The cloud volumes capabilities that are available through the web UI are also available through RESTful APIs. The APIs enable you to programmatically create and manage cloud volumes. They also provide the capability to develop scripts and tools for provisioning and support other service workflows.
View the NetApp Cloud Volumes API Swagger specification
To view the NetApp Cloud Volumes API Swagger specification with Swagger Editor, do the following:
- Go to Swagger Editor.
- Select File > Import URL.
Enter the following URL:
https://cloudvolumesgcp-api.netapp.com/swagger.json
Click OK.
The Cloud Volumes APIs (
CVS-GCP
) are displayed.
Create your service account and private key
In Cloud Shell, create a service account in your project:
gcloud iam service-accounts create serviceaccountname \ --description "Admin SA for CVS API access" \ --display-name "cloudvolumes-admin-sa"
Assign the NetApp cloud volumes admin role to the service account. Replace projectid and serviceaccount@projectid with your project ID and with the service account you just created:
gcloud projects add-iam-policy-binding projectid \ --member='serviceAccount:serviceaccount@projectid.iam.gserviceaccount.com' \ --role='roles/netappcloudvolumes.admin'
Confirm the role bindings for the service account and project:
gcloud projects get-iam-policy projectid
The output looks something like this:
Manage API authentication
Cloud Volumes Service APIs use bearer authentication. Before you can make any API calls, you must fetch a valid JSON web token (JWT) from Identity and Access Management.
There are two ways to obtain valid tokens from Identity and Access Management: by using service account impersonation or by using a service account key.
Authenticate using service account impersonation
You can use service account impersonation to allow principals and resources to act as an IAM service account. This method of authentication is more secure than using a service account key for this purpose. For more information, see Service account impersonation.
When you use service account impersonation, the code runs with Application Default Credentials (ADC).
Examples of Application Default Credentials include the following:
- The identity or principal used for gcloud auth application-default login, such as your Google user access credentials
- The service account attached to a Compute Engine virtual machine
- The service account attached to a Cloud Run function
- The service account attached to a Cloud Build job
- The IAM service account on a GKE cluster using Workload Identity Federation for GKE
For more information, see Attaching a service account to a resource.
When you use service account impersonation, use the Fetch a JSON web token using service account impersonation example code to generate JSON web tokens.
To grant the
iam.serviceAccountTokenCreator
role to your ADC user on the service account that you created in the previous section, follow the instructions in Allowing a principal to impersonate a single service account.Example:
gcloud iam service-accounts add-iam-policy-binding \ serviceaccount@projectid.iam.gserviceaccount.com \ --member=user:my-gcloud-user@example.com \ --role=roles/iam.serviceAccountTokenCreator
This binding grants the
my-gcloud-user@example.com
user the permissions to impersonate the service accountserviceaccount@projectid.iam.gserviceaccount.com
.Only the
serviceaccount@projectid.iam.gserviceaccount.com
account needs the permissions of theroles/netappcloudvolumes.admin
role.
Authenticate using a service account key
You can create a JSON key for the service account created in the previous section and use the key to obtain a JSON web token. This method of authentication is less secure than using service account impersonation. Google recommends against using service account keys for this purpose. For more information, see Best practices for working with service accounts.
To create and download a private JSON key file, run the following command:
gcloud iam service-accounts keys create key_file_name --iam-account serviceaccount@projectid
Examples of using the Cloud Volumes APIs
The examples in this section use Python 3.6 or later to interact with the Cloud Volumes Service APIs.
To use these examples, install the required Python modules:
pip3 install requests google google.auth \
google-api-python-client google-cloud-iam
Fetch a JSON web token by using service account impersonation
The following example fetches a JSON web token (JWT) using service account
impersonation. This example also defines the get_headers
helper function,
which is used in other examples on this page.
This example requires that the iamcredentials.googleapis.com
API is enabled.
def get_headers(token: str) -> dict: headers = { "Content-Type": "application/json", "Authorization": "Bearer " + token } return headers def get_token(service_account_name) -> str: import datetime import json from google.cloud import iam_credentials_v1 token_expiration_time_seconds = 30*60 # 30 minutes lifetime audience = 'https://cloudvolumesgcp-api.netapp.com/' client = iam_credentials_v1.IAMCredentialsClient() service_account_path = client.service_account_path('-', service_account_name) # Build the claims set curr_time = datetime.datetime.now() expiration = curr_time + datetime.timedelta(seconds=token_expiration_time_seconds) claims = { "iss": service_account_name, "aud": audience, "iat": int(curr_time.timestamp()), "exp": int(expiration.timestamp()), "sub": service_account_name, } response = client.sign_jwt(request={"name": service_account_path,"payload": json.dumps(claims)}) return response.signed_jwt token = get_token("serviceaccount@projectid.iam.gserviceaccount.com")
Fetch a JSON web token by using a service account key
The following example fetches a JSON web token (JWT) by using a service account
JSON key. This example also defines the get_headers
helper function, which is
used in other examples on this page.
def get_headers(token: str) -> dict: headers = { "Content-Type": "application/json", "Authorization": "Bearer " + token } return headers def get_token(service_account_file: str) -> str: import google.auth.transport.requests from google.oauth2 import service_account from google.auth import jwt audience = 'https://cloudvolumesgcp-api.netapp.com' # Create credential object from private key file svc_creds = service_account.Credentials.from_service_account_file(service_account_file) # Create JWT jwt_creds = jwt.Credentials.from_signing_credentials(svc_creds, audience=audience) # Issue request to get auth token request = google.auth.transport.requests.Request() jwt_creds.refresh(request) # Extract token return jwt_creds.token.decode('utf-8') token = get_token("key.json")
Determine the project number
Cloud Volumes Service APIs use automatically generated
Google Cloud project numbers
to identify projects, but users often use human-readable and customizable
project IDs. You can look up project numbers in the Google Cloud console, or you can
use the function in the following example to get the project number associated
with the project ID in your key file. This get_google_project_number
function
is used in other examples in this section.
To use this function, the user must have the resourcemanager.projects.get
permission, and the Cloud Resource Manager API (cloudresourcemanager.googleapis.com
)
must be enabled.
def get_google_project_number(service_account_identifier: str) -> str: import re, json from google.auth import default from googleapiclient import discovery, errors # Is string passed a service account name? user_managed_sa_regex = "^[a-z]([-a-z0-9]*[a-z0-9])@[a-z0-9-]+\.iam\.gserviceaccount\.com$" if re.match(user_managed_sa_regex, service_account_identifier): project_id = service_account_identifier.split('@')[1].split('.')[0] else: with open(service_account_identifier) as json_file: content = json.load(json_file) project_id = content['project_id'] credentials, _ = default() service = discovery.build('cloudresourcemanager', 'v1', credentials=credentials) request = service.projects().get(projectId=project_id) try: response = request.execute() return response["projectNumber"] except errors.HttpError as e: print("Unable to resolve JSON keyfile to project number. Missing resourcemanager.projects.get permissions?") return "" # Call using a key file project_number = get_google_project_number("key.json") # Call using a service account name project_number = get_google_project_number("serviceaccount@projectid.iam.gserviceaccount.com")
Create a storage pool
def create_pool(token:str, project_number: str, region: str, payload: dict): import requests server = 'https://cloudvolumesgcp-api.netapp.com' post_url = f"{server}/v2/projects/{project_number}/locations/{region}/Pools" # POST request to create the pool r = requests.post(post_url, json=payload, headers=get_headers(token)) r.raise_for_status() if not (r.status_code == 201 or r.status_code == 202): print(f"ERROR: HTTP code: {r.status_code} {r.reason} for url: {r.url}") return pool = r.json()['response']['AnyValue'] # Get pool attributes # Note that process might take some minutes and some # attributes are only available after it is finished poolname = pool["name"] sizeGiB = int(pool["sizeInBytes"] / 1024**3) region = pool["region"] numvols = pool["numberOfVolumes"] print(f"poolname: {poolname:30} size: {sizeGiB:>7} GiB region: {region} # of Vols: {numvols}") keyfile = "key.json" project_number = get_google_project_number(keyfile) token = get_token(keyfile) poolname = "ok-pooltest" region = "europe-west1" network = "ncv-vpc" regionalHA = False payload = { "name": poolname, "region": region, "serviceLevel": "ZoneRedundantStandardSW" if regionalHA == True else "StandardSW", # "StandardSW" or "ZoneRedundantStandardSW" "storageClass": "software", "zone": f"{region}-b", # use zone b in desired region # "secondaryZone": f"{region}-c", # omit for zonal pool "regionalHA": regionalHA, # set "True" for multi-zone and specify secondaryZone "sizeInBytes": 1024*1024**3, # 1024 GiB "network": f"projects/{project_number}/global/networks/{network}", } create_pool(token, project_number, region, payload)
Output
The output should be similar to the following:
poolname: ok-pooltest size: 1024 GiB region: europe-west1 # of Vols: 0
Print information about storage pools
In this example, the script prints the details of all storage pools in a given project:
def print_pools(token:str, project_number: str, region: str='-'): import requests server = 'https://cloudvolumesgcp-api.netapp.com' get_url = f"{server}/v2/projects/{project_number}/locations/{region}/Pools" r = requests.get(get_url, headers=get_headers(token)) r.raise_for_status() print(f"Pools in region: {region}") for pool in r.json(): # Get volume attributes poolname = pool["name"] sizeGiB = int(pool["sizeInBytes"] / 1024**3) region = pool["region"] numvols = pool["numberOfVolumes"] print(f"poolname: {poolname:30} size: {sizeGiB:>7} GiB region: {region} #ofVolumes: {numvols}") keyfile = "key.json" project_number = get_google_project_number(keyfile) token = get_token(keyfile) print_pools(token, project_number, "-")
Output
The result of running this script varies based on what pools exist in your project. The output should be similar to the following:
Pools in region: - poolname: okpool3 size: 2000 GiB region: europe-west1 #ofVolumes: 1
Print all volumes
In this example, the script makes a call to get all volumes in a given project and print their details:
def print_volumes(token:str, project_number: str, region: str='-'): import requests server = 'https://cloudvolumesgcp-api.netapp.com' get_url = f"{server}/v2/projects/{project_number}/locations/{region}/Volumes" r = requests.get(get_url, headers=get_headers(token)) r.raise_for_status() print(f"Volume in region: {region}") for vol in r.json(): # Get volume attributes volname = vol["name"] volsizeGiB = int(vol["quotaInBytes"] / 1024**3) region = vol["region"] print(f"volname: {volname:30} size: {volsizeGiB:>7} GiB region: {region}") keyfile = "key.json" project_number = get_google_project_number(keyfile) token = get_token(keyfile) print_volumes(token, project_number, "-")
Output
The result of running this script varies based on what volumes exist in your project. The output should be similar to the following:
Volume in region: - volname: smbvolume size: 1024 GiB region: us-east4 volname: datalake size: 1024 GiB region: us-east4 volname: sapshared size: 1024 GiB region: us-central1 volname: catiarepo size: 1024 GiB region: europe-west2
Create a volume
The following create_volume
helper function is used by other examples in this
section for creating volumes:
def create_volume(token:str, project_number: str, region: str, payload: dict): import requests server = 'https://cloudvolumesgcp-api.netapp.com' post_url = f"{server}/v2/projects/{project_number}/locations/{region}/Volumes" # POST request to create the volume r = requests.post(post_url, jsonpayload, headers=get_headers(token)) r.raise_for_status() if not (r.status_code == 201 or r.status_code == 202): print(f"ERROR: HTTP code: {r.status_code} {r.reason} for url: {r.url}") return vol = r.json()['response']['AnyValue'] # Get volume attributes. # The process can take several minutes. Some # attributes are only available after it is finished. volname = vol["name"] volsizeGiB = int(vol["quotaInBytes"] / 1024**3) region = vol["region"] volume_id = vol["volumeId"] print(f"Created volume: {volname:30} size: {volsizeGiB:>7} GiB region: {region} UUID: {volume_id}")
Create a CVS-Performance volume with NFSv3
def create_volume_nfsv3(token:str, project_number: str, region: str, network: str, volume_name: str): payload = { "name": volume_name, "creationToken": volume_name, # mount path "region": region, "serviceLevel": "low", # low/medium/high = standard/premium/extreme "storageClass": "hardware", # hardware for CVS-Performance, software for CVS "quotaInBytes": 1024*1024**3, # 1024 GiB "network": f"projects/{project_number}/global/networks/{network}", "protocolTypes": [ "NFSv3" # NFSv3, NFSv4, CIFS ], "snapshotPolicy": { "dailySchedule": { "hour": 1, "minute": 10, "snapshotsToKeep": 5 } }, "exportPolicy": { "rules": [ { "access": "ReadWrite", "allowedClients": "0.0.0.0/0", "nfsv3": { "checked": True } } ] } } create_volume(token, project_number, region, payload) keyfile = "key.json" project_number = get_google_project_number(keyfile) token = get_token(keyfile) create_volume_nfsv3(token, project_number, "us-east4", "my-vpc", "nfsv3-volume")
Output
The output should be similar to the following:
Created volume: nfsv3-volume size: 1024 GiB region: us-east4 UUID: d85f6c26-1604-cdc6-1213-b1d6468e6980
Create a CVS Standard-SW volume with NFSv3
def create_volume_cvs(token:str, project_number: str, region: str, network: str, volume_name: str, pool_id: str): payload = { "name": volume_name, "creationToken": volume_name, # mount path "quotaInBytes": 1024*1024**3, # 1024 GiB "region": region, "storageClass": "software", # software for CVS "poolId": pool_id, # UUID of storage pool to create volume within "serviceLevel": "basic", "regionalHA": False, "zone": f"{region}-b", "network": f"projects/{project_number}/global/networks/{network}", "protocolTypes": [ "NFSv3" # NFSv3, NFSv4, CIFS ], "exportPolicy": { "rules": [ { "access": "ReadWrite", "allowedClients": "0.0.0.0/0", "nfsv3": { "checked": True } } ] } } create_volume(token, project_number, region, payload) keyfile = "key.json" project_number = get_google_project_number(keyfile) token = get_token(keyfile) create_volume_cvs(token, project_number, "europe-west1", "ncv-vpc", "nfsv3-volume", "9760acf5-4638-11e7-9bdb-020073ca7773")
Output
The output should be similar to the following:
Created volume: nfsv3-volume size: 1024 GiB region: europe-west1 UUID: e1d9afb6-d727-2643-6c04-bc544d7ad765
Create a volume with NFSv4
def create_volume_nfsv4(token:str, project_number: str, region: str, network: str, volume_name: str): payload = { "name": volume_name, "creationToken": volume_name, # mount path "region": region, "serviceLevel": "low", # low/medium/high = standard/premium/extreme "storageClass": "hardware", # hardware for CVS-Performance, software for CVS "quotaInBytes": 1024*1024**3, # 1024 GiB "network": f"projects/{project_number}/global/networks/{network}", "protocolTypes": [ "NFSv4" # NFSv3, NFSv4, CIFS ], "exportPolicy": { "rules": [ { "access": "ReadWrite", "allowedClients": "0.0.0.0/0", "nfsv3": { "checked": False }, "nfsv4": { "checked": True } } ] } } create_volume(token, project_number, region, payload) keyfile = "key.json" project_number = get_google_project_number(keyfile) token = get_token(keyfile) create_volume_nfsv4(token, project_number, "us-east4", "ncv-vpc", "nfsv4-volume")
Output
The output should be similar to the following:
Created volume: nfsv4-volume size: 1024 GiB region: us-east4 UUID: 2222c128-1772-c89f-540a-0ff48d519f75
Create a volume with SMB (continuously available, non-browsable, with encryption enabled)
def create_volume_smb(token:str, project_number: str, region: str, network: str, volume_name: str): payload = { "name": volume_name, "creationToken": volume_name, # mount path "region": region, "serviceLevel": "medium", # low/medium/high = standard/premium/extreme "storageClass": "hardware", # hardware for CVS-Performance, software for CVS "quotaInBytes": 1024*1024**3, # 1024 GiB "network": f"projects/{project_number}/global/networks/{network}", "protocolTypes": [ "CIFS" # NFSv3, NFSv4, CIFS ], "smbShareSettings": [ "continuously_available", "encrypt_data", "non_browsable" ] } create_volume(token, project_number, region, payload) keyfile = "key.json" project_number = get_google_project_number(keyfile) token = get_token(keyfile) create_volume_smb(token, project_number, "us-east4", "ncv-vpc", "smb-volume")
Output
The output should be similar to the following:
Created volume: smb-volume size: 1024 GiB region: us-east4 UUID: 6327df5e-1b75-3d4a-8d59-0093c9423d57
Get volume details
def get_volume_details(token:str, project_number