When backing up to and/or restoring from external cloud storage, generally speaking, both YugabyteDB Anywhere (YBA) and database nodes require permissions to write to and read from the external storage.

When backing up to an NFS storage target, only database nodes need access to the NFS storage.

When backing up to and/or restoring from NFS storage, the NFS storage system must be configured to allow the following access:

  • The yugabyte user (and its UID) on the database cluster nodes needs to have read and write permissions for the NFS volume.
  • The NFS volume must be mounted on the database cluster nodes.

(This guidance is intentionally repeated in Prepare Servers for On-Premises provider, where it may be more suitable for some readers.)

When backing up to and/or restoring from AWS S3, YBA and DB nodes must be able to write to and read from the S3 storage bucket.

To grant the required access, you can do one of the following:

  • Provide a service account with the following permissions.
  • Create the EC2 VM instances (for both the YBA VM and the DB node VMs) with an IAM role with the required permissions.

The following permissions are required:

"s3:DeleteObject",
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation"

The Access key ID and Secret Access Key for the service account are used when creating a backup storage configuration for S3.

| Save for later | To configure |
| --- | --- |
| Service account Access key ID and Secret Access Key | Storage configuration for S3 |
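
The following check is an added example, not part of the YugabyteDB documentation: it audits an IAM policy document for the five S3 permissions listed above and flags grants that are wider than needed. It goes one step beyond the page by assuming the standard IAM scoping rule that s3:ListBucket and s3:GetBucketLocation are evaluated against the bucket ARN while the object actions are evaluated against object ARNs; the bucket name, the function names and the three sample policies are constructed.

```python
import fnmatch

# Required actions from the page, grouped by the S3 resource type each one
# is evaluated against (the grouping is standard IAM behaviour, added here).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:DeleteObject", "s3:PutObject", "s3:GetObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return (missing_actions, overbroad_sids) for one backup bucket.
    Simplification: only Allow statements are read; Deny and Condition are ignored."""
    probes = {a: f"arn:aws:s3:::{bucket}" for a in BUCKET_ACTIONS}
    probes.update({a: f"arn:aws:s3:::{bucket}/probe-object" for a in OBJECT_ACTIONS})
    granted, overbroad = set(), []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action, arn in probes.items():
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in actions) and \
               any(fnmatch.fnmatchcase(arn, r) for r in resources):
                granted.add(action)
        # Wildcard actions or a bare "*" resource exceed what the page requires.
        if any("*" in a for a in actions) or "*" in resources:
            overbroad.append(stmt.get("Sid", f"statement[{i}]"))
    return sorted(set(probes) - granted), overbroad

BUCKET = "example-yb-backups"  # constructed bucket name
ALL = sorted(BUCKET_ACTIONS | OBJECT_ACTIONS)

# Constructed policy: bucket-level and object-level actions on the right ARNs.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Bucket", "Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "Objects", "Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
# Constructed policy: all five actions, but only on the object ARN.
OBJECT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "All", "Effect": "Allow", "Action": ALL,
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
# Constructed policy: works, but grants far more than the five actions.
WIDE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("SCOPED", SCOPED), ("OBJECT_ONLY", OBJECT_ONLY), ("WIDE", WIDE)]:
        print(name, audit_policy(pol, BUCKET))
```

A policy that lists all five actions only on the object ARN still leaves the two bucket-level actions ungranted, which the checker reports as missing.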

When backing up to and/or restoring from GCP GCS, YBA and database nodes must be able to write to and read from the GCS storage bucket.

To grant the required access, create a GCP service account with IAM roles for cloud storage with the following permissions:

roles/storage.admin

The credentials for this account (in JSON format) are used when creating a backup storage configuration for GCS.

| Save for later | To configure |
| --- | --- |
| Storage service account JSON credentials | Storage configuration for GCS |

For database clusters deployed to GKE, you can alternatively assign the appropriate IAM roles to the YugabyteDB Anywhere VM and the YugabyteDB nodes.

When backing up to and/or restoring from Azure Storage, YBA and DB nodes must be able to write to and read from the storage blob.

To grant the required access, create a Shared Access Signature (SAS) token with the permissions as shown in the following illustration.

[Illustration: Azure Shared Access Signature page]

The Connection string and SAS token are used when creating a backup storage configuration for Azure.

| Save for later | To configure |
| --- | --- |
| Azure storage Connection string and SAS token | Storage configuration for Azure |