pbs_s3_client_create
Create a persistent PBS S3 client configuration for object storage access. Dry-run generates a plan; confirm=True executes the API call.
Instructions
MUTATION: create a PBS S3 client configuration.
RISK_MEDIUM: creates a PERSISTENT CREDENTIAL-BEARING entry (mirrors pbs_remote_create, not the LOW-rated additive-config pattern of e.g. pbs_tape_pool_create). SECRET CONTRACT: secret-key is NEVER written to the audit ledger or the dry-run PLAN — it is forwarded RAW only to the real PBS API on confirm=True (the create must actually work). access-key is NOT redacted (schema-confirmed non-secret). Dry-run by default (returns a PLAN); confirm=True executes (POST /config/s3, synchronous — PBS returns null) and returns {"status": "ok", "result": None}. Needs PROXIMO_PBS_* config.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| port | No | Port to access the S3 object store (1-65535). | |
| s3_id | Yes | New S3 client config id (3-32 chars, alnum/underscore start, then alnum/./_/-). | |
| region | No | Region to access the S3 object store (lowercase alnum/underscore/hyphen, <=32 chars). | |
| confirm | No | False (default) returns a dry-run PLAN only; True executes the creation. | |
| rate_in | No | Inbound rate limit as a byte size with unit, e.g. '10MB' (1-64 chars). | |
| burst_in | No | Inbound burst limit as a byte size with unit (1-64 chars). | |
| endpoint | Yes | Endpoint hostname/IPv4/IPv6 to access the S3 object store (may use {{bucket}}./{{region}} templating). | |
| rate_out | No | Outbound rate limit as a byte size with unit (1-64 chars). | |
| burst_out | No | Outbound burst limit as a byte size with unit (1-64 chars). | |
| access_key | Yes | Access key for the S3 object store. NOT treated as secret — PBS itself returns this unredacted on every read (AWS convention: identifies the credential pair, is not itself the credential). | |
| path_style | No | Use path-style bucket addressing instead of vhost-style. | |
| secret_key | Yes | Secret key for the S3 object store. SECRET — never written to the audit ledger or the dry-run PLAN. | |
| fingerprint | No | X509 certificate fingerprint (sha256, 32 colon-separated hex byte-pairs) to pin the endpoint's TLS cert. | |
| proximo_target | No | Which configured Proxmox target to run this call against — a target name from your multi-target config (a specific PVE/PBS/PMG/PDM box). Omit to use the single/default target from the environment; the selection applies only to this call. | |
| provider_quirks | No | Provider-specific implementation quirks: 'skip-if-none-match-header' and/or 'delete-objects-via-delete-object'. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |