---
title: "Enterprise File Storage - Getting started with Trident CSI"
description: "Deploy NetApp Trident CSI on OVHcloud Enterprise File Storage to manage volumes and snapshots in Kubernetes"
url: https://docs.ovhcloud.com/en/guides/storage-and-backup/file-storage/enterprise-file-storage/netapp-trident-csi
lang: en
lastUpdated: 2026-06-11
---
# Enterprise File Storage - Getting started with Trident CSI
## Objective
The guide will provide a clear, step-by-step reference for deploying and configuring NetApp Trident CSI on OVHcloud Managed Kubernetes (MKS), enabling seamless access to Enterprise File Storage through the vRack. This guide consolidates best practices, prerequisites, IAM setup, backend configuration, and advanced features such as snapshots and volume management.
## Requirements
- An [Enterprise File Storage](https://www.ovhcloud.com/en-gb/storage-solutions/enterprise-file-storage/) service in your OVHcloud account
- An [OVHcloud Managed Kubernetes](https://www.ovhcloud.com/en-gb/public-cloud/kubernetes/) cluster
- A [vRack](https://www.ovhcloud.com/en-gb/network/vrack/) with [vRack Services](/en/guides/network/vrack-services/global.md) configured
- Familiarity with the [OVHcloud APIs](/en/guides/manage-and-operate/api/first-steps.md) and/or the [OVHcloud CLI](/en/guides/manage-and-operate/cli/getting-started.md)
Before beginning, ensure your environment meets the following criteria:
**vRack**
- **Public Cloud Project and vRack Services** belong to the same vRack
**Region**
- **vRack Services and EFS** are inside the same region
**Network**
- **Same VLAN ID** is used for the vRack Services subnet and the MKS Private Network
- **Same CIDR** is used for vRack Services subnet and MKS Private network subnet
- **MKS Private network Allocation Pool** IPs do not overlap with the vRack Services Service Range
**Connectivity**
- **A Gateway** is required for MKS nodes to reach the OVHcloud API
:::info
**Note:** EFS and MKS regions may differ; be aware that latency between different regions may impact your storage workloads performance.
**It's highly recommended to keep your storage and compute as close as possible.**
:::
## Instructions
### IAM Configuration (Identity and Access Management)
Trident requires a dedicated service account to interact with the OVHcloud API and manage Enterprise File Storage volumes. Follow these steps to configure IAM properly.
#### 1. Service Account Creation (OAuth2)
Create an OAuth2 client with the OVHcloud API or CLI using the `CLIENT_CREDENTIALS` flow.
**Via the API**
Use the following API call:
🇪🇺EU▾
[POST/me/api/oauth2/client](https://eu.api.ovh.com/console/?section=/me&branch=v1#post-/me/api/oauth2/client)
With the following request body:
```json
{
"description": "Service Account for Trident CSI",
"flow": "CLIENT_CREDENTIALS",
"name": "TRIDENT-CSI"
}
```
The API will respond with:
```json
{
"clientId": "EU.xxxxxxxxxxxxxxxx",
"clientSecret": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
}
```
**Via the CLI**
The Service account can be created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the following command (complete it with your values):
```bash
ovhcloud account api oauth2 client create --name "TRIDENT-CSI" --description "Service Account for Trident CSI" --flow "CLIENT_CREDENTIALS"
```
The CLI will respond with the `client ID` and `client secret` values:
```bash
✅ OAuth2 client created successfully (client ID: EU.xxxxxxxxxxxxxxxx, client secret: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa)
```
:::info
**Note:** Save the `clientId` and `clientSecret` securely, they are required for backend configuration.
:::
#### 2. IAM Policy Creation
Configure an IAM policy that must contain the following elements: the service account to authorize, the `Enterprise File Storage` service(s) to include, and the actions to grant, which are summarized in the table below:
| Action | Description |
| ------------------------------------------- | ------------------------------- |
| storageNetApp:apiovh:get | List services |
| storageNetApp:apiovh:serviceInfos/get | Get service information |
| storageNetApp:apiovh:share/accessPath/get | Get NFS mount point for a share |
| storageNetApp:apiovh:share/acl/create | Create ACL |
| storageNetApp:apiovh:share/acl/delete | Delete ACL |
| storageNetApp:apiovh:share/acl/get | List ACL for a share |
| storageNetApp:apiovh:share/create | Create a share |
| storageNetApp:apiovh:share/delete | Delete a share |
| storageNetApp:apiovh:share/edit | Update a share |
| storageNetApp:apiovh:share/extend | Extend a share |
| storageNetApp:apiovh:share/get | List shares |
| storageNetApp:apiovh:share/revertToSnapshot | Restore a snapshot |
| storageNetApp:apiovh:share/snapshot/create | Create a snapshot |
| storageNetApp:apiovh:share/snapshot/delete | Delete a snapshot |
| storageNetApp:apiovh:share/snapshot/edit | Update a snapshot |
| storageNetApp:apiovh:share/snapshot/get | List snapshots |
**Via the API**
Use the following API call to create the IAM policy:
🇪🇺EU▾
[POST/iam/policy](https://eu.api.ovh.com/console/?section=/iam&branch=v2#post-/iam/policy)
With the following request body:
:::info
In the `identities` field, replace `xx11111-ovh` with your OVHcloud account ID (NIC handle) and `EU.xxxxxxxxxxxxxxxx` with the `clientId` obtained in step 1.
:::
:::info
In the `resources` field, replace the `urn` value with your Enterprise File Storage (EFS) URN.
You can get your service URN using the following API call:
Use `resourceName={serviceName}` query parameter with your Enterprise File Storage service ID.
In the API response, copy the `urn` value. For example: `urn:v1:eu:resource:storageNetApp:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.
:::
```json
{
"description": "Trident CSI",
"identities": [
"urn:v1:eu:identity:credential:xx11111-ovh/oauth2-EU.xxxxxxxxxxxxxxxx"
],
"name": "trident-policy",
"permissions": {
"allow": [
{
"action": "storageNetApp:apiovh:get"
},
{
"action": "storageNetApp:apiovh:serviceInfos/get"
},
{
"action": "storageNetApp:apiovh:share/accessPath/get"
},
{
"action": "storageNetApp:apiovh:share/acl/create"
},
{
"action": "storageNetApp:apiovh:share/acl/delete"
},
{
"action": "storageNetApp:apiovh:share/acl/get"
},
{
"action": "storageNetApp:apiovh:share/create"
},
{
"action": "storageNetApp:apiovh:share/delete"
},
{
"action": "storageNetApp:apiovh:share/edit"
},
{
"action": "storageNetApp:apiovh:share/extend"
},
{
"action": "storageNetApp:apiovh:share/get"
},
{
"action": "storageNetApp:apiovh:share/revertToSnapshot"
},
{
"action": "storageNetApp:apiovh:share/snapshot/create"
},
{
"action": "storageNetApp:apiovh:share/snapshot/delete"
},
{
"action": "storageNetApp:apiovh:share/snapshot/edit"
},
{
"action": "storageNetApp:apiovh:share/snapshot/get"
}
]
},
"resources": [
{
"urn": "urn:v1:eu:resource:storageNetApp:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
]
}
```
The API will respond with the created policy details:
```json
{
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "trident-policy",
"description": "Trident CSI",
...
}
```
**Via the CLI**
The IAM policy can be created with the [OVHcloud CLI](https://github.com/ovh/ovhcloud-cli) and the following command (complete it with your values):
:::info
In the `identities` field, replace `xx11111-ovh` with your OVHcloud account ID (NIC handle) and `EU.xxxxxxxxxxxxxxxx` with the `clientId` obtained in step 1.
:::
:::info
In the `resources` field, replace the `urn` value with your Enterprise File Storage (EFS) URN.
Run the following command to retrieve your service URN:
```bash
ovhcloud iam resource list --filter 'name=="{serviceName}"' -o json
```
Replace `{serviceName}` with your Enterprise File Storage service ID.
In the command output, copy the `urn` value. For example: `urn:v1:eu:resource:storageNetApp:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.
:::
```bash
cat < trident-values.yaml
tridentSilenceAutosupport: true
operatorImage: "ovhcom/trident-operator:25.02.1-linux-amd64"
tridentImage: "ovhcom/trident:25.02.1-linux-amd64"
EOF
```
Run the installation:
```bash
helm repo add netapp-trident https://netapp.github.io/trident-helm-chart
helm install trident-operator netapp-trident/trident-operator \
--version 100.2502.1 \
--create-namespace \
--namespace trident \
-f trident-values.yaml
```
The output should show that the Helm chart was deployed:
```bash
NAME: trident-operator
LAST DEPLOYED: Tue Feb 17 13:51:15 2026
NAMESPACE: trident
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing trident-operator, which will deploy and manage NetApp's Trident CSI
storage provisioner for Kubernetes.
Your release is named 'trident-operator' and is installed into the 'trident' namespace.
Please note that there must be only one instance of Trident (and trident-operator) in a Kubernetes cluster.
To configure Trident to manage storage resources, you will need a copy of tridentctl, which is
available in pre-packaged Trident releases. You may find all Trident releases and source code
online at https://github.com/NetApp/trident.
To learn more about the release, try:
$ helm status trident-operator
$ helm get all trident-operator
```
Once the installation is complete, verify that all Trident pods are in `Running` state in the trident namespace before proceeding:
```bash
kubectl get pods -n trident
```
The output should show all pods in `Running` state:
```bash
NAME READY STATUS RESTARTS AGE
trident-controller-75869d7499-ffmkt 6/6 Running 0 4m25s
trident-node-linux-4gv6w 2/2 Running 1 (4m24s ago) 4m25s
trident-node-linux-g942s 2/2 Running 1 (4m24s ago) 4m24s
trident-node-linux-tfjc2 2/2 Running 0 4m25s
trident-operator-787b98cb7c-sgtdh 1/1 Running 0 4m26s
```
### Trident Backend Creation
The Trident backend connects NetApp Trident to the OVHcloud Enterprise File Storage service using the IAM credentials previously created.
#### 1. Secret Creation
Create a secret containing the connection information that allows Trident to access the OVHcloud API.
:::warning
Replace `clientID` and `clientSecret` values with the credentials obtained in step 1.
:::
```bash
cat <` 5m34s
```
Once a Pod uses this PVC, the volume will be automatically mounted via the NFS protocol.
### Advanced Features
#### Snapshot Management
NetApp Trident supports on-demand volume snapshots for Enterprise File Storage.
- Define a `VolumeSnapshotClass` to manage snapshot lifecycle:
```bash
cat <`.
- **Network connectivity issues**: Verify that the MKS cluster can reach the Enterprise File Storage service through the vRack.
## Go further
[Enterprise File Storage - Private network configuration](/en/guides/storage-and-backup/file-storage/enterprise-file-storage/netapp-network-config.md)
[Enterprise File Storage - Connect a Public Cloud instance to an EFS Volume via vRack Private Network](/en/guides/storage-and-backup/file-storage/enterprise-file-storage/netapp-pci-connection-via-vrack.md)
[Managing OVHcloud service accounts via the API](/en/guides/manage-and-operate/api/manage-service-account.md)
[Enterprise File Storage - FAQ](/en/guides/storage-and-backup/file-storage/enterprise-file-storage/netapp-faq.md)
If you need training or technical assistance to implement our solutions, contact your sales representative or click on [this link](https://www.ovhcloud.com/en-gb/professional-services/) to get a quote and ask our Professional Services experts for assisting you on your specific use case of your project.
Join our [community of users](https://community.ovhcloud.com/).