

# Linking your cache to a data repository
<a name="create-linked-data-repo"></a>

You can link your Amazon File Cache to data repositories in Amazon S3 or on NFS (Network File System) file systems that support the NFSv3 protocol. The NFS file systems can be on-premises or in-cloud file systems. You create the links when you create your cache.

A link between a directory on your cache and an Amazon S3 or NFS data repository is called a *data repository association (DRA)*. You can create a maximum of 8 data repository associations on an Amazon File Cache resource. Each DRA must have a unique Amazon File Cache directory and an S3 bucket or NFS file system associated with it.

**Note**  
An Amazon File Cache resource can link to either S3 or NFS data repositories, but not to both types at the same time. All the DRAs on the cache must link to the same data repository type (S3 or NFS).

By default, Amazon File Cache automatically loads data into the cache when it’s accessed for the first time (lazy load). You can optionally pre-load data into the cache before starting your workload.

**Note**  
You shouldn't modify the same file on both the data repository and the cache at the same time; otherwise, the behavior is undefined.

# Creating a link to a data repository
<a name="create-linked-repo"></a>

The following procedure walks you through the process of creating a data repository association (DRA) while creating an Amazon File Cache resource, using the AWS Management Console. The DRA links the cache to an existing Amazon S3 bucket or NFS file system.

Keep the following in mind when working with DRAs.
+ You can link to a data repository only when you create the cache.
+ You can't update an existing DRA.
+ You can't delete an existing DRA. To remove a link to a data repository, delete the cache and create it again.
+ You can link your cache to either S3 data repositories or NFS data repositories, but not to both types in a single cache.

For information about using the AWS Command Line Interface (AWS CLI) to create a DRA while creating a cache, see [To create a cache (CLI)](managing-caches.md#create-file-system-cli). 

## To link an S3 bucket or NFS file system while creating a cache (console)
<a name="link-new-repo-console"></a>

1. Open the AWS Management Console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Follow the procedure for creating a new Amazon File Cache described in [Step 1: Create your cache](getting-started-step1.md).

1. In the **Data repository associations (DRAs)** section, the **Create a new data repository association** dialog box displays.  
![The Data Repository Associations configuration dialog, which is one of the dialogs to configure export and import links for an S3 or NFS data repository.](http://docs.aws.amazon.com/fsx/latest/FileCacheGuide/images/create-fs-dra.png)

   In the dialog box, provide information for the following fields.
   + **Repository type** – Choose the type of data repository to link to:
     + `NFS` – NFS file system that supports the NFSv3 protocol.
     + `S3` – Amazon S3 bucket.
   + **Data repository path** – Enter a path in either an S3 or NFS data repository to associate with your cache.
     + For S3, the path can be an S3 bucket or prefix in the format `s3://myBucket/myPrefix/`. Amazon File Cache will append a trailing "/" to your data repository path if you don't provide one. For example, if you provide a data repository path of `s3://myBucket/myPrefix`, Amazon File Cache will interpret it as `s3://myBucket/myPrefix/`.
     + For NFS, the path to the NFS data repository can be in one of two formats:
       + If you're not using **Subdirectories**, the path is to an NFS Export directory (or one of its subdirectories) in the format `nfs://nfs-domain-name/exportpath`.
       + If you're using **Subdirectories**, the path is the domain name of the NFS file system in the format `nfs://filer-domain-name`, which indicates the root of the NFS Export subdirectories specified with the `NFS Exports` field.

     Two data repository associations can't have overlapping data repository paths. For example, if a data repository with path `s3://myBucket/myPrefix/` is linked to the cache, you can't create another data repository association with data repository path `s3://myBucket/myPrefix/mySubPrefix`.
   + **Subdirectories** – (NFS only) You can optionally provide a list of comma-delimited NFS export paths in the NFS data repository. When this field is provided, **Data repository path** can only contain the NFS domain name, indicating the root of the subdirectories.
   + **DNS server IP addresses** – (NFS only) If you provided the domain name of the NFS file system for **Data repository path**, you can specify up to two IPv4 addresses of DNS servers used to resolve the NFS file system domain name. The IP addresses can be either those of a DNS forwarder or resolver that you manage and run inside your VPC, or those of your on-premises DNS servers.
   + **Cache path** – Enter the name of a high-level directory (such as `/ns1`) or subdirectory (such as `/ns1/subdir`) within the Amazon File Cache that will be associated with the data repository. The leading forward slash in the path is required. Two data repository associations cannot have overlapping cache paths. The **Cache path** setting must be unique across all the data repository associations for the cache.
**Note**  
**Cache path** can only be set to root (/) on NFS DRAs when **Subdirectories** is specified. If you specify root (/) as the **Cache path**, you can create only one DRA on the cache.  
**Cache path** cannot be set to root (/) for an S3 DRA.

1. When you finish configuring the DRA, choose **Add**.

1. You can add another data repository association using the same steps. You can create a maximum of 8 data repository associations, which must all be of the same repository type.

1. When you finish adding DRAs, choose **Next**.

1. Continue with the Amazon File Cache creation wizard.
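The DRA rules in this procedure (a single repository type per cache, at most 8 DRAs, non-overlapping cache paths and data repository paths, the trailing "/" that Amazon File Cache appends, a root cache path only on NFS DRAs with **Subdirectories**, and NFS-only fields) are easy to get wrong when planning several associations at once, and a DRA can't be updated or deleted once the cache exists. The following Python validator is an added example written for this page, not AWS code or an AWS API: it encodes those rules as stated here so that a planned set of DRAs can be checked before the cache is created. The `DRA` class, every function in it, and the sample bucket, domain and paths are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

MAX_DRAS = 8  # per-cache limit stated in this guide


@dataclass
class DRA:
    """One proposed data repository association (field names follow the console form)."""
    repository_type: str                                      # "S3" or "NFS"
    data_repository_path: str                                 # s3://bucket/prefix or nfs://domain[/export]
    cache_path: str                                           # directory on the cache, leading "/" required
    subdirectories: list[str] = field(default_factory=list)   # NFS only: export paths under the domain
    dns_server_ips: list[str] = field(default_factory=list)   # NFS only: up to two IPv4 addresses


def _with_slash(path: str) -> str:
    """Mirror the console: a data repository path gets a trailing '/' if it lacks one."""
    return path if path.endswith("/") else path + "/"


def _overlap(a: str, b: str) -> bool:
    # Both inputs end with "/", so a prefix match means one path contains the
    # other ("/ns1/" vs "/ns1/subdir/") while "/ns1/" and "/ns10/" stay distinct.
    return a.startswith(b) or b.startswith(a)


def repository_spans(d: DRA) -> list[str]:
    """Normalized data repository path(s) the DRA covers; an NFS DRA with
    Subdirectories covers one export path per subdirectory."""
    if d.repository_type == "NFS" and d.subdirectories:
        root = d.data_repository_path.rstrip("/")
        return [_with_slash(f"{root}/{sub.strip('/')}") for sub in d.subdirectories]
    return [_with_slash(d.data_repository_path)]


def validate_dra(d: DRA) -> list[str]:
    """Per-DRA rules from this page; returns a list of violations (empty = OK)."""
    errors = []
    url = urlparse(d.data_repository_path)
    if d.repository_type == "S3":
        if url.scheme != "s3" or not url.netloc:
            errors.append("S3 data repository path must look like s3://myBucket/myPrefix/")
        if d.subdirectories or d.dns_server_ips:
            errors.append("Subdirectories and DNS server IP addresses apply to NFS DRAs only")
        if d.cache_path == "/":
            errors.append("Cache path cannot be root (/) for an S3 DRA")
    elif d.repository_type == "NFS":
        if url.scheme != "nfs" or not url.netloc:
            errors.append("NFS data repository path must look like nfs://nfs-domain-name/exportpath")
        if d.subdirectories and url.path.strip("/"):
            errors.append("With Subdirectories, the data repository path must be only nfs://filer-domain-name")
        if d.cache_path == "/" and not d.subdirectories:
            errors.append("Cache path can be root (/) only when Subdirectories is specified")
        if len(d.dns_server_ips) > 2:
            errors.append("At most two DNS server IP addresses can be specified")
        for ip in d.dns_server_ips:
            try:
                if ipaddress.ip_address(ip).version != 4:
                    raise ValueError
            except ValueError:
                errors.append(f"DNS server IP address {ip!r} is not an IPv4 address")
    else:
        errors.append(f"Unknown repository type {d.repository_type!r} (expected S3 or NFS)")
    if not d.cache_path.startswith("/"):
        errors.append("Cache path requires a leading forward slash")
    return errors


def validate_dras(dras: list[DRA]) -> list[str]:
    """Whole-cache rules: count, single repository type, root exclusivity, no overlaps."""
    errors = []
    if len(dras) > MAX_DRAS:
        errors.append(f"A cache supports at most {MAX_DRAS} DRAs; {len(dras)} given")
    if len({d.repository_type for d in dras}) > 1:
        errors.append("All DRAs on a cache must link to the same repository type (S3 or NFS)")
    if len(dras) > 1 and any(d.cache_path == "/" for d in dras):
        errors.append("A DRA with cache path root (/) must be the only DRA on the cache")
    for i, d in enumerate(dras):
        errors.extend(f"DRA {i}: {e}" for e in validate_dra(d))
    for i in range(len(dras)):
        for j in range(i + 1, len(dras)):
            a, b = dras[i], dras[j]
            if _overlap(_with_slash(a.cache_path), _with_slash(b.cache_path)):
                errors.append(f"DRAs {i} and {j}: cache paths overlap ({a.cache_path}, {b.cache_path})")
            if any(_overlap(x, y) for x in repository_spans(a) for y in repository_spans(b)):
                errors.append(f"DRAs {i} and {j}: data repository paths overlap")
    return errors


if __name__ == "__main__":
    # Constructed sample: the overlapping-prefix case described on this page.
    proposed = [
        DRA("S3", "s3://myBucket/myPrefix/", "/ns1"),
        DRA("S3", "s3://myBucket/myPrefix/mySubPrefix", "/ns2"),
    ]
    for problem in validate_dras(proposed):
        print(problem)
```

Running the script reports that the two S3 paths overlap; `validate_dras` is the entry point to call on a full plan, and `validate_dra` checks one association on its own. The overlap test deliberately normalizes every path with a trailing "/" before comparing, which is what keeps `/ns1` and `/ns10` from being mistaken for a conflict.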

# Working with server-side encrypted Amazon S3 buckets
<a name="s3-server-side-encryption-support"></a>

Amazon File Cache supports Amazon Simple Storage Service (Amazon S3) buckets that use server-side encryption with S3-managed keys (SSE-S3), and server-side encryption with AWS Key Management Service (AWS KMS) keys stored in AWS KMS (SSE-KMS).

If you want Amazon File Cache to encrypt data when writing to your S3 bucket, you must set the default encryption on your S3 bucket to either SSE-S3 or SSE-KMS. For more information, see [Configuring default encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html) in the *Amazon S3 User Guide*.

When writing files to your S3 bucket, Amazon File Cache follows the default encryption policy of your S3 bucket.

By default, Amazon File Cache supports S3 buckets encrypted using SSE-S3. If you want to link your Amazon File Cache to an S3 bucket encrypted using SSE-KMS encryption, you must add a statement to your customer managed key policy that allows Amazon File Cache to encrypt and decrypt objects in your S3 bucket using your AWS KMS key.

The following statement allows a specific Amazon File Cache to encrypt and decrypt objects for a specific S3 bucket, *bucket\_name*.

```
{
    "Sid": "Allow access through S3 for the FSx SLR to use the KMS key on the objects in the given S3 bucket",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::aws_account_id:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_file_cache_id"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:CallerAccount": "aws_account_id",
            "kms:ViaService": "s3.bucket-region.amazonaws.com"
        },
        "StringLike": {
            "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket_name/*"
        }
    }
}
```

**Note**  
If you're using an AWS KMS customer managed key (CMK) to encrypt your S3 bucket with S3 Bucket Keys enabled, set the `EncryptionContext` to the bucket ARN, not the object ARN, as in this example:

```
"StringLike": {
    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket_name"
}
```

The following policy statement allows every Amazon File Cache in your account to link to a specific S3 bucket.

```
{
    "Sid": "Allow access through S3 for the FSx SLR to use the KMS key on the objects in the given S3 bucket",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:CallerAccount": "aws_account_id",
            "kms:ViaService": "s3.bucket-region.amazonaws.com"
        },
        "StringLike": {
            "aws:userid": "*:FSx",
            "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket_name/*"
        }
    }
}
```
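A wildcard principal in a key policy is only as safe as the conditions attached to it, so it is worth checking a statement mechanically before attaching it to the key. The following Python code is an added example written for this page, not AWS code or part of any AWS SDK: it builds the two statement shapes shown above from your own values and then checks a statement for the scoping this page relies on (the SLR as principal, or `*` narrowed by `aws:userid`; `kms:CallerAccount`; `kms:ViaService`; and an `EncryptionContext` pattern that matches what S3 sends, the object ARN or, with S3 Bucket Keys, the bucket ARN). The account ID, Region, bucket name, cache ID and the simulated `aws:userid` value are constructed placeholders; the concrete operations it checks are the ones listed by the `create-grant` command later on this page, minus `CreateGrant`.

```python
import fnmatch

# Concrete KMS operations the statement must cover: the operations the
# create-grant command on this page lists, minus CreateGrant.
REQUIRED_OPERATIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]


def slr_arn(account_id: str, cache_id: str) -> str:
    """ARN of the File Cache service-linked role, in the form shown on this page."""
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            f"s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_{cache_id}")


def file_cache_key_statement(account_id, region, bucket, cache_id=None, bucket_keys_enabled=False):
    """Build the key policy statement shown on this page: scoped to one cache when
    cache_id is given, otherwise to every File Cache in the account (Principal "*"
    narrowed by aws:userid "*:FSx")."""
    context_pattern = f"arn:aws:s3:::{bucket}" if bucket_keys_enabled else f"arn:aws:s3:::{bucket}/*"
    string_like = {"kms:EncryptionContext:aws:s3:arn": context_pattern}
    if cache_id is None:
        string_like["aws:userid"] = "*:FSx"
    return {
        "Sid": "Allow access through S3 for the FSx SLR to use the KMS key on the objects in the given S3 bucket",
        "Effect": "Allow",
        "Principal": {"AWS": slr_arn(account_id, cache_id) if cache_id else "*"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:CallerAccount": account_id, "kms:ViaService": f"s3.{region}.amazonaws.com"},
            "StringLike": string_like,
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_statement(stmt, account_id, region, bucket, cache_id, bucket_keys_enabled=False):
    """Return findings for one statement; empty means it grants the File Cache SLR
    the required operations and is scoped the way the statements on this page are."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return ["Effect is not Allow"]
    principal = stmt.get("Principal", {})
    principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    condition = stmt.get("Condition", {})
    equals = condition.get("StringEquals", {})
    like = condition.get("StringLike", {})

    if slr_arn(account_id, cache_id) in principals:
        pass
    elif "*" in principals:
        # "AROAEXAMPLEID:FSx" is a constructed aws:userid for an SLR session named FSx.
        if not fnmatch.fnmatchcase("AROAEXAMPLEID:FSx", like.get("aws:userid", "")):
            findings.append('Principal "*" without the aws:userid "*:FSx" condition: any caller in this '
                            'account that reaches the key through S3 could use it')
    else:
        findings.append("Principal does not include the File Cache SLR")

    allowed = _as_list(stmt.get("Action", []))
    for op in REQUIRED_OPERATIONS:
        if not any(fnmatch.fnmatchcase(op, pattern) for pattern in allowed):
            findings.append(f"Action list does not cover {op}")
    if equals.get("kms:CallerAccount") != account_id:
        findings.append("kms:CallerAccount is missing or is not the cache's account")
    if equals.get("kms:ViaService") != f"s3.{region}.amazonaws.com":
        findings.append("kms:ViaService does not pin requests to S3 in the bucket's region")

    # S3 passes the object ARN as encryption context, or the bucket ARN when
    # S3 Bucket Keys are enabled; the StringLike pattern must match what is sent.
    context_value = f"arn:aws:s3:::{bucket}" if bucket_keys_enabled else f"arn:aws:s3:::{bucket}/some/object-key"
    if not fnmatch.fnmatchcase(context_value, like.get("kms:EncryptionContext:aws:s3:arn", "")):
        findings.append(f"EncryptionContext pattern does not match the context S3 sends ({context_value})")
    return findings


if __name__ == "__main__":
    # Constructed values, not a real account, bucket or cache.
    account, region, bucket, cache = "111122223333", "us-east-1", "amzn-s3-demo-bucket", "fc-0123456789abcdef0"
    stmt = file_cache_key_statement(account, region, bucket, cache)
    print(check_statement(stmt, account, region, bucket, cache))                            # []
    print(check_statement(stmt, account, region, bucket, cache, bucket_keys_enabled=True))  # one EncryptionContext finding
```

The second call shows the Bucket Keys caveat from the note above: the object-ARN pattern `arn:aws:s3:::bucket_name/*` does not match the bucket ARN that S3 sends as encryption context once Bucket Keys are enabled, so the statement silently stops applying. Removing the `aws:userid` line from the account-wide statement produces the wildcard-principal finding, which is the other misconfiguration the checker is there to catch.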

## Accessing server-side encrypted Amazon S3 buckets in a different AWS account
<a name="s3-server-side-cross-account-support"></a>

After you create a cache linked to an encrypted Amazon S3 bucket, you must then grant the `AWSServiceRoleForFSxS3Access_fc-01234567890` service-linked role (SLR) access to the AWS KMS key used to encrypt the S3 bucket before reading or writing data from the linked S3 bucket. You can use an IAM role that already has permissions on the AWS KMS key.

**Note**  
This IAM role must be in the account that the Amazon File Cache was created in (which is the same account as the S3 SLR), not the account that the AWS KMS key/S3 bucket belongs to.

You use the IAM role to call the following AWS KMS API to create a grant for the S3 SLR so that the SLR gains permission to access the S3 objects. To find the ARN associated with your SLR, search your IAM roles using your cache ID as the search string.

```
$ aws kms create-grant --region cache_account_region \
      --key-id arn:aws:kms:s3_bucket_account_region:s3_bucket_account:key/key_id \
      --grantee-principal arn:aws:iam::cache_account_id:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_file-cache-id \
      --operations "Decrypt" "Encrypt" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "CreateGrant" "DescribeKey" "ReEncryptFrom" "ReEncryptTo"
```
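After running the `create-grant` command, you can confirm that the grant landed on the right key, for the right SLR, with the expected operations by listing the key's grants. The following Python code is an added example written for this page, not AWS code: it parses a constructed sample of `aws kms list-grants --key-id <key-arn>` output (hypothetical account IDs, key ARN, grant ID and cache ID) and reports a missing grant, missing operations, or operations beyond the set in the command above.

```python
import json

# Operations the create-grant command on this page passes.
GRANT_OPERATIONS = {
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "CreateGrant", "DescribeKey", "ReEncryptFrom", "ReEncryptTo",
}


def slr_arn(cache_account_id: str, cache_id: str) -> str:
    """ARN of the cache's service-linked role, in the form used on this page."""
    return (f"arn:aws:iam::{cache_account_id}:role/aws-service-role/"
            f"s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_{cache_id}")


# Constructed sample of `aws kms list-grants` output: the cache lives in account
# 111122223333, the key in bucket account 444455556666 (hypothetical IDs, not real data).
SAMPLE_KEY_ARN = "arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_LIST_GRANTS = json.dumps({
    "Grants": [
        {
            "KeyId": SAMPLE_KEY_ARN,
            "GrantId": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
            "GranteePrincipal": slr_arn("111122223333", "fc-0123456789abcdef0"),
            "IssuingAccount": "arn:aws:iam::111122223333:root",
            "Operations": sorted(GRANT_OPERATIONS),
        }
    ]
})


def check_slr_grant(list_grants_json: str, cache_account_id: str, cache_id: str, key_arn: str) -> list[str]:
    """Confirm the key carries a grant for the cache's SLR with exactly the
    operations this page's command creates; returns findings (empty = OK)."""
    grantee = slr_arn(cache_account_id, cache_id)
    grants = [g for g in json.loads(list_grants_json).get("Grants", [])
              if g.get("GranteePrincipal") == grantee and g.get("KeyId") == key_arn]
    if not grants:
        return [f"no grant on {key_arn} for {grantee}; run create-grant from the cache account"]
    findings = []
    for g in grants:
        ops = set(g.get("Operations", []))
        if GRANT_OPERATIONS - ops:
            findings.append(f"grant {g.get('GrantId')} is missing operations {sorted(GRANT_OPERATIONS - ops)}")
        if ops - GRANT_OPERATIONS:
            findings.append(f"grant {g.get('GrantId')} allows operations beyond this guide's list: "
                            f"{sorted(ops - GRANT_OPERATIONS)}")
    return findings


if __name__ == "__main__":
    print(check_slr_grant(SAMPLE_LIST_GRANTS, "111122223333", "fc-0123456789abcdef0", SAMPLE_KEY_ARN))  # []
```

In practice you would feed the function the real output of `aws kms list-grants`, run with credentials in the bucket's account (the key owner), and the cache account ID and cache ID you used in `create-grant`. The grant is matched on both the grantee principal and the key ARN, so a grant created against the wrong key or for a different cache shows up as "no grant" rather than passing.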

For more information about service-linked roles, see [Using service-linked roles for Amazon FSx](using-service-linked-roles.md).