPORTANT] The access key and secret access key are only displayed once. Store the keys securely. Do not share the keys.
- After you set the credentials, you can generate a new access key and secret access key by selecting the `...` menu then selecting Generate access keys. Generating new keys immediately invalidates the existing keys.
Deleting a bucket is a permanent operation. You can't recover the bucket after deleting it.
- In your NetApp account, navigate to Buckets.
- Select the checkbox next to the bucket you want to delete.
- Select Delete.
- In the modal, select Delete to confirm you want to delete the bucket.