116 changes: 115 additions & 1 deletion tidb-cloud/premium/backup-and-restore-premium.md
@@ -192,11 +192,15 @@ To restore backups from cloud storage, do the following:
2. On the **Select Backup Storage Location** page, provide the following information:

- **Cloud Provider**: select the cloud provider where your backup files are stored.
- **Region**: if your cloud provider is Alibaba Cloud OSS, select a Region.
- **Region**: if your cloud provider is Alibaba Cloud OSS, select a region.
- **Backup Files URI**: enter the URI of the top-level folder that contains your backup files.
- **Access Key ID**: enter your access key ID.
- **Access Key Secret**: enter your access key secret.

> **Tip:**
>
> To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud OSS access](#configure-alibaba-cloud-oss-access).

3. Click **Verify Backup and Next**.

4. If the verification is successful, the **Restore to a New Instance** page appears. Review the backup information displayed at the top of the page, and then follow the steps in [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) to restore the backup to a new instance.
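Review bot: the Tip in this hunk says "To create an access key for your storage bucket", but the OSS section it links to calls the credential an "AccessKey pair" and issues it to a RAM user rather than to a bucket; consider wording it as "To create access credentials with only the permissions this restore needs, see ..." so the sentence matches both linked sections and signals that the key is expected to be scoped, not a general-purpose one.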
@@ -208,3 +212,113 @@ To restore backups from cloud storage, do the following:
## Limitations

Currently, manual backups are not supported for {{{ .premium }}} instances.

## References

This section describes how to configure access for Amazon S3 and Alibaba Cloud OSS.

### Configure Amazon S3 access using an AWS access key

It is recommended that you use an IAM user, rather than the AWS account root user, to create an access key.

Take the following steps to configure an access key:

1. Create an IAM user and access key.

1. Create an IAM user. For more information, see [Create an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).
2. Sign in to the [IAM console](https://console.aws.amazon.com/iam) using your AWS account ID or account alias, and your IAM user name and password.
3. Create an access key. For more information, see [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).

2. Grant permissions to the IAM user.

Create a policy with only the permissions required for your task and attach it to the IAM user. To restore data to a {{{ .premium }}} instance, grant the `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions.

The following is an example policy that allows TiDB Cloud to restore data from a specific folder in your Amazon S3 bucket.

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGetBucketLocation",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::<Your S3 bucket name>"
},
{
"Sid": "AllowListPrefix",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<Your S3 bucket name>",
"Condition": {
"StringLike": {
"s3:prefix": "<Your backup folder>/*"
}
}
},
{
"Sid": "AllowReadObjectsInPrefix",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<Your S3 bucket name>/<Your backup folder>/*"
}
]
}
```

In the preceding policy, replace `<Your S3 bucket name>` and `<Your backup folder>` with your actual bucket name and backup directory. This configuration follows the principle of least privilege by limiting access to only the necessary backup files.

> **Note:**
>
> TiDB Cloud does not store your access keys. To maintain security, [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export task is complete.

### Configure Alibaba Cloud OSS access

To grant TiDB Cloud access to your Alibaba Cloud OSS bucket, you need to create an AccessKey pair for the bucket.

Take the following steps to configure an AccessKey pair:

1. Create a RAM user and obtain the AccessKey pair. For more information, see [Create a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-ram-user).

In the **Access Mode** section, select **Using permanent AccessKey to access**.

2. Create a custom policy with the required permissions. For more information, see [Create custom policies](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-custom-policy).

- In the **Effect** section, select **Allow**.
- In the **Service** section, select **Object Storage Service**.
- In the **Action** section, select the required permissions. To restore a backup to a TiDB Cloud instance, grant the `oss:ListObjects` and `oss:GetObject` permissions.

> **Tip:**
>
> To enhance security for restore operations, you can restrict access to the specific folder (`oss:Prefix`) where your backup files are stored rather than granting access to the entire bucket.

The following JSON example shows a policy for a restore task. This policy restricts access to a specific bucket and backup folder.

```json
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:ListObjects",
"Resource": "acs:oss:*:*:<Your bucket name>",
"Condition": {
"StringLike": {
"oss:Prefix": "<Your backup folder>/*"
}
}
},
{
"Effect": "Allow",
"Action": "oss:GetObject",
"Resource": "acs:oss:*:*:<Your bucket name>/<Your backup folder>/*"
}
]
}
```

- In the **Resource** section, select the bucket and the specific objects in the bucket.

3. Attach the custom policies to the RAM user.

For more information, see [Grant permissions to a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/grant-permissions-to-the-ram-user).
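Review bot: the Note under the S3 policy tells the reader to delete the access key "after the import or export task is complete", but this page and the policy above cover a restore task; change it to "after the restore task is complete", and add the same reminder to the OSS section, which currently has no equivalent. The "delete the access key" link also reuses the `#Using_CreateAccessKey` anchor that the create-key step already points to, so it lands on key creation rather than deletion. Two smaller points: the "- In the **Resource** section, select the bucket and the specific objects in the bucket." bullet is separated from the Effect/Service/Action bullets by the JSON example, so moving it above "The following JSON example shows a policy for a restore task." keeps the console steps together; and "create an AccessKey pair for the bucket" in the OSS intro should read "for a RAM user", since AccessKey pairs belong to RAM users, not buckets.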