Cloud Volumes APIs

Last reviewed 2024-04-25 UTC

The cloud volumes capabilities that are available through the web UI are also available through RESTful APIs. The APIs enable you to programmatically create and manage cloud volumes. They also provide the capability to develop scripts and tools for provisioning and support other service workflows.

View the NetApp Cloud Volumes API Swagger specification

To view the NetApp Cloud Volumes API Swagger specification with Swagger Editor, do the following:

  1. Go to Swagger Editor.
  2. Select File > Import URL.
  3. Enter the following URL:

    https://cloudvolumesgcp-api.netapp.com/swagger.json

  4. Click OK.

    The Cloud Volumes APIs (CVS-GCP) are displayed.

Create your service account and private key

  1. In Cloud Shell, create a service account in your project:

    gcloud iam service-accounts create serviceaccountname \
        --description "Admin SA for CVS API access" \
        --display-name "cloudvolumes-admin-sa"
    
  2. Assign the NetApp cloud volumes admin role to the service account. Replace projectid and serviceaccount@projectid with your project ID and with the service account you just created:

    gcloud projects add-iam-policy-binding projectid \
        --member='serviceAccount:serviceaccount@projectid.iam.gserviceaccount.com' \
        --role='roles/netappcloudvolumes.admin'
    
  3. Confirm the role bindings for the service account and project:

    gcloud projects get-iam-policy projectid
    

    The output looks something like this:

    output from get-iam-policy

Manage API authentication

Cloud Volumes Service APIs use bearer authentication. Before you can make any API calls, you must fetch a valid JSON web token (JWT) from Identity and Access Management.

There are two ways to obtain valid tokens from Identity and Access Management: by using service account impersonation or by using a service account key.

Authenticate using service account impersonation

You can use service account impersonation to allow principals and resources to act as an IAM service account. This method of authentication is more secure than using a service account key for this purpose. For more information, see Service account impersonation.

When you use service account impersonation, the code runs with Application Default Credentials (ADC).

Examples of Application Default Credentials include the following:

  • The identity or principal used for gcloud auth application-default login, such as your Google user access credentials
  • The service account attached to a Compute Engine virtual machine
  • The service account attached to a Cloud Run function
  • The service account attached to a Cloud Build job
  • The IAM service account on a GKE cluster using Workload Identity Federation for GKE

For more information, see Attaching a service account to a resource.

When you use service account impersonation, use the Fetch a JSON web token using service account impersonation example code to generate JSON web tokens.

  1. To grant the iam.serviceAccountTokenCreator role to your ADC user on the service account that you created in the previous section, follow the instructions in Allowing a principal to impersonate a single service account.

    Example:

    gcloud iam service-accounts add-iam-policy-binding \
      serviceaccount@projectid.iam.gserviceaccount.com \
      --member=user:my-gcloud-user@example.com \
      --role=roles/iam.serviceAccountTokenCreator
    

    This binding grants the my-gcloud-user@example.com user the permissions to impersonate the service account serviceaccount@projectid.iam.gserviceaccount.com.

    Only the serviceaccount@projectid.iam.gserviceaccount.com account needs the permissions of the roles/netappcloudvolumes.admin role.

Authenticate using a service account key

You can create a JSON key for the service account created in the previous section and use the key to obtain a JSON web token. This method of authentication is less secure than using service account impersonation. Google recommends against using service account keys for this purpose. For more information, see Best practices for working with service accounts.

  1. To create and download a private JSON key file, run the following command:

    gcloud iam service-accounts keys create key_file_name --iam-account serviceaccount@projectid
    

Examples of using the Cloud Volumes APIs

The examples in this section use Python 3.6 or later to interact with the Cloud Volumes Service APIs.

To use these examples, install the required Python modules:

pip3 install requests google google.auth \
google-api-python-client google-cloud-iam

Fetch a JSON web token by using service account impersonation

The following example fetches a JSON web token (JWT) using service account impersonation. This example also defines the get_headers helper function, which is used in other examples on this page.

This example requires that the iamcredentials.googleapis.com API is enabled.

def get_headers(token: str) -> dict:
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token
        }
    return headers


def get_token(service_account_name) -> str:
    import datetime
    import json
    from google.cloud import iam_credentials_v1

    token_expiration_time_seconds = 30*60 # 30 minutes lifetime
    audience = 'https://cloudvolumesgcp-api.netapp.com/'
    client = iam_credentials_v1.IAMCredentialsClient()
    service_account_path = client.service_account_path('-', service_account_name)

    # Build the claims set
    curr_time = datetime.datetime.now()
    expiration = curr_time + datetime.timedelta(seconds=token_expiration_time_seconds)
    claims = {
        "iss": service_account_name,
        "aud": audience,
        "iat": int(curr_time.timestamp()),
        "exp": int(expiration.timestamp()),
        "sub": service_account_name,
    }
    response = client.sign_jwt(request={"name": service_account_path,"payload": json.dumps(claims)})
    return response.signed_jwt

token = get_token("serviceaccount@projectid.iam.gserviceaccount.com")

Fetch a JSON web token by using a service account key

The following example fetches a JSON web token (JWT) by using a service account JSON key. This example also defines the get_headers helper function, which is used in other examples on this page.

def get_headers(token: str) -> dict:
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token
        }
    return headers

def get_token(service_account_file: str) -> str:
    import google.auth.transport.requests
    from google.oauth2 import service_account
    from google.auth import jwt

    audience = 'https://cloudvolumesgcp-api.netapp.com'

    # Create credential object from private key file
    svc_creds = service_account.Credentials.from_service_account_file(service_account_file)

    # Create JWT
    jwt_creds = jwt.Credentials.from_signing_credentials(svc_creds, audience=audience)

    # Issue request to get auth token
    request = google.auth.transport.requests.Request()
    jwt_creds.refresh(request)

    # Extract token
    return jwt_creds.token.decode('utf-8')

token = get_token("key.json")

Determine the project number

Cloud Volumes Service APIs use automatically generated Google Cloud project numbers to identify projects, but users often use human-readable and customizable project IDs. You can look up project numbers in the Google Cloud console, or you can use the function in the following example to get the project number associated with the project ID in your key file. This get_google_project_number function is used in other examples in this section.

To use this function, the user must have the resourcemanager.projects.get permission, and the Cloud Resource Manager API (cloudresourcemanager.googleapis.com) must be enabled.

def get_google_project_number(service_account_identifier: str) -> str:
    import re, json
    from google.auth import default
    from googleapiclient import discovery, errors

    # Is string passed a service account name?
    user_managed_sa_regex = "^[a-z]([-a-z0-9]*[a-z0-9])@[a-z0-9-]+\.iam\.gserviceaccount\.com$"
    if re.match(user_managed_sa_regex, service_account_identifier):
        project_id = service_account_identifier.split('@')[1].split('.')[0]
    else:
        with open(service_account_identifier) as json_file:
            content = json.load(json_file)
        project_id = content['project_id']

    credentials, _ = default()
    service = discovery.build('cloudresourcemanager', 'v1', credentials=credentials)
    request = service.projects().get(projectId=project_id)
    try:
        response = request.execute()
        return response["projectNumber"]
    except errors.HttpError as e:
        print("Unable to resolve JSON keyfile to project number. Missing resourcemanager.projects.get permissions?")
        return ""

# Call using a key file
project_number = get_google_project_number("key.json")
# Call using  a service account name
project_number = get_google_project_number("serviceaccount@projectid.iam.gserviceaccount.com")

Create a storage pool

def create_pool(token:str, project_number: str, region: str, payload: dict):
    import requests

    server = 'https://cloudvolumesgcp-api.netapp.com'
    post_url = f"{server}/v2/projects/{project_number}/locations/{region}/Pools"

    # POST request to create the pool
    r = requests.post(post_url, json=payload, headers=get_headers(token))
    r.raise_for_status()

    if not (r.status_code == 201 or r.status_code == 202):
        print(f"ERROR: HTTP code: {r.status_code} {r.reason} for url: {r.url}")
        return

    pool = r.json()['response']['AnyValue']
    # Get pool attributes
    # Note that process might take some minutes and some
    # attributes are only available after it is finished
    poolname = pool["name"]
    sizeGiB = int(pool["sizeInBytes"] / 1024**3)
    region = pool["region"]
    numvols = pool["numberOfVolumes"]
    print(f"poolname: {poolname:30} size: {sizeGiB:>7} GiB region: {region} # of Vols: {numvols}")

keyfile = "key.json"
project_number = get_google_project_number(keyfile)
token = get_token(keyfile)

poolname = "ok-pooltest"
region = "europe-west1"
network = "ncv-vpc"
regionalHA = False

payload = {
    "name": poolname,
    "region": region,
    "serviceLevel": "ZoneRedundantStandardSW" if regionalHA == True else "StandardSW", # "StandardSW" or "ZoneRedundantStandardSW"
    "storageClass": "software",
    "zone": f"{region}-b", # use zone b in desired region
    # "secondaryZone": f"{region}-c", # omit for zonal pool
    "regionalHA": regionalHA,  # set "True" for multi-zone and specify secondaryZone
    "sizeInBytes": 1024*1024**3, # 1024 GiB
    "network": f"projects/{project_number}/global/networks/{network}",
}

create_pool(token, project_number, region, payload)

Output

The output should be similar to the following:

poolname: ok-pooltest        size:    1024 GiB region: europe-west1 # of Vols: 0

In this example, the script prints the details of all storage pools in a given project:

def print_pools(token:str, project_number: str, region: str='-'):
    import requests

    server = 'https://cloudvolumesgcp-api.netapp.com'
    get_url = f"{server}/v2/projects/{project_number}/locations/{region}/Pools"

    r = requests.get(get_url, headers=get_headers(token))
    r.raise_for_status()

    print(f"Pools in region: {region}")
    for pool in r.json():
        # Get volume attributes
        poolname = pool["name"]
        sizeGiB = int(pool["sizeInBytes"] / 1024**3)
        region = pool["region"]
        numvols = pool["numberOfVolumes"]
        print(f"poolname: {poolname:30} size: {sizeGiB:>7} GiB region: {region} #ofVolumes: {numvols}")

keyfile = "key.json"
project_number = get_google_project_number(keyfile)
token = get_token(keyfile)
print_pools(token, project_number, "-")

Output

The result of running this script varies based on what pools exist in your project. The output should be similar to the following:

Pools in region: -
poolname: okpool3     size:    2000 GiB region: europe-west1 #ofVolumes: 1

In this example, the script makes a call to get all volumes in a given project and print their details:

def print_volumes(token:str, project_number: str, region: str='-'):
    import requests

    server = 'https://cloudvolumesgcp-api.netapp.com'
    get_url = f"{server}/v2/projects/{project_number}/locations/{region}/Volumes"

    r = requests.get(get_url, headers=get_headers(token))
    r.raise_for_status()

    print(f"Volume in region: {region}")
    for vol in r.json():
        # Get volume attributes
        volname = vol["name"]
        volsizeGiB = int(vol["quotaInBytes"] / 1024**3)
        region = vol["region"]
        print(f"volname: {volname:30} size: {volsizeGiB:>7} GiB region: {region}")

keyfile = "key.json"
project_number = get_google_project_number(keyfile)
token = get_token(keyfile)
print_volumes(token, project_number, "-")

Output

The result of running this script varies based on what volumes exist in your project. The output should be similar to the following:

Volume in region: -
volname: smbvolume                      size:    1024 GiB region: us-east4
volname: datalake                       size:    1024 GiB region: us-east4
volname: sapshared                      size:    1024 GiB region: us-central1
volname: catiarepo                      size:    1024 GiB region: europe-west2

Create a volume

The following create_volume helper function is used by other examples in this section for creating volumes:

def create_volume(token:str, project_number: str, region: str, payload: dict):    import requests

    server = 'https://cloudvolumesgcp-api.netapp.com'
    post_url = f"{server}/v2/projects/{project_number}/locations/{region}/Volumes"

    # POST request to create the volume
    r = requests.post(post_url, jsonpayload, headers=get_headers(token))
    r.raise_for_status()

    if not (r.status_code == 201 or r.status_code == 202):
        print(f"ERROR: HTTP code: {r.status_code} {r.reason} for url: {r.url}")
        return

    vol = r.json()['response']['AnyValue']
    # Get volume attributes.
    # The process can take several minutes. Some
    # attributes are only available after it is finished.
    volname = vol["name"]
    volsizeGiB = int(vol["quotaInBytes"] / 1024**3)
    region = vol["region"]
    volume_id = vol["volumeId"]
    print(f"Created volume: {volname:30} size: {volsizeGiB:>7} GiB region: {region} UUID: {volume_id}")

Create a CVS-Performance volume with NFSv3

def create_volume_nfsv3(token:str, project_number: str, region: str, network: str, volume_name: str):
    payload = {
        "name": volume_name,
        "creationToken": volume_name, # mount path
        "region": region,
        "serviceLevel": "low", # low/medium/high = standard/premium/extreme
        "storageClass": "hardware", # hardware for CVS-Performance, software for CVS
        "quotaInBytes": 1024*1024**3, # 1024 GiB
        "network": f"projects/{project_number}/global/networks/{network}",
        "protocolTypes": [
            "NFSv3" # NFSv3, NFSv4, CIFS
        ],
        "snapshotPolicy": {
            "dailySchedule": {
                "hour": 1,
                "minute": 10,
                "snapshotsToKeep": 5
            }
        },
        "exportPolicy": {
            "rules": [
                {
                    "access": "ReadWrite",
                    "allowedClients": "0.0.0.0/0",
                    "nfsv3": {
                        "checked": True
                    }
                }
            ]
        }
    }
    create_volume(token, project_number, region, payload)

keyfile = "key.json"
project_number = get_google_project_number(keyfile)
token = get_token(keyfile)
create_volume_nfsv3(token, project_number, "us-east4", "my-vpc", "nfsv3-volume")

Output

The output should be similar to the following:

Created volume: nfsv3-volume  size: 1024 GiB  region: us-east4  UUID: d85f6c26-1604-cdc6-1213-b1d6468e6980

Create a CVS Standard-SW volume with NFSv3

def create_volume_cvs(token:str, project_number: str, region: str, network: str, volume_name: str, pool_id: str):
    payload = {
        "name": volume_name,
        "creationToken": volume_name, # mount path
        "quotaInBytes": 1024*1024**3, # 1024 GiB
        "region": region,
        "storageClass": "software",  # software for CVS
        "poolId": pool_id, # UUID of storage pool to create volume within

        "serviceLevel": "basic",
        "regionalHA": False,
        "zone": f"{region}-b",
        "network": f"projects/{project_number}/global/networks/{network}",
        "protocolTypes": [
            "NFSv3" # NFSv3, NFSv4, CIFS
        ],
        "exportPolicy": {
            "rules": [
                {
                    "access": "ReadWrite",
                    "allowedClients": "0.0.0.0/0",
                    "nfsv3": {
                        "checked": True
                    }
                }
            ]
        }
    }
    create_volume(token, project_number, region, payload)

keyfile = "key.json"
project_number = get_google_project_number(keyfile)
token = get_token(keyfile)
create_volume_cvs(token, project_number, "europe-west1", "ncv-vpc", "nfsv3-volume", "9760acf5-4638-11e7-9bdb-020073ca7773")

Output

The output should be similar to the following:

Created volume: nfsv3-volume  size: 1024 GiB  region: europe-west1  UUID: e1d9afb6-d727-2643-6c04-bc544d7ad765

Create a volume with NFSv4

def create_volume_nfsv4(token:str, project_number: str, region: str, network: str, volume_name: str):
    payload = {
        "name": volume_name,
        "creationToken": volume_name, # mount path
        "region": region,
        "serviceLevel": "low", # low/medium/high = standard/premium/extreme
        "storageClass": "hardware",  # hardware for CVS-Performance, software for CVS
        "quotaInBytes": 1024*1024**3, # 1024 GiB
        "network": f"projects/{project_number}/global/networks/{network}",
        "protocolTypes": [
            "NFSv4" # NFSv3, NFSv4, CIFS
        ],
        "exportPolicy": {
            "rules": [
                {
                    "access": "ReadWrite",
                    "allowedClients": "0.0.0.0/0",
                    "nfsv3": {
                        "checked": False
                    },
                    "nfsv4": {
                        "checked": True
                    }
                }
            ]
        }
    }
    create_volume(token, project_number, region, payload)

keyfile = "key.json"
project_number = get_google_project_number(keyfile)
token = get_token(keyfile)
create_volume_nfsv4(token, project_number, "us-east4", "ncv-vpc", "nfsv4-volume")

Output

The output should be similar to the following:

Created volume: nfsv4-volume  size: 1024 GiB  region: us-east4  UUID: 2222c128-1772-c89f-540a-0ff48d519f75

Create a volume with SMB (continuously available, non-browsable, with encryption enabled)

def create_volume_smb(token:str, project_number: str, region: str, network: str, volume_name: str):
    payload = {
        "name": volume_name,
        "creationToken": volume_name, # mount path
        "region": region,
        "serviceLevel": "medium", # low/medium/high = standard/premium/extreme
        "storageClass": "hardware",  # hardware for CVS-Performance, software for CVS
        "quotaInBytes": 1024*1024**3, # 1024 GiB
        "network": f"projects/{project_number}/global/networks/{network}",
        "protocolTypes": [
            "CIFS" # NFSv3, NFSv4, CIFS
        ],
        "smbShareSettings": [
            "continuously_available",
            "encrypt_data",
            "non_browsable"
        ]
    }
    create_volume(token, project_number, region, payload)

keyfile = "key.json"
project_number = get_google_project_number(keyfile)
token = get_token(keyfile)
create_volume_smb(token, project_number, "us-east4", "ncv-vpc", "smb-volume")

Output

The output should be similar to the following:

Created volume: smb-volume  size: 1024 GiB  region: us-east4  UUID: 6327df5e-1b75-3d4a-8d59-0093c9423d57

Get volume details

def get_volume_details(token:str, project_number