IBM Cloud Docs
Creating file shares and mount targets

Creating file shares and mount targets

Create file shares and mount targets in the console, CLI, API, or Terraform.

Before you get started, and try to create mount targets for file shares, make sure that you created a VPC.

You can create file shares and mount targets either of the following ways:

  • Create a file share and mount target together,
  • Create a file share and add mount target later.

When you create a mount target, its transit encryption type must reflect the share's allowed transit encryption modes. You can create multiple mount targets for the share if it's to be used by resources in different VPCs. You can create one mount target per VPC for the file share.

Customers with special access to preview the new regional file share offering can use the rfs profile to create file shares with regional availability and adjustable throughput values.

Creating a file share in the console

In the IBM Cloud console, you can create a file share with or without a mount target. However, you need to create a mount target when you want to mount the share on a virtual server instance.

Creating a file share in the console

  1. In the IBM Cloud console, click the Navigation menu icon menu icon > Infrastructure VPC icon > Storage > File storage shares. A list of file shares displays.

  2. On the File storage shares for VPC page, click Create. Select Create file share.

  3. Enter the following information.

    Values for creating a file share
    Field Value
    Availability New Beta If you're a customer with special access to preview the new regional file share offering, you can choose between Regional and Single zone data availability. You can't change this property after the share is created.
    If you're account is not allow-listed, this field does not appear. Select the location for your zonal file share.
    Location Beta If you chose Single zone availability, select the geography, region, and zone for the new file share, for example, North America, Dallas (us-south), us-south-2. If you chose regional availability, select the region. For example, Dallas (us-south).
    Details
    Name Specify a meaningful name for your file share. The file share name can be up to 63 lowercase alpha-numeric characters and include the hyphen (-), and must begin with a lowercase letter. You can later edit the name if you want.
    Resource Group Use the default resource group or specify a Resource group. Resource groups help organize your account resources for access control and billing purposes.
    Tags (optional) Enter any user tags to apply to this file share. As you type, existing tags appear that you can select. For more information about tags, see Add user tags to a file share.
    Access Management Tags (optional) Enter access management tags that you created in IAM to apply them to this file share. For more information about access management tags, see Access management tags for file shares.
    Profile

    The profile is auto-populated based on your data availability selection. For more information, see file Storage profiles.

    • If you chose Single zone availability, your file share uses the dp2 profile. Select the size and IOPS for your file share. You can increase the capacity later, and you can also adjust the IOPS as needed.
    • Beta If you chose regional availability, your file share uses the rfs profile. Select the size and bandwidth for your file share. You can increase the capacity later, and you can also adjust the bandwidth as needed.
    Mount target access mode Select how you want to manage access to this file share:
    Security group: Access to the file share is based on security group rules. This option can be used to restrict access to specific virtual server instances. You can also use this option if you want to mount the file share to a virtual server instance in another zone. This option is recommended as you have more control over who can access the data that is stored on the file share. When you choose this type of access, you can also specify the allowed transit encryption modes.
    Virtual private cloud: Access to the file share is granted to any virtual server instance in the same region. Cross-zone mounting, encryption in transit, cross-zone mounting, and snapshots are not supported when this access mode is selected. Beta This legacy access mode is not supported for regional shares.
    Allowed transit encryption modes As the share owner, you can specify how you want clients within your account and authorized accounts to connect to your file share. You can select none if you do not want them to use encryption in transit. If you want them to use encryption in transit, select IPsec for a zonal share or Beta stunnel for a regional share. If you select both available options, then the transit encryption type of the first mount target decides the transit encryption types of all future mount targets within the account.
  4. The creation of mount targets is optional. You can skip this step if you do not want to create a mount target now. Otherwise, click Create. You can create one mount target per VPC per file share.

    • If you selected security group as the access mode, enter the information as described in the Table 2. This action creates and attaches a virtual network interface to your mount target that identifies the file share with a reserved IP address and applies the rules of the selected Security group. This mount target supports encryption-in-transit and cross-zone mounting.

      1. Provide a mount target name. The name can be up to 63 lowercase alpha-numeric characters and include the hyphen (-), and must begin with a lowercase letter. You can later edit the name if you want.
      2. Select an available VPC. The list includes only those VPCs with a subnet in the selected location. The location selection is inherited from the file share (for example, us-south-2).
      3. A default virtual network interface is generated. You can customize it by clicking the Edit icon Edit icon. You can change the name or subnet if you have multiple subnets in the zone.
      4. Click Next.
      5. Encryption in transit is disabled by default for zonal shares, and it is enabled by default for regional shares. Click the toggle to change the preset value. For more information about this feature, see Encryption in transit - Securing mount connections between file share and host.
      6. Then, click Next.
      7. Review your selection, and either click Back to return and update your choices or click Create.
    • If you selected VPC as the access mode, provide a name for the mount target and select a VPC from the list. This mount target can be used to mount the file share on any virtual server instance of the selected VPC in the same zone as the file share. Cross-zone mounting is not supported.

  5. Encryption at rest. By default, all file shares are encrypted by IBM-managed keys. You can also choose to create an envelop-encryption for your shares with your own keys. If you want to use your own keys, select one of the key management services.

    Values for customer-managed encryption for file shares.
    Field Value
    Encryption To use customer-managed encryption, select either Key Protect or Hyper Protect Crypto Services. The key management service (KMS) instance includes the root key that is imported to or created in that KMS instance.
    Encryption service instance If you provisioned multiple KMS instances in your account, select the one that includes the root key that you want to use for customer-managed encryption.
    Key name Select the root key within the KMS instance that you want to use for encrypting the share.
    Key ID The field shows the key ID that is associated with the data encryption key that you selected.

    Customer-managed encryption is not supported during the beta release of the regional file share profile.

  6. When all the required information is entered, click Create file share. You return to the File Storage for VPC page, where a message indicates that the file share is provisioning. When the transaction completes, the share status changes to Active.

If you're not ready to order yet or just looking for pricing information, you can add the information that you see in the side panel to an Estimate. For more information about how this feature works, see Estimating your costs.

Creating a mount target in the console

  1. In the IBM Cloud console, click the Navigation menu icon menu icon > Infrastructure VPC icon > Storage > File storage shares.

  2. Select a file share from the list.

  3. On the File shares details page, under Mount targets, click Create.

    You must have at least one VPC to create a mount target. If you don't have one, first create a VPC.

  4. Depending on the mount target access mode of the share, the Create mount target form looks different.

    • If the share has security group access mode, enter the following information. This action creates and attaches a virtual network interface to your mount target that identifies the file share with a reserved IP address and applies the rules of the selected security group. This mount target supports encryption-in-transit and cross-zone mounting.

      1. Provide a mount target name. The name can be up to 63 lowercase alpha-numeric characters and include the hyphen (-), and must begin with a lowercase letter. You can later edit the name if you want.
      2. Select an available VPC. The list includes only those VPCs with a subnet in the selected location. The location selection is inherited from the file share (for example, us-south-2).
      3. A default virtual network interface is generated. You can customize it by clicking the Edit icon Edit icon. You can change the name or subnet if you have multiple subnets in the location.
      4. Click Next.
      5. Encryption in transit is disabled by default for zonal shares, and it is enabled by default for regional shares. Click the toggle to change the preset value. For more information about this feature, see Encryption in transit - Securing mount connections between file share and host.
      6. Then, click Next.
    • If the zonal share has VPC as the access mode, provide a name for the mount target and select a VPC from the list. This mount target can be used to mount the file share on any virtual server instance of the selected VPC in the same zone as the file share. Cross-zone mounting is not supported.

  5. Click Create.

Creating a file share from the CLI

Before you begin

Before you can use the CLI, you must install the IBM Cloud CLI and the VPC CLI plug-in. For more information, see the CLI prerequisites.

If you are a customer with special access to preview the regional file share profile, you can use the rfs profile to create a file share. To access the beta feature, you must set the appropriate environmental variable with the following command.

export IBMCLOUD_IS_FEATURE_SHARE_DENALI_REGIONAL_AVAILABILITY=true

The CLI returns the properties for "Allowed Access Protocols", "Availability Mode", "Bandwidth", and "Storage Generation" only when this environmental variable is set to "true".

Gathering information from the CLI

Before you run the ibmcloud is share-create command, you can gather information that you need for provisioning a share by viewing information about other file shares, mount targets, and file storage profiles.

Details for creating file shares.
Details Listing options What it provides
File shares ibmcloud is shares List all shares in a region.
File share details ibmcloud is share SHARE_ID Review details of a share.
File share snapshots ibmcloud is share-snapshots List available snapshots in the zone.
File share profiles ibmcloud is share-profiles List all file share profiles in a region. Only dp2 can be used to create file shares.
Mount targets ibmcloud is share-mount-targets SHARE_ID List all mount targets for a file share.
Subnets ibmcloud is subnets List all subnets.
Reserved IP addresses ibmcloud is subnet-reserved-ips List all reserved IP addresses in the subnet.
Security Groups ibmcloud is security-groups List all security groups.

Creating a zonal file share without a mount target from the CLI

You can use the ibmcloud is share-create command to provision a zonal file share in your selected zone with the dp2 profile, with your specific capacity and IOPS values. The following example shows how to create 1000-GB file share with 1000 IOPS in the us-south-2 zone. This file share is created with the default security group access mode and with provider-managed encryption.

$ ibmcloud is share-create --name my-file-share --zone us-south-1 --profile dp2 --size 40 --iops 100
Creating file share my-file-share under account Test Account as user test.user@ibm.com...
                                      
ID                                 r006-a08c2505-b933-4dce-a771-efff2e1a59e1   
Name                               my-file-share   
CRN                                crn:v1:bluemix:public:is:us-south-1:a/a1234567::share:r006-a08c2505-b933-4dce-a771-efff2e1a59e1   
Lifecycle state                    stable   
Access control mode                security_group   
Accessor binding role              none   
Allowed transit encryption modes   user_managed,none   
Zone                               us-south-1   
Profile                            dp2   
Size(GB)                           40   
IOPS                               100   
Encryption                         provider_managed   
Mount Targets                      ID                          Name      
                                   No mounted targets found.      
                                      
Resource group                     ID                                 Name      
                                   6edefe513d934fdd872e78ee6a8e73ef   defaults      
                                      
Created                            2025-08-01T20:10:35+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                      
Snapshot count                     0   
Snapshot size                      0   
Source snapshot                    -   

Beta Customers with special access to preview the regional file share offering can access the beta features by setting the environmental variable to true first.

Then, you can use the same command to create the zonal file share. The response shows ipsec instead of user_managed as allowed value for the transit encryption. The response also shows the Allowed Access Protocols, Availability Mode, Bandwidth, and Storage Generation properties.

$ export IBMCLOUD_IS_FEATURE_SHARE_DENALI_REGIONAL_AVAILABILITY=true
$ ibmcloud is share-create --name my-file-share --zone us-south-1 --profile dp2 --size 40 --iops 100 --allowed-access-protocols nfs4 --atem ipsec,none

Creating file share my-file-share under account Kranthi's Test Account as user Viktoria.Muirhead@ibm.com...
                                      
ID                                 r006-a08c2505-b933-4dce-a771-efff2e1a59e1   
Name                               my-file-share   
CRN                                crn:v1:bluemix:public:is:us-south-1:a/a1234567::share:r006-a08c2505-b933-4dce-a771-efff2e1a59e1   
Lifecycle state                    pending   
Access control mode                security_group   
Accessor binding role              none   
Allowed transit encryption modes   ipsec,none   
Zone                               us-south-1   
Profile                            dp2   
Size(GB)                           40   
IOPS                               100   
Encryption                         provider_managed   
Mount Targets                      ID                          Name      
                                   No mounted targets found.      
                                      
Resource group                     ID                                 Name      
                                   6edefe513d934fdd872e78ee6a8e73ef   defaults      
                                      
Created                            2025-08-01T20:10:35+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                      
Snapshot count                     0   
Snapshot size                      0   
Source snapshot                    -   
Allowed Access Protocols           nfs4   
Availability Mode                  zonal   
Bandwidth(Mbps)                    1   
Storage Generation                 1  

Security group access mode is the default and recommended setting. However, you can choose to create a file share with the VPC access mode that allows every Compute host in the VPC to mount the file share. See the following example.

$ ibmcloud is share-create --name my-vpc-file-share --zone us-south-2 --profile dp2 --size 1000 --iops 500 --access-control-mode vpc
Creating file share my-vpc-file-share under account Test Account as user test.user@ibm.com...
                                
ID                                 r006-83100dcb-24d8-45a6-91f3-256e5c17233f       
Name                               my-vpc-file-share   
CRN                                crn:v1:bluemix:public:is:us-south-2:a/efe5afc483594adaa8325e2b4d1290df::share:r006-83100dcb-24d8-45a6-91f3-256e5c17233f    
Lifecycle state                    pending   
Access control mode                vpc   
Accessor binding role              none
Allowed transit encryption modes   user_managed,none
Zone                               us-south-2   
Profile                            dp2   
Size(GB)                           1000   
IOPS                               500  
Encryption                         provider_managed   
Mount Targets                      ID                                 Name      
                                   No mounted targets found.      
                                
Resource group                     ID                                 Name      
                                   11caaa983d9c4beb82690daab08717e9  Default      
                                
Created                            2025-04-18T19:22:41+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                
Snapshot count                     0   
Snapshot size                      0   
Source snapshot                    -  

Creating a regional file share without a mount target from the CLI

Beta Customers with special access to preview the new regional file share offering can use the rfs profile to create file shares with regional availability and adjustable throughput values.

Before you begin, remember to set the environmental variable:

export IBMCLOUD_IS_FEATURE_SHARE_DENALI_REGIONAL_AVAILABILITY=true

The CLI returns the properties for "Allowed Access Protocols", "Availability Mode", "Bandwidth", and "Storage Generation" only when this environmental variable is set to "true".

The following example shows how to create 40-GB regional file share with 125 MBps bandwidth. This file share is created with security group access mode and with provider-managed encryption. The file share is created in the region that you selected when you logged in, no location selection is required.

$ ibmcloud is share-create --name my-regional-file-share --profile rfs --size 40 --bandwidth 125 --allowed-access-protocols nfs4 --atem stunnel,none 
Creating file share my-regional-file-share under account Test Account as user test.user@ibm.com...
                                
                                      
ID                                 r006-749d05eb-9779-4414-b902-553a4fd1421d   
Name                               my-regional-file-share   
CRN                                crn:v1:bluemix:public:is:us-south:a/a1234567::share:r006-749d05eb-9779-4414-b902-553a4fd1421d   
Lifecycle state                    pending   
Access control mode                security_group   
Accessor binding role              none   
Allowed transit encryption modes   stunnel,none   
Zone                               -   
Profile                            rfs   
Size(GB)                           40   
IOPS                               35000   
Encryption                         provider_managed   
Mount Targets                      ID                          Name      
                                   No mounted targets found.      
                                      
Resource group                     ID                                 Name      
                                   6edefe513d934fdd872e78ee6a8e73ef   defaults      
                                      
Created                            2025-08-01T20:20:09+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                      
Snapshot count                     -   
Snapshot size                      -   
Source snapshot                    -   
Allowed Access Protocols           nfs4   
Availability Mode                  regional   
Bandwidth(Mbps)                    125   
Storage Generation                 2

Security group access mode is the default setting. The VPC access mode is not supported for the file shares with regional availability.

For more information about the command options, see ibmcloud is share-create.

Creating a mount target for a file share from the CLI

To create a mount target for the file share, run the share-mount-target-create command. Before you begin, gather some necessary information.

When you create a mount target, you must specify the file share that it is for. You can use the file share's name or ID. You must specify the VPC, too, either with its ID or name. The VPC must be unique to each mount target. You must also specify the security access group that's going to be used to manage access to the share. The security groups that you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all servers where you want to mount the share.

Lastly, you must specify values for the options that are needed to create a virtual network interface for the mount target. Use the appropriate CLI commands to list the available subnets, reserved IP addresses in a subnet, security groups to get the information that you need.

The following example creates a mount target with a virtual network interface for a file share that has security group access mode.

$ ibmcloud is share-mount-target-create my-file-share --subnet my-subnet --name my-cli-share-mount-target-1 --vni-name my-share-vni-1  --resource-group-id 6edefe513d934fdd872e78ee6a8e73ef  --access-protocol nfs4 --transit-encryption none --vpc my-vpc
Mounting target for share r006-b696742a-92ee-4f6a-bfd7-921d6ddf8fa6 under account Test Account as user test.user@ibm.com...
                               
ID                          r006-72c81658-35ae-40b7-abab-8480e5050857   
Name                        my-cli-share-mount-target-1   
VPC                         ID                                          Name      
                            r006-243394d6-b192-4e05-bfab-5d0b4e77cf81   my-vpc      
                               
Access control mode         security_group   
Resource type               share_mount_target   
Virtual network interface   ID                                          Name             Protocol State Filtering Mode      
                            0717-6dedcf6f-7596-4274-b158-c01f08edb697   my-share-vni-1   auto      
                               
Lifecycle state             pending   
Mount path                  -   
Transit Encryption          none   
Created                     2025-08-01T20:28:50+00:0

Beta When the same command is used to create a mount target for a regional file share, the output looks very similar. The Access Protocol property is also shown.

$ ibmcloud is share-mount-target-create my-regional-file-share --subnet my-subnet --name my-regional-share-mount-target-1 --vni-name my-share-vni-2  --resource-group-id 6edefe513d934fdd872e78ee6a8e73ef  --access-protocol nfs4 --transit-encryption none --vpc my-vpc

Mounting target for share r006-749d05eb-9779-4414-b902-553a4fd1421d under account Test Account as user test.user@ibm.com...

ID                          r006-bc95a3c2-b84b-4186-8c5a-e3dd220abefa   
Name                        my-regional-share-mount-target-1   
VPC                         ID                                          Name      
                            r006-243394d6-b192-4e05-bfab-5d0b4e77cf81   my-vpc      
                               
Access control mode         security_group   
Resource type               share_mount_target   
Virtual network interface   ID                                          Name             Protocol State Filtering Mode      
                            0717-24e7dcac-e30f-43cf-9bee-3cab93692690   my-share-vni-2   auto      
                               
Lifecycle state             pending   
Mount path                  -   
Transit Encryption          none   
Created                     2025-08-01T20:45:14+00:00   
Access Protocol             nfs4   

The following example creates a mount target for a zonal file share that has VPC access mode.

$ ibmcloud is share-mount-target-create my-vpc-file-share --vpc cli-vpc-3 --name my-vpc-mount-target --access-protocol nfs4 --transit-encryption none
Mounting target for share r006-10e82e16-ff7f-4ca4-b543-d24084fc03cf under account Test Account as user test.user@ibm.com...
                         
ID                        r006-71fd953c-8e49-48e8-ab49-5977c324a365   
Name                      my-vpc-mount-target   
VPC                       ID                                          Name      
                          r006-060fbfe6-4d0f-47b0-b9c5-94da8e719e22   cli-vpc-3      
                         
Access control mode       vpc   
Resource type             share_mount_target
Virtual network interface   
Lifecycle state           pending   
Created                   2025-07-22T22:15:15+00:00
Mount path                -    
Transit Encryption        none 

For more information about the command options, see ibmcloud is share-mount-target-create.

Creating a file share with a mount target from the CLI

You can create a file share with one or more mount targets in one step by using the ibmcloud is share-create command. You need to provide the zone name, the file share profile, the file share size, and the IOPS. You can also specify a name, user tags, and even the initial owner UID. To create the mount target, you need to provide the mount target information in JSON format.

The following example shows how to create a zonal file share with 40 GB capacity and 100 IOPS in the us-south-1 zone. The file share is tagged with env:dev and has security group access control mode. The file share can be mounted on authorized virtual servers by using the mount target my-target1.

$ ibmcloud is share-create --name my-new-file-share --zone us-south-2 --profile dp2 --size 500 --iops 2000 --allowed-transit-encryption-modes user_managed,none --user-tags env:dev --mount-targets '[{"name":"my-new-mount-target","virtual_network_interface": {"name":"my-vni","subnet": {"id":"0717-c66032c9-048d-4c35-aa83-c932e24afdbb"}}}]'

Creating file share my-new-file-share under account Test Account as user test.user@ibm.com...
                                
ID                                 r006-201487a2-cf35-4b2a-a4fe-f480803e1e80   
Name                               my-new-file-share   
CRN                                crn:v1:bluemix:public:is:us-south-2:a/a1234567::share:r006-201487a2-cf35-4b2a-a4fe-f480803e1e80   
Lifecycle state                    pending   
Access control mode                security_group   
Accessor binding role              none   
Allowed transit encryption modes   user_managed,none   
Zone                               us-south-2   
Profile                            dp2   
Size(GB)                           500   
IOPS                               2000   
User Tags                          env:dev   
Encryption                         provider_managed   
Mount Targets                      ID                                          Name      
                                   r006-c8952df9-f479-49a8-a66b-85bf112e0831   my-new-mount-target      
                                      
Resource group                     ID                                 Name      
                                   6edefe513d934fdd872e78ee6a8e73ef   defaults      
                                      
Created                            2025-08-01T21:17:25+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                      
Snapshot count                     0   
Snapshot size                      0   
Source snapshot                    -                            

Beta The following example shows how you can create a regional file share with a mount target from the CLI. Before you run the command, make sure that you set the environmental variable to true. Note that while the command specifies a low bandwidth value, the system auto-corrects the configuration to provide at least 1 Mbps for every 20 GB of capacity.

$ $ ibmcloud is share-create --name my-regional-file-share --profile rfs --size 5000 --bandwidth 125 --allowed-access-protocols nfs4 --atem stunnel --mount-targets '[{"name":"my-new-mount-target","virtual_network_interface": {"name":"my-regional-vni","subnet": {"id":"0717-c66032c9-048d-4c35-aa83-c932e24afdbb"}}}]'
Creating file share my-regional-file-share under account under account Test Account as user test.user@ibm.com...
                                      
ID                                 r006-770ff2f9-3211-459d-918b-fbf0b4a4f999   
Name                               my-regional-file-share   
CRN                                crn:v1:bluemix:public:is:us-south:a/a1234567::share:r006-770ff2f9-3211-459d-918b-fbf0b4a4f999   
Lifecycle state                    pending   
Access control mode                security_group   
Accessor binding role              none   
Allowed transit encryption modes   stunnel   
Zone                               -   
Profile                            rfs   
Size(GB)                           5000   
IOPS                               35000   
Encryption                         provider_managed   
Mount Targets                      ID                                          Name      
                                   r006-f7c84cb2-0e82-4f9e-b729-6e51ea437df6   my-new-mount-target      
                                      
Resource group                     ID                                 Name      
                                   6edefe513d934fdd872e78ee6a8e73ef   defaults      
                                      
Created                            2025-08-01T21:27:07+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                      
Snapshot count                     -   
Snapshot size                      -   
Source snapshot                    -   
Allowed Access Protocols           nfs4   
Availability Mode                  regional   
Bandwidth(Mbps)                    250   
Storage Generation                 2

The following example creates a file share with VPC access mode and a mount target that can be used by any virtual server instance within the VPC.

$ ibmcloud is share-create --name my-file-share-8 --zone us-south-1 --profile dp2 --size 40 --iops 2000 --user-tags env:dev --mount-targets '[{"name": "my-new-mount-target","vpc": {"name": "my-vpc"}}]'
Creating file share my-file-share-8 under account Test Account as user test.user@ibm.com...

ID                           r006-95ec87ba-c5fd-4178-a114-2a55c4d907d4   
Name                         my-file-share-8   
CRN                          crn:v1:bluemix:public:is:us-south-1:a/a1234567::share:r006-95ec87ba-c5fd-4178-a114-2a55c4d907d4   
Lifecycle state              pending   
Access control mode          vpc   
Accessor binding role        none   
Zone                         us-south-1   
Profile                      dp2   
Size(GB)                     40   
IOPS                         2000   
User Tags                    env:dev   
Encryption                   provider_managed   
Mount Targets                ID                                          Name      
                             r006-8b917757-ad19-4bec-8417-83157b047cea   my-new-mount-target      
                                
Resource group               ID                                 Name      
                             6edefe513d934fdd872e78ee6a8e73ef   Default    
                                
Created                      2025-04-18T19:36:35+00:00 

Replication role             none   
Replication status           none   
Replication status reasons   Status code   Status message      
                             -             -      
                                
Snapshot count               0   
Snapshot size                0   
Source snapshot              -  

Creating a file share with customer-managed encryption from the CLI

By default, File Storage for VPC shares are encrypted with IBM-managed encryption. However, you can also create an envelop-encryption for your file shares by using one of the supported key management services to create or import your own root keys. For more information, see Protecting data with envelope encryption

For more information about how to create a file share with customer-managed encryption, see Creating file shares with customer-managed encryption.

Creating a file share with a replica in another zone from the CLI

For more information about how to create a file share with a replica simultaneously, see Create a file share with replication from the CLI.

File shares with regional availability serve data in every zone of the region. Async replication within a region is not applicable to these shares.

Creating a file share from a snapshot from the CLI

You can use a snapshot of a file share to create another file share in the same zone. To create a file share based on a snapshot, run the ibmcloud is share-create command.

You can specify the name, the ID, or the CRN of the snapshot. If you choose to specify the name of the snapshot, you need to also specify the name or the ID of the file share that the snapshot belongs to. Snapshot names must be unique at the file share level, but another file share can have a snapshot with the same name.

ibmcloud is share-create --snapshot r026-7647ba64-9728-4bb4-be2f-d958f738fdae 

For more information about how to create a file share from a snapshot with other examples, see Restoring data from a file share snapshot.

Beta During the beta phase, snapshots are not supported for file shares with regional data availability. First- and second-generation file share profiles in the defined performance profile family are not interchangeable. You can't use first-generation file share's snapshot to create a share with the rfs profile.

Adding supplemental IDs when you create a file share with the CLI

With the CLI, you can set UID and GID values for the --initial-owner-uid and --initial-owner-gid property to control access to your file shares. Wherever you mount the file share, the root folder uses that user ID and group ID owner. You can set the UID or GID, or both when you create a share.

If you change the supplemental IDs (UID or GID) from the virtual server instance, it is not possible to determine that it was changed. As a result, initial_owner changes only in the file storage system, but the change isn't reflected in the CLI or API responses.

Table 1 shows UID and GID values that you can set and values that are reserved.

Unix/Linux® supplemental ID values.
ID value Description
UID
UID 0 Reserved for root.
UID 1–99 Reserved for predefined accounts.
UID 100–999 Reserved by the system for administrative system accounts and groups.
UID 1000–10000 Used by applications account.
UID 10000+ Available for user accounts.
GID
GID 0 Reserved for root.
GID 1–99 Reserved for the system and application use.
GID 100+ Allocated for the user’s group.

To set supplemental IDs when you create a share, run the ibmcloud is share-create command and specify the --initial-owner-gid and --initial-owner-gid properties with the supplemental IDs. See the following example.

$ ibmcloud is share-create --name my-file-share --zone us-south-2 --profile dp2 --size 1000 --iops 1000 --initial-owner-gid 101 --initial-owner-uid 10001
Creating file share my-file-share under account Test Account as user test.user@ibm.com...
                                
ID                                 r006-bc73917f-b86e-4f6d-b919-6997a88c8031   
Name                               my-file-share   
CRN                                crn:v1:bluemix:public:is:us-south-2:a/a1234567::share:r006-bc73917f-b86e-4f6d-b919-6997a88c8031   
Lifecycle state                    stable   
Access control mode                security_group   
Accessor binding role              none   
Allowed transit encryption modes   none,user_managed   
Zone                               us-south-2   
Profile                            dp2   
Size(GB)                           1000   
IOPS                               1000   
Encryption                         provider_managed   
Mount Targets                      ID                          Name      
                                   No mounted targets found.      
                                      
Resource group                     ID                                 Name      
                                   6edefe513d934fdd872e78ee6a8e73ef   defaults      
                                      
Created                            2025-08-01T21:42:38+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                      
Snapshot count                     0   
Snapshot size                      0   
Source snapshot                    -  

Beta When the IBMCLOUD_IS_FEATURE_SHARE_DENALI_REGIONAL_AVAILABILITY variable is set to true, the same command produces a slightly different response.

$ ibmcloud is share-create --name my-file-share --zone us-south-2 --profile dp2 --size 1000 --iops 1000 --initial-owner-gid 101 --initial-owner-uid 10001
Creating file share my-file-share under account Test Account as user test.user@ibm.com...

ID                                 r006-bc73917f-b86e-4f6d-b919-6997a88c8031   
Name                               my-file-share   
CRN                                crn:v1:bluemix:public:is:us-south-2:a/a1234567::share:r006-bc73917f-b86e-4f6d-b919-6997a88c8031   
Lifecycle state                    pending   
Access control mode                security_group   
Accessor binding role              none   
Allowed transit encryption modes   none,ipsec   
Zone                               us-south-2   
Profile                            dp2   
Size(GB)                           1000   
IOPS                               1000   
Encryption                         provider_managed   
Mount Targets                      ID                          Name      
                                   No mounted targets found.      
                                      
Resource group                     ID                                 Name      
                                   6edefe513d934fdd872e78ee6a8e73ef   defaults      
                                      
Created                            2025-08-01T21:42:38+00:00   
Replication role                   none   
Replication status                 none   
Replication status reasons         Status code   Status message      
                                   -             -      
                                      
Snapshot count                     0   
Snapshot size                      0   
Source snapshot                    -   
Allowed Access Protocols           nfs4   
Availability Mode                  zonal   
Bandwidth(Mbps)                    1   
Storage Generation                 1

Creating a file share with the API

You can create file shares and mount targets by directly calling the REST APIs.

Before you begin

Set up your API environment. Define variables for the IAM token, API endpoint, and API version. For instructions, see Setting up your API and CLI environment.

You must provide the generation parameter and specify generation=2. For more information, see Generation in the Virtual Private Cloud API reference.

A good way to learn more about the API is to click Get sample API call on the provisioning pages in IBM Cloud console. You can view the correct sequence of API requests and better understand actions and their dependencies.

Creating a zonal file share with the API

Make a POST /shares request to create a file share. Specify the size of the file share, a name, the IOPS profile, and zone. If you want to be able to create a file share with granular access authorization, specify security_group as the access mode. Shares with security group access mode can be configured to support encryption in transit, cross-zone mounts, snapshots, and backups, too. See the following example.

curl -X POST \
"$vpc_api_endpoint/v1/shares?version=2024-05-06&generation=2"\
-H "Authorization: $iam_token" \
-d '{
    "access_control_mode": "security-group",
    "allowed_transit_encryption_modes": ["none", "user-managed"],
    "size": 4800,
    "iops": 3000,
    "name": "myshare-1",
    "profile": {"name": "dp2"},
    "zone": {"name": "us-south-1"}
}

Make sure that when you create the mount target, you also specify a virtual network interface that is a member of the security group that your virtual server instance belongs to.

The following example shows a request to create a 4800 GB file share. It specifies the access control mode vpc, which enables all clients in each mount target's VPC to have access to this file share. This option is less secure, and does not support newer features.

curl -X POST \
"$vpc_api_endpoint/v1/shares?version=2023-08-08&generation=2"\
-H "Authorization: $iam_token" \
-d '{
    "size": 4800,
    "iops": 3000,
    "name": "myshare-1",
    "profile": {"name": "dp2"},
    "access_control_mode": "vpc",
    "zone": {"name": "us-south-1"}
  }'

A successful response looks like the following example.

{
  "access_control_mode": "vpc",
  "created_at": "2023-08-08T22:31:50Z",
  "crn": "crn:[...]",
  "encryption": "provider_managed",
  "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/acd96d70-b8d3-4b56-ad7f-9c1035df93b2",
  "id": "acd96d70-b8d3-4b56-ad7f-9c1035df93b2",
  "initial_owner": {
    "gid": 0,
    "uid": 0
  },
  "iops": 3000,
  "lifecycle_state": "pending",
  "name": "myshare-1",
  "profile": {
    "href": "https://us-south.iaas.cloud.ibm.com/v1/share/profiles/dp2",
    "name": "dp2",
    "resource_type": "share_profile"
  },
  "replication_role": "none",
  "replication_status": "none",
  "replication_status_reasons": [],
  "resource_group": {
    "crn": "crn:v1:public:resource-controller::a/e2f80b84-bc75-4f53-8737-8193ef1d1a7b::resource-group:e96d1fa9-76f2-4c87-a737-dbab3a947b24",
    "href": "https://resource-controller.cloud.ibm.com/v2/resource_groups/e96d1fa9-76f2-4c87-a737-dbab3a947b24",
    "id": "e96d1fa9-76f2-4c87-a737-dbab3a947b24",
    "name": "Default"
  },
  "resource_type": "share",
  "size": 4800,
  "mount_targets": [],
  "zone": {
    "href": "https://us-south.iaas.cloud.ibm.com/v1/regions/us-south/zones/us-south-1",
    "name": "us-south-1"
  }
}

Creating a regional file share with the API

Customers with special access to preview the new regional file share offering can use the rfs profile to create file shares with regional availability and adjustable throughput values.

The following example shows how to create 1000-GB regional file share with 60 MBps bandwidth. This file share is created with the default security group access mode and with provider-managed encryption. The file share is created in the region that you selected when you logged in, no location selection is required.

curl -X POST \
"$vpc_api_endpoint/v1/shares?version=2025-07-22&generation=2&maturity=beta"\
-H "Authorization: $iam_token" \
-d '{
  "name": "my-regional-share-1",
  "mount_targets": [],
  "profile": {"name": "rfs"},
  "size": 1000,
  "bandwidth": 60,
  "allowed_transit_encryption_modes": ["none","stunnel"],
  "resource_group": {"id": "db8e8d865a83e0aae03f25a492c5b39e"},
  "access_control_mode": "security_group"
}'

Creating a mount target for a file share with the API

This request creates or adds a mount target to an existing file share. In this example, the vpc property is specified because the file share's access control mode is vpc. Data encryption in transit cannot be enabled.

Access control modes of the mount target and the share must match. Both must be either vpc or security_group. When you create a mount target with security_group access mode, pay attention to the share's allowed_transit_encryption_modes. The transit_encryption value must reflect what is allowed for the share.

curl -X POST \
"$vpc_api_endpoint/v1/shares/$share_id/mount_targets?version=2023-08-08&generation=2"\
-H "Authorization: Bearer $iam_token"\
-H 'Content-Type: application/json'\
-d '{
    "access_control_mode": "vpc"
    "name": "mount-target-name1",
    "vpc": {"id": "6e01bc24-4a6e-4a0c-a1bd-4caa0c8159e7"},
    "transit_encryption": "none"
  }'

A successful response looks like the following example.

{
  "access_control_mode": "vpc",
  "created_at": "2023-08-08T23:31:59Z",
  "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/ff859972-8c39-4528-91df-eb9160eae918/mount_targets/9fdf4438-f5b4-4b6f-8bca-602494fd6c31",
  "id": "9fdf4438-f5b4-4b6f-8bca-602494fd6c31",
  "lifecycle_state": "pending",
  "mount_path": "domain.com:/vol_xyz_2891fd0a_63aa_4deb_9ed5_1159e37cb5aa",
  "name": "mount-target-name1",
  "resource_type": "share_target",
  "transit_encryption": "none",
  "vpc": {
    "crn": "crn:[...]",
    "href": "https://us-south.iaas.cloud.ibm.com/v1/vpcs/e6ff7b61-feb4-4c87-94aa-277d6f93e164",
    "id": "e6ff7b61-feb4-4c87-94aa-277d6f93e164",
    "name": "vpc-name1",
    "resource_type": "vpc"
  }
}

Adding a mount target to an existing file share by specifying a subnet and security group

Make a POST /shares/{share_id}/mount_targets request and specify a subnet and security group for the mount target network interface. The security groups that you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all servers where you want to mount the share.

This example adds a mount target to an existing zonal file share, which is identified by ID, and provides a subnet and security group to define the network interface. Encryption in transit is enabled.

 curl -X POST "$vpc_api_endpoint/v1/shares/f1ab81ef-dd30-459a-85e0-9094164978b1/mount_targets/?version=2023-07-18&generation=2"\
 -d '{
     "virtual_network_interface": {
        "subnet": {"id": "1a0b3d75-8a62-4c78-9263-f9bcd25a8759"},
        "security_groups": [{"id": "b2599112-7027-480e-ad1b-fd917d2fcb84"}]
     },
     "transit_encryption": "user_managed"
}'

Beta

Customers with special access to review the regional file share offering can use the Beta VPC API to create regional mount targets for their file shares. When you want to enable encryption in transit, specify "ipsec" for zonal shares and "stunnel" for regional shares.

 curl -X POST "$vpc_api_endpoint/v1/shares/f1ab81ef-dd30-459a-85e0-9094164978b1/mount_targets/?version=2025-07-22&generation=2&maturity=beta"\
 -d '{
     "virtual_network_interface": {
        "subnet": {"id": "1a0b3d75-8a62-4c78-9263-f9bcd25a8759"},
        "security_groups": [{"id": "b2599112-7027-480e-ad1b-fd917d2fcb84"}]
     },
     "transit_encryption": "ipsec"
}'

Creating a file share and mount target together with the API

The following example request creates a file share that has the VPC-wide access mode and a mount target that can be used by every virtual server instance in the specified VPC. It also adds user tags to the share.

Access to the mount target is VPC wide; all instances in the VPC have access to this file share. Newer features such as cross-zone mounting and data encryption in transit are not supported.

curl -X POST \
"$vpc_api_endpoint/v1/shares?version=2025-04-08&generation=2\
-H "Authorization: Bearer $iam_token"\
-H 'Content-Type: application/json'\
-d '{
    "access_control_mode": "vpc",
    "size": 4800,
    "iops": 48000,
    "mount_targets": [
      {
        "name": "mount-target-name1",
        "vpc": {"id": "a1fb6c4f-6a63-4d34-8bf6-55fab89e932a"}
      }
    ],
    "name": "share-name1",
    "profile": {"name": "dp2"},
    "user_tags": [
      "env:test",
      "env:prod"
    ],
    "resource_group": {},
    "zone": {"name": "us-south-1"}
  }'

A successful response looks like the following example.

{
  "access_control_mode": "vpc",
  "allowed_transit_encryption_modes": "none",
  "created_at": "2025-04-08T23:31:59Z",
  "crn": "crn:[...]",
  "encryption": "provider_managed",
  "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/ff859972-8c39-4528-91df-eb9160eae918",
  "id": "ff859972-8c39-4528-91df-eb9160eae918",
  "iops": 48000,
  "lifecycle_state": "stable",
  "name": "share-name1",
  "profile": {
    "href": "https://us-south.iaas.cloud.ibm.com/v1/share/profiles/dp2",
    "name": "dp2",
    "resource_type": "share_profile"
    },
  "replication_role": "none",
  "replication_status": "none",
  "replication_status_reasons": [],
  "resource_group": {
    "crn": "crn:[...]",
    "href": "https://resource-controller.cloud.ibm.com/v2/resource_groups/6b45d0aa-e0a6-478b-a5d9-bb45b106676d",
    "id": "6b45d0aa-e0a6-478b-a5d9-bb45b106676d",
    "name": "Default"
    },
  "resource_type": "share",
  "size": 4800,
  "mount_targets": [
    {
      "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/ff859972-8c39-4528-91df-eb9160eae918/mount_targets/9fdf4438-f5b4-4b6f-8bca-602494fd6c31",
      "id": "9fdf4438-f5b4-4b6f-8bca-602494fd6c31",
      "name": "mount-target-name1",
      "resource_type": "share_target",
      "vpc": {
        "crn": "crn:[...]",
        "href": "https://us-south.iaas.cloud.ibm.com/v1/vpcs/e6ff7b61-feb4-4c87-94aa-277d6f93e164",
        "id": "e6ff7b61-feb4-4c87-94aa-277d6f93e164",
        "name": "vpc-name1",
        "resource_type": "vpc"
      }
    }
  ],
  "user_tags": ["env:test","env:prod"],
  "zone": {
    "href": "https://us-south.iaas.cloud.ibm.com/v1/regions/us-south/zones/us-south-1",
    "name": "us-south-1"
  }
}

Creating a file share and mount target by specifying a subnet

The default access control mode for file shares is security_group. It's more secure than the vpc-wide options and supports newer features. To create the mount target with the network interface at the same time that the file share is created, make a POST /shares request and specify a subnet. Specifying the subnet property is required when you're not specifying a virtual network interface.

The following example creates and attaches a virtual network interface to your mount target with a reserved IP address and applies the rules of the selected security group. The security groups that you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all servers where you want to mount the share.

In this example, the mount target section specifies a subnet ID. The system picks a reserved IP from that subnet for the virtual network interface when the mount target is created.

curl -X POST "$vpc_api_endpoint/v1/shares?version=2023-08-08&generation=2"\
-H "Authorization: $iam_token"\
-d '{
    "allowed_transit_encryption_modes": ["user-managed"],
    "size": 10,
    "name": "my-share-1",
    "profile": {"name": "dp2"},
     "zone": {"name": "us-south-1"},
     "mount_targets": [{
         "virtual_network_interface": {"subnet": {"id": "4e95744c-7e64-48c9-b5d2-3b6481b1dfde"}},
         "transit_encryption": {"user_managed"}}]
}'

When the transit_encryption property is set to user_managed, encryption in transit with an instance identity certificate is enabled. The default value for the transit_encryption property is none, which disables encryption in transit. However, if the allowed_transit_encryption_modes is specified as user-managed, then the mount target must have user_managed as the value of transit_encryption.

A successful response looks like the following example.

 {
    "access_control_mode": "security_group",
    "allowed_transit_encryption_modes": ["user-managed"],
    "created_at": "2023-08-08T12:15:12Z",
    "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/90c4bb62-1724-47bd-8c45-f7d37d7c3508/mount_targets/7e5bdb52-676d-43b2-991f-2053cf6855eb",
    "id": "7e5bdb52-676d-43b2-991f-2053cf6855eb",
    "lifecycle_state": "pending",
    "mount_path": "",
    "name": "myshare-1",
    "primary_ip": {"address": ""},
    "resource_type": "share_target",
    "size": 10,
    "snapshot_count": 0, 
    "snapshot_size": 0,
    "subnet": {
        "crn": "crn:[...]",
        "href": "https://us-south.iaas.cloud.ibm.com/v1/subnets/4e95744c-7e64-48c9-b5d2-3b6481b1dfde",
        "id": "4e95744c-7e64-48c9-b5d2-3b6481b1dfde",
        "name": "subnet-2",
        "resource_type": "subnet"
    },
    "transit_encryption": "user-managed",
    "virtual_network_interface": {
        "crn": "crn:[...]",
        "href": "https://us-south.iaas.cloud.ibm.com/v1/virtual_network_interface/710y-b8aa945c-7eac-4c15-bad6-a56db9d1e9bd",
        "id": "710y-b8aa945c-7eac-4c15-bad6-a56db9d1e9bd",
        "name": "enlace-traverse-oat-console",
        "resource_type": "VirtualNetworkInterface"
    },
    "vpc": {
        "crn": "crn:[...]",
        "href": "https://us-south.iaas.cloud.ibm.com/v1/vpcs/82fa21ae-a645-4dd5-9136-d48a723bf00e",
        "id": "82fa21ae-a645-4dd5-9136-d48a723bf00e",
        "name": "my-vpc-2",
        "resource_type": "vpc"
    },
    "user_tags": []
}

Customers with special access to review the regional file share offering can use the Beta VPC API to create regional mount targets for their regional file shares. When you want to enable encryption in transit, specify "stunnel" for regional shares.

curl -X POST "$vpc_api_endpoint/v1/shares?version=2025-07-22&generation=2"&maturity=beta"\
-H "Authorization: $iam_token"\
-d '{
    "allowed_transit_encryption_modes": ["stunnel,none"],
    "size": 5000,
    "name": "my-regional-share-1",
    "profile": {"name": "rfs"},
     "mount_targets": [{
         "virtual_network_interface": {"subnet": {"id": "4e95744c-7e64-48c9-b5d2-3b6481b1dfde"}},
         "transit_encryption": {"stunnel"}}]
}'

When the transit_encryption property is set to stunnel, encryption in transit is enabled, and you must complete a few configuration steps on the compute host to mount the file share securely. In the example the allowed_transit_encryption_modes is specified as stunnel,none, then the mount target can have either one of those values as the value of transit_encryption.

A successful response looks like the following example.

 {
    "access_control_mode": "security_group",
    "accessor_binding_role": "none",
    "allowed_access_protocols": ["nfs4"],
    "allowed_transit_encryption_modes": ["stunnel"],
    "availability_mode": "regional",
    "access_control_mode": "security_group",
    "bandwidth": 2000,
    "created_at": "2025-07-22T12:15:12Z",
    "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/90c4bb62-1724-47bd-8c45-f7d37d7c3508/mount_targets/7e5bdb52-676d-43b2-991f-2053cf6855eb",
    "id": "7e5bdb52-676d-43b2-991f-2053cf6855eb",
    "lifecycle_state": "pending",
    "mount_path": "",
    "name": "my-regional-share-1",
    "primary_ip": {"address": ""},
    "resource_type": "share_target",
    "size": 5000,
    "snapshot_count": 0, 
    "snapshot_size": 0,
    "storage_generation": 2,
    "subnet": {
        "crn": "crn:[...]",
        "href": "https://us-south.iaas.cloud.ibm.com/v1/subnets/4e95744c-7e64-48c9-b5d2-3b6481b1dfde",
        "id": "4e95744c-7e64-48c9-b5d2-3b6481b1dfde",
        "name": "subnet-2",
        "resource_type": "subnet"
    },
    "transit_encryption": "stunnel",
    "virtual_network_interface": {
        "crn": "crn:[...]",
        "href": "https://us-south.iaas.cloud.ibm.com/v1/virtual_network_interface/710y-b8aa945c-7eac-4c15-bad6-a56db9d1e9bd",
        "id": "710y-b8aa945c-7eac-4c15-bad6-a56db9d1e9bd",
        "name": "enlace-traverse-oat-console",
        "resource_type": "VirtualNetworkInterface"
    },
    "vpc": {
        "crn": "crn:[...]",
        "href": "https://us-south.iaas.cloud.ibm.com/v1/vpcs/82fa21ae-a645-4dd5-9136-d48a723bf00e",
        "id": "82fa21ae-a645-4dd5-9136-d48a723bf00e",
        "name": "my-vpc-2",
        "resource_type": "vpc"
    },
    "user_tags": []
}

Creating a file share and mount target by specifying a subnet and security group

To create the mount target network interface, make a POST /shares request and specify a subnet and security group. The security groups that you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all servers where you want to mount the share.

In this example, the mount_targets property specifies a subnet ID and security group ID. When the transit_encryption property is set to user_managed, it enables encryption in transit by using an instance identity certificate. The default value is none, which disables encryption in transit.

curl -X POST "$vpc_api_endpoint/v1/shares?version=2023-08-08&generation=2"\
-H "Authorization: $iam_token" \
-d '{
    "size": 20,
    "iops": 100,
    "name": "myshare-3",
    "profile": {"name": "dp2"},
    "zone": {"name": "us-south-1"},
    "allowed_transit_encryption_modes": ["user-managed"],
    "mount_targets": [{
        "virtual_network_interface": {
            "subnet": {"id": "4e95744c-7e64-48c9-b5d2-3b6481b1dfde"},
            "security_groups": [{"id": "34c09abb-37bf-4ef6-88bb-f63a0ef28915"}]
        },
        "transit_encryption": {"user_managed"}}
      ]
    }'

The following response shows that access control mode is security_group, which is the default value.

{
    "access_control_mode": "security_group",
    "allowed_transit_encryption_modes": ["user-managed"],
    "created_at": "2023-08-08T12:55:40Z",
    "crn": "crn:[...]",
    "encryption": "provider_managed",
    "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/r006-56f91d4a-2801-470a-b368-176bde64e954",
    "id": "r006-56f91d4a-2801-470a-b368-176bde64e954",
    "initial_owner": {
        "gid": 0,
        "uid": 0
    },
    "iops": 100,
    "lifecycle_state": "pending",
    "name": "myshare-3",
    "mount_targets": [
        {
            "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/r006-56f91d4a-2801-470a-b368-176bde64e954/mount_targets/r006-b8573e2c-60ee-4ecc-9eae-c52f890a8195",
            "id": "r006-b8573e2c-60ee-4ecc-9eae-c52f890a8195",
            "name": "sticky-idealist-spoiled-sloppily",
            "resource_type": "share_target",
            "transit_encryption": {"user_managed"}
        }
    ],
    "profile": {
        "href": "https://us-south.iaas.cloud.ibm.com/v1/share/profiles/dp2",
        "name": "dp2",
        "resource_type": "share_profile"
    },
    "replication_role": "none",
    "replication_status": "none",
    "replication_status_reasons": [],
    "resource_group": {
        "crn": "crn:[...]",
        "href": "https://resource-controller.cloud.ibm.com/v2/resource_groups//678523bcbe2b4eada913d32640909956",
        "id": "678523bcbe2b4eada913d32640909956",
        "name": "Default"
    },
    "resource_type": "share",
    "size": 20,
    "snapshot_count": 10, 
    "snapshot_size": 10,
    "user_tags": [],
    "zone": {
        "href": "https://us-south.cloud.ibm.com/v1/regions/us-south/zones/us-south-1",
        "name": "us-south-1"
    }
}

Customers with special access to review the regional file share offering can use the Beta VPC API to create file shares. In the following example, the mount_targets property specifies a subnet ID and security group ID. When the transit_encryption property is set to ipsec, it enables encryption in transit by using an instance identity certificate. This option is applicable only for zonal shares. For regional shares, the allowed transit_encryption type is stunnel.

curl -X POST "$vpc_api_endpoint/v1/shares?version=2025-07-22&generation=2&maturity=beta"\
-H "Authorization: $iam_token" \
-d '{
    "size": 20,
    "iops": 100,
    "name": "my-share-3",
    "profile": {"name": "dp2"},
    "zone": {"name": "us-south-1"},
    "allowed_transit_encryption_modes": ["ipsec"],
    "mount_targets": [{
        "virtual_network_interface": {
            "subnet": {"id": "4e95744c-7e64-48c9-b5d2-3b6481b1dfde"},
            "security_groups": [{"id": "34c09abb-37bf-4ef6-88bb-f63a0ef28915"}]
        },
        "transit_encryption": {"ipsec"}}
      ]
    }'

The following response shows that access control mode is security_group, which is the default value.

{
    "access_control_mode": "security_group",
    "accessor_binding_role": "none",
    "allowed_access_protocols": ["nfs4"],
    "allowed_transit_encryption_modes": ["ipsec"],
    "availability_mode": "zonal",
    "created_at": "2025-07-22T12:55:40Z",
    "crn": "crn:[...]",
    "encryption": "provider_managed",
    "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/r006-56f91d4a-2801-470a-b368-176bde64e954",
    "id": "r006-56f91d4a-2801-470a-b368-176bde64e954",
    "initial_owner": {
        "gid": 0,
        "uid": 0
    },
    "iops": 100,
    "lifecycle_state": "pending",
    "name": "myshare-3",
    "mount_targets": [
        {
            "href": "https://us-south.iaas.cloud.ibm.com/v1/shares/r006-56f91d4a-2801-470a-b368-176bde64e954/mount_targets/r006-b8573e2c-60ee-4ecc-9eae-c52f890a8195",
            "id": "r006-b8573e2c-60ee-4ecc-9eae-c52f890a8195",
            "name": "sticky-idealist-spoiled-sloppily",
            "resource_type": "share_target",
            "transit_encryption": {"user_managed"}
        }
    ],
    "profile": {
        "href": "https://us-south.iaas.cloud.ibm.com/v1/share/profiles/dp2",
        "name": "dp2",
        "resource_type": "share_profile"
    },
    "replication_role": "none",
    "replication_status": "none",
    "replication_status_reasons": [],
    "resource_group": {
        "crn": "crn:[...]",
        "href": "https://resource-controller.cloud.ibm.com/v2/resource_groups//678523bcbe2b4eada913d32640909956",
        "id": "678523bcbe2b4eada913d32640909956",
        "name": "Default"
    },
    "resource_type": "share",
    "size": 20,
    "snapshot_count": 10, 
    "snapshot_size": 10,
    "storage_generation": 1,
    "user_tags": [],
    "zone": {
        "href": "https://us-south.cloud.ibm.com/v1/regions/us-south/zones/us-south-1",
        "name": "us-south-1"
    }
}

Creating a file share and mount target by specifying a virtual network interface

To perform this operation, you must already have a virtual network interface and that virtual network interface must not be attached to another resource.

Make a POST /shares request and create a mount target with a virtual network interface. Specify the ID of an unattached virtual network interface in the mount target's virtual_network_interface property.

curl -X POST "$vpc_api_endpoint/v1/shares?version=2023-08-08&generation=2" \
-H "Authorization: $iam_token" \
-d '{
    "size": 10,
    "name": "my-share-sc-2",
    "profile": {"name": "dp2"},
    "zone": {"name": "us-south-3"},
    "allowed_transit_encryption_modes": ["none"],
    "mount_targets": [{
        "name": "mount-target-1",
        "transit_encryption": {"none"},
        "virtual_network_interface": {"id": "0767-fa41aecb-4f21-423d-8082-630bfba1e1d9"}
      }]
    }'

Creating a file share from a snapshot with the API

For more information about how to create a file share from a snapshot, see Restoring data from a file share snapshot.

Adding supplemental IDs when you create a file share with the API

With the API, you can set UID and GID values for the initial_owner property to control access to your file shares. Wherever you mount the file share, the root folder uses that user ID and group ID owner. You set the UID or GID, or both when you create a share in a POST /shares call.

If you change the supplemental IDs (UID or GID) from the virtual server instance, it is not possible to determine that it was changed. As a result, initial_owner does not change in the API database but changes only in the file storage system.

Table 1 shows UID and GID values that you can set and values that are reserved.

Unix/Linux® supplemental ID values.
ID value Description
UID
UID 0 Reserved for root.
UID 1–99 Reserved for predefined accounts.
UID 100–999 Reserved by the system for administrative system accounts and groups.
UID 1000–10000 Used by applications account.
UID 10000+ Available for user accounts.
GID
GID 0 Reserved for root.
GID 1–99 Reserved for the system and application use.
GID 100+ Allocated for the user’s group.

To set supplemental IDs when you create a share, make a POST /shares call and specify the initial_owner property with the supplemental IDs. See the following example.

curl -X POST \
"$vpc_api_endpoint/v1/shares?version=2023-08-08&generation=2"\
-H "Authorization: $iam_token" \
-d '{
    "initial_owner": {"gid": 101,"uid": 10001},
    "size": 4800,
    "name": "share-name",
    "profile": {"name": "dp2"},
    "zone": {"name": "us-south-1"}
     .
     .
     .
   }'

Creating a file share and mount target with Terraform

To use Terraform, download the Terraform CLI and configure the IBM Cloud® Provider plug-in. For more information, see Getting started with Terraform.

VPC infrastructure services use a specific regional endpoint, which targets to us-south by default. If your VPC is created in another region, make sure to target the appropriate region in the provider block in the provider.tf file.

See the following example of targeting a region other than the default us-south.

provider "ibm" {
   region = "eu-de"
}

Creating a file share with Terraform

To create a file share, use the ibm_is_share resource. The following example creates a share with 200 GB capacity and the dp2 performance profile.

resource "ibm_is_share" "example" {
  allowed_transit_encryption_modes = "none"
  name                             = "my-new-share"
  size                             = "200"
  iops                             = "500"
  profile                          = "dp2"
  zone                             = "us-south-2"
}

Creating a file share with a replica with Terraform

To create a file share, use the ibm_is_share resource. To add a replica, define the replica share similarly to the following example. It creates a share with 220 GB capacity and the dp2 performance profile. The replica_share argument defines the replica share's name, the frequency of replication (in cron spec), the performance profile, and the zone where the replica share is to be created.

resource "ibm_is_share" "example-2" {
  allowed_transit_encryption_modes = "none"
  zone                             = "us-south-1"
  size                             = "220"
  name                             = "my-share"
  profile                          = "dp2"
  replica_share {
    name                           = "my-replica"
    replication_cron_spec          = "0 */5 * * *"
    profile                        = "dp2"
    zone                           = "us-south-3"
  }
}

Creating a file share from a snapshot with Terraform

For more information about how to create a file share from a snapshot, see Restoring data from a file share snapshot.

Creating a mount target with Terraform

To create a mount target for a file share that provides granular authentication with the use of Security groups, use the is_share_mount_target resource. The following example creates a mount target with security_group access control mode. First, specify the share for which the mount target is created. Then, you specify the name of the mount target and define the new virtual network interface by providing an IP address and a name. You must also specify the security group that you want to use to manage access to the file share that the mount target is associated to. The security groups that you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all servers where you want to mount the share. The attribute auto_delete = true means that the virtual network interface is to be deleted if the mount target is deleted.

resource "ibm_is_share_mount_target" "target-with-vni" {
     share    = ibm_is_share.is_share.ID
     name     = <share_target_name>
     virtual_network_interface {
             name = <virtual_network_interface_name>
             primary_ip {
             address = “10.240.64.5”
             auto_delete = true
             name = <reserved_ip_name>
     }
     resource_group = <resource_group_id>
     security_groups = [<security_group_ids>]
     transit_encryption = none
   }
}

You can also create a mount target for a file share with the VPC access mode by using the is_share_mount_target resource. The following example creates a mount target with the name my-share-target for the file share that is specified by its ID. When the mount target is created, all virtual server instances in the VPC can mount the share by using it.

resource "ibm_is_share_mount_target" "target-without-vni" {
     share=ibm_is_share.is_share.ID
     name = <share_target_name>
     vpc = <vpc_id>
}

For more information about the arguments and attributes, see ibm_is_share_mount_target.

Creating a file share with a mount target with security group access mode

You don't need to create the file share and the mount target separately. To create a file share with a mount target that allows for security group-based authentication within a VPC, use the ibm_is_share resource. Specify the access control mode as security_group, and define the mount target by providing a name for it, details of the virtual network interface such as name, subnet, or IP address. Also, specify the security groups that you want to use to control access to the file share. The security groups that you associate with a mount target must allow inbound access for the TCP protocol on the NFS port from all servers where you want to mount the share.

resource "ibm_is_share" "share4" {
   zone    = "us-south-2"
   size    = "800"
   name    = "my-share4"
   profile = "dp2"
   allowed_transit_encryption_modes = "user_managed"
   access_control_mode = "security_group"
   mount_target {
       name = "target"
       virtual_network_interface {
       primary_ip {
               address = 10.240.64.5
               auto_delete = true
               name = <reserved_ip_name>
       }
      resource_group = <resource_group_id>
      security_groups = [<security_group_ids>]
      transit_encryption = user_managed
      }
   }
}

For more information about the arguments and attributes, see ibm_is_share.

Creating a file share with a mount target with VPC-wide access mode

To create a file share with a mount target that is accessible to all virtual server instances within a VPC, use the ibm_is_share resource. Specify the access control mode as vpc, and define the mount target by providing a name for it and the VPC where it's going to be used in.

resource "ibm_is_share" "share3" {
    zone    = "us-south-2"
    size    = "700"
    name    = "my-share3"
    profile = "dp2"
    access_control_mode = "vpc" 
    mount_target {
          name = "target"
          vpc = <vpc_id>
    }
}

Cross-zone mounting and encryption in transit are not supported for this type of file share.

The legacy VPC access mode is not supported for regional shares.

Next steps

Mount your file shares. Mounting is a process by which a server's operating system makes files and directories on the storage device available for users to access through the server's file system. For more information, see the following topics:

Manage your file shares and data. For more information, see the following topics: