Merge pull request #314446 from MicrosoftDocs/main

Auto Publish – main to live - 2026-04-08 11:00 UTC

Author: learn-build-service-prod[bot]

articles/azure-netapp-files/media/object-rest-api-access-configure/create-bucket.png

@@ -5,39 +5,78 @@ services: azure-netapp-files
 author: b-ahibbard
 ms.service: azure-netapp-files
 ms.topic: how-to
-ms.date: 10/29/2025
+ms.date: 02/16/2026
 ms.author: anfdocs
 ---
 
-# Configure object REST API in Azure NetApp Files (preview)
+# Configure object REST API for Azure NetApp Files (preview)
 
-Azure NetApp Files supports access to S3 objects with the [object REST API](object-rest-api-introduction.md) feature. With the object REST API feature, you can connect to services including Azure AI Search, Microsoft Foundry, Azure Databricks, OneLake, and others.
+Azure NetApp Files supports access to S3 objects with the [object REST API](object-rest-api-introduction.md) feature. With the object REST API, you can connect to services such as Azure AI Search, Microsoft Fabric, Microsoft Foundry, Azure Databricks, OneLake, and other S3‑compatible clients.
+
+This article describes how to configure object REST API access and walks you through the two supported certificate workflows. Choose the workflow that best matches your security and operational requirements.
 
 ## Register the feature 
 
-The object REST API feature in Azure NetApp Files is currently in preview. You must submit a [waitlist request](https://aka.ms/ANF-object-REST-API-signup) to use the object REST API feature. Activation takes approximately one week. An email notification is sent to confirm your enrollment in the preview. 
+The object REST API feature in Azure NetApp Files is currently in preview. You must submit a [waitlist request](https://aka.ms/ANF-object-REST-API-signup) to use this feature. Activation takes approximately one week, and you receive an email notification once the enrollment is complete. 
 
 ## Create the self-signed certificate
 
-You must generate a PEM-formatted SSL certificate. You can create the SSL certificate in the Azure portal or with a script.  
+Azure NetApp Files supports two certificate options for object REST API access:
 
-<!-- DNS? -->
+1. **Azure Key Vault–based certificates (recommended)**: Certificates are created and stored in Azure Key Vault and the certificate is retrieved directly from Azure Key Vault during bucket creation. 
 
-### [Portal](#tab/portal)
+1. **Direct certificate upload**: PEM certificates are generated and uploaded manually during bucket creation. 
 
-See the [Azure Key Vault documentation for adding a certificate to Key Vault](/azure//key-vault/certificates/quick-create-portal#add-a-certificate-to-key-vault). 
+> [!IMPORTANT]
+> The options you select determines the certificate format you must generate (PKCS#12 vs PEM), and how the certificate is supplied during bucket creation.
 
-When creating the certificate, ensure:
+You must select one of the following options:
+
+### Option 1 (recommended): Azure Key Vault–based certificate
+
+Use this option if you want Azure NetApp Files to read the certificate directly from Azure Key Vault during bucket creation. 
 
-* the **Content Type** is set to PEM
-* the **Subject** field is set to the IP address or fully qualified domain name (FQDN) of your Azure NetApp Files endpoint using the format `"CN=<IP or FQDN>"`
-* the **DNS Names** entry specifies the IP address or FQDN
+See the [Azure Key Vault documentation for adding a certificate to Key Vault](/azure//key-vault/certificates/quick-create-portal#add-a-certificate-to-key-vault).
+
+When creating the certificate in Azure Key Vault, ensure:
+
+* **Content Type**: PKCS#12 
+* **Subject**: IP address or fully qualified domain name (FQDN) of your Azure NetApp Files endpoint using the format `"CN=<IP or FQDN>"`
+* **DNS Names**: IP address or FQDN
 
 :::image type="content" source="./media/object-rest-api-access-configure/create-certificate.png" alt-text="Screenshot of create certificate options." lightbox="./media/object-rest-api-access-configure/create-certificate.png":::
 
-### [Script](#tab/script)
+Once the certificate is successfully created, click on the certificate from the list and review the properties.
+
+* In the Certificate identifier field, note the URI of the vault “https://<vault_name>.azure.net”
+* Note the name of the certificate 
+
+### Required Azure Key Vault permissions
 
-This script creates a certificate locally. Set the computer name `CN=` to the IP address or fully qualified domain name (FQDN) of your object REST API-enabled endpoint. This script creates a folder that includes the necessary PEM file and private keys. 
+To avoid bucket creation failures, ensure that the Azure NetApp Files service has permission to read the certificate from Azure Key Vault. 
+
+At a minimum, the following permissions must be granted:
+
+* Certificates: Get, List, Update, Create, Import, Manage Certificate Authorities, Get Certificate Authorities, List Certificate Authorities, Set Certificate Authorities, Delete Certificate Authorities   
+* Secrets: Get, List, Set, Delete 
+
+> [!NOTE]
+> If these permissions are missing, bucket creation fails when Azure NetApp Files attempts to retrieve the certificate.
+
+
+### Option 2: Direct certificate upload
+
+Use this option if you plan to generate the certificate and upload it manually during bucket creation.
+
+When creating the certificate, ensure:
+
+* **Content Type**: PEM 
+* **Subject**: IP address or fully qualified domain name (FQDN) of your Azure NetApp Files endpoint using the format `"CN=<IP or FQDN>"`
+* **DNS Names**: IP address or FQDN
+
+## Generate the certificate
+
+Use the provided script to generate a self‑signed PEM certificate. The script creates both the certificate and private key files required for upload. Set the computer name `CN=` to the IP address or fully qualified domain name (FQDN) of your object REST API-enabled endpoint. This script creates a folder that includes the necessary PEM file and private keys. 
 
 Create and run the following script:
 
@@ -65,84 +104,172 @@ openssl x509 -req -days $CERT_DAYS -in $CERT_DIR/server-req.pem -signkey $KEY_DI
 
 echo "Self-signed certificate created at $CERT_DIR/server-cert.pem"
 ```
---- 
+After the certificate is created, you will need to create a bucket.
 
 ## Create a bucket
 
-To enable object REST API, you must create a bucket. 
+To enable object REST API, you must create a bucket on an Azure NetApp Files volume. 
 
 1. From your NetApp volume, select **Buckets**. 
-1. To create a bucket, select **+Create**. 
-1. Provide the following information for the bucket:
+1. Select **+Create or update bucket**. 
+1. In Create or update bucket, provide the following information for the bucket:
+
+    **Bucket configuration**
+
     * **Name**
 
         Specify the name for your bucket. Refer to [Naming rules and restrictions for Azure resources](../azure-resource-manager/management/resource-name-rules.md#microsoftnetapp) for naming conventions.
     * **Path**
 
         The subdirectory path for object REST API. For full volume access, leave this field blank or use `/` for the root directory.
 
-    * **User ID (UID)**
+    **Protocol access**
+
+    * **NFS volume**
+
+        * **User ID (UID)**
 
-        The UID used to read the bucket.
+             The UID used to access the bucket.
 
-    * **Group ID (GID)**
+        * **Group ID (GID)**
 
-        The GID used to read the bucket.
+            The GID used to access the bucket.
 
-    * **Permissions**
+    * **SMB volume**
 
-        Select Read or Read-Write. 
+        * **Username**
+
+             The ID used to read the bucket.
+
+    * **Permissions**   
+
+        Select Read-only or Read and write.
 
     :::image type="content" source="./media/object-rest-api-access-configure/create-bucket.png" alt-text="Screenshot of create a bucket menu." lightbox="./media/object-rest-api-access-configure/create-bucket.png":::
 
-1. If you haven't provided a certificate, upload your PEM file. 
+1. Select **Save**. 
 
-    To upload a certificate, provide the following information:
+    Additional details are needed to create the first bucket on a set of volumes sharing the same IP address.
+    
+    **Certificate management**
 
     * **Fully qualified domain name**
 
-        Enter the fully qualified domain name. 
+        Enter the endpoint FQDN used by clients to access the buckets. 
+
+    **Certificate source**
+
+    * **Azure Key Vault**
+
+        * **Vault URI**
+
+            Select the name from the drop-down list.
 
-    * **Certificate source**
+        * **Secret name**
 
-        Upload the appropriate certificate. Only PEM files are supported. 
+            Enter the name of the certificate.
+           
+    * **Upload certificate**
 
-    Select **Save**. 
+        Select the **certificate** option to upload a certificate file directly.      
 
-1. Select **Create**. 
+        If you haven't provided a certificate, upload the PEM file.
+        
+        * **Certificate source**. 
+
+            Upload the appropriate certificate. Only PEM files are supported.
+                     
+    **Credentials storage**
+
+    * **Azure Key Vault**
+
+        * **Vault URI**
+
+            Select the name from the drop-down list.
+
+        * **Secret name**
+
+            Enter the name of the secret. The secret name is user-defined and can be any value, that meets the naming guidelines. 
+            
+    * **Access key**
+
+        When selecting this option, access keys are generated after the bucket is created and are displayed once in the Azure portal. You must manually copy both these values and store them securely.
+
+1. Select **Save** to validate the configuration.
+
+1. Select **Create** to provision the bucket.
 
 After you create a bucket, you need to generate credentials to access the bucket.
 
+## Generate credentials
+
+The credential generation behavior depends on the credential storage option you selected.
+
+1. Navigate to the newly created bucket. 
+
+1. Select **Generate credentials**.
+
+1. Enter the desired access key lifespan in days and then select **Generate credentials**.
+
+    **Azure Key Vault–based credentials**
+
+    * The credentials are generated and stored securely in Azure Key Vault.
+    * The credentials and are not displayed in the Azure portal. 
+    * You should retrieve the credentials directly from the configured Key Vault.
+
+    After the credentials are generated, perform the following:
+
+    1. Ensure that the secret is created in the specified Key Vault.
+    1. Verify the secret:
+
+        1. Navigate to your key vault in the Azure portal.
+        1. Select **Objects** then select **Secrets**.
+        1. Confirm that <secret_name> has been created.
+
+    **Access key-based credentials**
+
+    When using direct certificate upload:
+
+    * The access key and secret access key are displayed once in the Azure portal.
+    * You should copy and store both the values securely. 
+    * The credentials cannot be retrieved again after the initial display.
+
+    > [!IMPORTANT]
+    > The access key and secret access key are only displayed once. You should copy and store the keys securely. If they are lost, you must generate new credentials.
+
+    **Regenerating credentials**
+
+    After the credentials are set, you can generate new credentials by selecting the three dots (`…`) on the bucket and selecting **Generate credentials**.
+
+    > [!IMPORTANT]
+    > Generating new credentials immediately invalidates existing credentials.
+
 ## Update bucket access
 
 You can modify a bucket's access management settings.
 
+* User ID / Username
+* Group ID
+* Permissions
+
 1. From your NetApp volume, select **Buckets**.
-1.	Select **+Create**.
+1.	Select **+Create or update bucket**.
 1.	Enter the name of the bucket you want to modify.
 1.	Change the access management settings as required.
-1.	You can modify the User ID, Group ID, Username (for SMB or dual-protocol volumes), and Permissions.
 1.	Click **Save** to modify the existing bucket.
 
 > [!NOTE]
 > You cannot modify a bucket’s path. To update a bucket’s path, delete and re-create the bucket with the new path.
 
-## Generate credentials
-
-1. Navigate to your newly created bucket. Select **Generate keys**.
-1. Enter the desired Access key lifespan in days then select **Generate keys**. After you select **Generate keys**, the portal displays the access key and secret access key. 
-    >[!IMPORTANT]
-    >The access key and secret access key are only displayed once. Store the keys securely. Do not share the keys.
-1. After you set the credentials, you can generate a new access key and secret access key by selecting the `...` menu then selecting **Generate access keys**. Generating new keys immediately invalidates the existing keys. 
 
 ## Delete a bucket
 
-Deleting a bucket is a permanent operation. You can't recover the bucket after deleting it. 
+Deleting a bucket permanently removes it and all associated configurations. You can't recover the bucket after deleting it. 
 
 1. In your NetApp account, navigate to **Buckets**. 
-1. Select the checkbox next to the bucket you want to delete. 
+1. Select the three dots (`…`) next to the bucket you want to delete. 
 1. Select **Delete**. 
-1. In the modal, select **Delete** to confirm you want to delete the bucket. 
+1. In the Delete bucket window, select **Delete** to confirm you want to delete the bucket. 
 
 ## Next steps 
 

articles/azure-netapp-files/media/object-rest-api-access-configure/create-certificate.png

@@ -19,6 +19,12 @@ Azure NetApp Files is updated regularly. This article provides a summary about t
 
 ## April 2026
 
+* [Secure object REST API access using Azure Key Vault certificates and credentials](object-rest-api-access-configure.md) (preview)
+
+    Azure NetApp Files now supports Azure Key Vault–based certificates and credentials for the object REST API, enabling secure, S3‑compatible access to volumes. Certificates can be generated and stored directly in Azure Key Vault and automatically retrieved during bucket creation, while S3 access credentials are securely managed in Key Vault, eliminating the need to manually upload or store sensitive information.
+
+    This native integration with Azure Key Vault simplifies certificate lifecycle management, centralizes certificate and credential storage, strengthens security, and aligns Object REST API access with enterprise key and credential management best practices.
+     
 * [Storage with cool access enhancement](cool-access-introduction.md#throughput-for-premium-and-ultra-service-levels) for Premium and Ultra service levels (preview)
 
     Azure NetApp Files introduces an enhancement to storage with cool access for Premium and Ultra service levels that more precisely aligns throughput with data tiering. When cool access is enabled, maximum throughput is dynamically calculated based on the amount of data tiered to cool access storage, rather than applying a fixed reduction. Hot data retains its configured performance, and throughput is adjusted only when data is tiered to the cool tier. This enhancement delivers more predictable QoS behavior while optimizing performance and cost as data access patterns evolve, without requiring manual tuning or reconfiguration.
@@ -29,7 +35,7 @@ Azure NetApp Files is updated regularly. This article provides a summary about t
 
     Large volumes operational improvement no longer requires a support ticket to increase a large volume past the 30% imposed limit. This allows customer to automate their large volume size increases without waiting for approval and human intervention.
 
-## January 2026
+  ## January 2026
 
 * [Elastic zone-redundant storage service level](elastic-zone-redundant-concept.md) (preview)
 

articles/azure-netapp-files/object-rest-api-access-configure.md

@@ -18,15 +18,15 @@ Decide whether you're deploying Azure IoT Operations to a single-node or multi-n
 
 ## Platform
 
-Currently, K3s on Ubuntu 24.04 is the only generally available platform for deploying Azure IoT Operations in production.
+Use a [supported environment](../overview-support.md#supported-environments) for deploying Azure IoT Operations in production.
 
 ## Cluster setup
 
 Ensure that your hardware setup is sufficient for your scenario and that you begin with a secure environment.
 
 ### System configuration
 
-Create an Arc-enabled K3s cluster that meets the system requirements.
+Create an Arc-enabled cluster that meets the system requirements.
 
 * Use a [supported environment for Azure IoT Operations](../overview-support.md#supported-environments).
 * [Configure the cluster](./howto-prepare-cluster.md) according to documentation.
@@ -88,15 +88,12 @@ In the Azure portal deployment wizard, the schema registry and its required stor
 
 * The storage account must have hierarchical namespace enabled.
 * The schema registry's managed identity must have contributor permissions for the storage account.
-* The storage account is only supported with public network access enabled.
-
-For production deployments, scope the storage account's public network access to allow traffic only from trusted Azure services. For example:
-
-1. In the [Azure portal](https://portal.azure.com), navigate to the storage account that your schema registry uses.
-1. Select **Security + networking > Networking** from the navigation menu.
-1. For the public network access setting, select **Enabled from selected virtual networks and IP addresses**.
-1. In the **Exceptions** section of the networking page, ensure that the **Allow trusted Microsoft services to access this resource** option is selected.
-1. Select **Save** to apply the changes.
+* For production deployments, scope the storage account's public network access to allow traffic only from trusted Azure services. For example:
+  1. In the [Azure portal](https://portal.azure.com), navigate to the storage account that your schema registry uses.
+  1. Select **Security + networking > Networking** from the navigation menu.
+  1. For the public network access setting, select **Enabled from selected virtual networks and IP addresses**.
+  1. In the **Exceptions** section of the networking page, ensure that the **Allow trusted Microsoft services to access this resource** option is selected.
+  1. Select **Save** to apply the changes.
 
 For more information, see [Configure Azure Storage firewalls and virtual networks > Grant access to trusted Azure services](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services).