From 51bc8426e049a296bb0eb7a628a15a17bab12e74 Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 24 Dec 2025 17:52:14 +0800 Subject: [PATCH 1/3] add storage access configuration --- .../premium/backup-and-restore-premium.md | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index fad03aa08df14..11bf724132e9c 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md @@ -197,6 +197,11 @@ To restore backups from cloud storage, do the following: - **Access Key ID**: enter your access key ID. - **Access Key Secret**: enter your access key secret. +> **Tip:** +> +> To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud Object Storage Service (OSS) access](#configure-alibaba-cloud-object-storage-service-oss-access). + + 3. Click **Verify Backup and Next**. 4. If the verification is successful, the **Restore to a New Instance** page appears. Review the backup information displayed at the top of the page, and then follow the steps in [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) to restore the backup to a new instance. 
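Review bot: in the `@@ -197,6 +197,11 @@` hunk of patch 1/3 the added `> **Tip:**` blockquote starts at column 0 between the step-2 bullets (`- **Access Key Secret**: ...`) and `3. Click **Verify Backup and Next**.`, so it is not part of step 2 and splits the numbered list. Indent the three `>` lines to the same level as the bullets above them so the tip renders inside step 2, and keep a single blank line before step 3 instead of the two added here.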
@@ -208,3 +213,85 @@ To restore backups from cloud storage, do the following: ## Limitations Currently, manual backups are not supported for {{{ .premium }}} instances. + +## References + +### Configure Amazon S3 access using an AWS access key + +It is recommended that you use an IAM user (instead of the AWS account root user) to create an access key. + +Take the following steps to configure an access key: + +1. **Create an IAM user and access key.** + - Create an IAM user. For more information, see [creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). + - Use your AWS account ID or account alias, and your IAM user name and password to sign in to [the IAM console](https://console.aws.amazon.com/iam). + - Create an access key. For more information, see [creating an access key for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). + +2. **Grant permissions to the IAM user.** + Create a policy and attach it to the IAM user. Ensure the policy includes the required permissions based on your task: + - **To restore data** to a TiDB Cloud instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. + + The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. 
+ + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowGetBucketLocation", + "Effect": "Allow", + "Action": "s3:GetBucketLocation", + "Resource": "arn:aws:s3:::" + }, + { + "Sid": "AllowListPrefix", + "Effect": "Allow", + "Action": "s3:ListBucket", + "Resource": "arn:aws:s3:::", + "Condition": { + "StringLike": { + "s3:prefix": "/*" + } + } + }, + { + "Sid": "AllowReadObjectsInPrefix", + "Effect": "Allow", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3::://*" + } + ] + } + ``` + + > **Tip:** + > + > In the policy above, replace `` and `` with your actual bucket name and backup directory. This configuration follows the principle of least privilege by restricting access to only the necessary backup files. + +> **Note:** +> +> TiDB Cloud does not store your access keys. It is recommended that you [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export is complete. + +### Configure Alibaba Cloud Object Storage Service (OSS) access + +To allow TiDB Cloud to access your Alibaba Cloud OSS bucket, you need to create an AccessKey pair for the bucket. + +Take the following steps to configure an AccessKey pair: + +1. Create a RAM user and get the AccessKey pair. For more information, see [Create a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-ram-user). + + In the **Access Mode** section, select **Using permanent AccessKey to access**. + +2. Create a custom policy with the required permissions. For more information, see [Create custom policies](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-custom-policy). + + - In the **Effect** section, select **Allow**. + - In the **Service** section, select **Object Storage Service**. + - In the **Action** section, select the permissions as needed. + - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. 
+ - In the **Resource** section, select the bucket and the objects in the bucket. + + > **Tip** + > + > For restore operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. + +3. Attach the custom policies to the RAM user. For more information, see [Grant permissions to a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/grant-permissions-to-the-ram-user). From 1e988598606d2a3ecc9b4d3dee4d80ddc00bb607 Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 24 Dec 2025 18:19:18 +0800 Subject: [PATCH 2/3] add a JSON example --- .../premium/backup-and-restore-premium.md | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index 11bf724132e9c..77cd75328a499 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md 
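Review bot: in the `@@ -208,3 +213,85 @@` hunk of patch 1/3 the S3 example policy and its tip carry empty placeholders: the resources read `"arn:aws:s3:::"` and `"arn:aws:s3::://*"`, the list condition reads `"s3:prefix": "/*"`, and the tip says "replace `` and `` with your actual bucket name and backup directory". As the lines stand a reader cannot tell what to substitute, and `arn:aws:s3::://*` is not a well-formed ARN. Put explicit placeholders such as `<bucket-name>` and `<backup-directory>` (inside backticks so they survive rendering) in all three statements and in the tip, and say that the `AllowListPrefix` condition and the `AllowReadObjectsInPrefix` resource must use the same directory value, otherwise listing succeeds but the object reads are denied. Two smaller points in the same hunk: the closing `> **Note:**` tells the reader to delete the access key "after the import or export is complete", but this section is about restoring a backup, so it should say "after the restore is complete"; and the "delete the access key" link there points at `#Using_CreateAccessKey`, the same anchor used earlier for creating a key, so it needs the deletion anchor instead. Also, in the OSS section, "create an AccessKey pair for the bucket" is inaccurate because an AccessKey pair belongs to a RAM user, not to a bucket; "create an AccessKey pair for a RAM user that is granted access to the bucket" matches step 1 below it.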
@@ -288,10 +288,36 @@ Take the following steps to configure an AccessKey pair: - In the **Service** section, select **Object Storage Service**. - In the **Action** section, select the permissions as needed. - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. - - In the **Resource** section, select the bucket and the objects in the bucket. - > **Tip** - > - > For restore operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. + The following is a **JSON example for a Restore task**. This example restricts access to a specific bucket and backup folder: + + ```json + { + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": "oss:ListObjects", + "Resource": "acs:oss:*:*:", + "Condition": { + "StringLike": { + "oss:Prefix": "/*" + } + } + }, + { + "Effect": "Allow", + "Action": "oss:GetObject", + "Resource": "acs:oss:*:*://*" + } + ] + } + ``` + + > **Tip:** + > + > For **restore** operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. + + - In the **Resource** section, select the bucket and the objects in the bucket. 3. Attach the custom policies to the RAM user. For more information, see [Grant permissions to a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/grant-permissions-to-the-ram-user). From 2ad5028a10960d810728313b1c748c84b2281702 Mon Sep 17 00:00:00 2001 From: xixirangrang Date: Thu, 25 Dec 2025 09:13:53 +0800 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/premium/backup-and-restore-premium.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
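Review bot: in the `@@ -288,10 +288,36 @@` hunk of patch 2/3 the JSON policy is inserted under the `- In the **Action** section` bullet and the `- In the **Resource** section` bullet is moved after it, so the procedure now asks the reader to pick a resource in the console after they have already been shown a complete policy that names the bucket and prefix. The Effect/Service/Action/Resource bullets describe the visual policy editor, while the JSON is the script form of the same policy; keep the `Resource` bullet where it was, directly after `Action`, and introduce the JSON after the last bullet as the equivalent script you can paste instead of clicking through those sections. The same empty-placeholder problem as in the S3 example applies here: `"acs:oss:*:*:"`, `"oss:Prefix": "/*"` and `"acs:oss:*:*://*"` need visible `<bucket-name>` and `<backup-directory>` placeholders, and the lead sentence should tell the reader to replace them. The `oss:ListObjects` statement is correctly scoped to the bucket with an `oss:Prefix` condition and `oss:GetObject` to the objects under that prefix, which is the least-privilege split the tip describes.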
diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index 77cd75328a499..98ab06726de99 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md @@ -201,7 +201,6 @@ To restore backups from cloud storage, do the following: > > To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud Object Storage Service (OSS) access](#configure-alibaba-cloud-object-storage-service-oss-access). - 3. Click **Verify Backup and Next**. 4. If the verification is successful, the **Restore to a New Instance** page appears. Review the backup information displayed at the top of the page, and then follow the steps in [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) to restore the backup to a new instance. @@ -231,7 +230,7 @@ Take the following steps to configure an access key: Create a policy and attach it to the IAM user. Ensure the policy includes the required permissions based on your task: - **To restore data** to a TiDB Cloud instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. - The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. + The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. ```json { @@ -253,7 +252,7 @@ Take the following steps to configure an access key: "s3:prefix": "/*" } } - }, + } { "Sid": "AllowReadObjectsInPrefix", "Effect": "Allow", 
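Review bot: the `@@ -253,7 +252,7 @@` hunk of patch 3/3 changes `},` to `}` at the end of the `AllowListPrefix` statement, but the next line in the hunk opens another object (`{` followed by `"Sid": "AllowReadObjectsInPrefix"`) in the same `Statement` array, so the comma is mandatory and the example policy no longer parses as JSON; anyone pasting it into the IAM console will get a syntax error. Revert that line to `},`. The suggestion came from an automated review comment, so please re-check the whole policy with a JSON validator before merging rather than applying suggestions blind.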
@@ -272,7 +271,7 @@ Take the following steps to configure an access key: > > TiDB Cloud does not store your access keys. It is recommended that you [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export is complete. -### Configure Alibaba Cloud Object Storage Service (OSS) access +### Configure Alibaba Cloud Object Storage Service (OSS) access To allow TiDB Cloud to access your Alibaba Cloud OSS bucket, you need to create an AccessKey pair for the bucket.