From 51bc8426e049a296bb0eb7a628a15a17bab12e74 Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 24 Dec 2025 17:52:14 +0800 Subject: [PATCH 1/6] add storage access configuration --- .../premium/backup-and-restore-premium.md | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index fad03aa08df14..11bf724132e9c 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md @@ -197,6 +197,11 @@ To restore backups from cloud storage, do the following: - **Access Key ID**: enter your access key ID. - **Access Key Secret**: enter your access key secret. +> **Tip:** +> +> To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud Object Storage Service (OSS) access](#configure-alibaba-cloud-object-storage-service-oss-access). + + 3. Click **Verify Backup and Next**. 4. If the verification is successful, the **Restore to a New Instance** page appears. Review the backup information displayed at the top of the page, and then follow the steps in [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) to restore the backup to a new instance. 
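Review bot: in the Tip added at line 200, "see [Configure Amazon S3 access ...] and [Configure Alibaba Cloud ... OSS access]" reads as if both procedures are required, while a reader needs only the one for the provider holding the backup; prefer "see ... or ..., depending on where your backup is stored". The hunk also leaves two blank lines between the Tip and step 3 (patch 3 of this series removes one of them); drop the extra line here instead.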
@@ -208,3 +213,85 @@ To restore backups from cloud storage, do the following: ## Limitations Currently, manual backups are not supported for {{{ .premium }}} instances. + +## References + +### Configure Amazon S3 access using an AWS access key + +It is recommended that you use an IAM user (instead of the AWS account root user) to create an access key. + +Take the following steps to configure an access key: + +1. **Create an IAM user and access key.** + - Create an IAM user. For more information, see [creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). + - Use your AWS account ID or account alias, and your IAM user name and password to sign in to [the IAM console](https://console.aws.amazon.com/iam). + - Create an access key. For more information, see [creating an access key for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). + +2. **Grant permissions to the IAM user.** + Create a policy and attach it to the IAM user. Ensure the policy includes the required permissions based on your task: + - **To restore data** to a TiDB Cloud instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. + + The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. 
+ + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowGetBucketLocation", + "Effect": "Allow", + "Action": "s3:GetBucketLocation", + "Resource": "arn:aws:s3:::" + }, + { + "Sid": "AllowListPrefix", + "Effect": "Allow", + "Action": "s3:ListBucket", + "Resource": "arn:aws:s3:::", + "Condition": { + "StringLike": { + "s3:prefix": "/*" + } + } + }, + { + "Sid": "AllowReadObjectsInPrefix", + "Effect": "Allow", + "Action": "s3:GetObject", + "Resource": "arn:aws:s3::://*" + } + ] + } + ``` + + > **Tip:** + > + > In the policy above, replace `` and `` with your actual bucket name and backup directory. This configuration follows the principle of least privilege by restricting access to only the necessary backup files. + +> **Note:** +> +> TiDB Cloud does not store your access keys. It is recommended that you [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export is complete. + +### Configure Alibaba Cloud Object Storage Service (OSS) access + +To allow TiDB Cloud to access your Alibaba Cloud OSS bucket, you need to create an AccessKey pair for the bucket. + +Take the following steps to configure an AccessKey pair: + +1. Create a RAM user and get the AccessKey pair. For more information, see [Create a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-ram-user). + + In the **Access Mode** section, select **Using permanent AccessKey to access**. + +2. Create a custom policy with the required permissions. For more information, see [Create custom policies](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-custom-policy). + + - In the **Effect** section, select **Allow**. + - In the **Service** section, select **Object Storage Service**. + - In the **Action** section, select the permissions as needed. + - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. 
+ - In the **Resource** section, select the bucket and the objects in the bucket. + + > **Tip** + > + > For restore operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. + +3. Attach the custom policies to the RAM user. For more information, see [Grant permissions to a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/grant-permissions-to-the-ram-user). From 1e988598606d2a3ecc9b4d3dee4d80ddc00bb607 Mon Sep 17 00:00:00 2001 From: Cheng Weiwei <65707268+wildpcww@users.noreply.github.com> Date: Wed, 24 Dec 2025 18:19:18 +0800 Subject: [PATCH 2/6] add an json example --- .../premium/backup-and-restore-premium.md | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index 11bf724132e9c..77cd75328a499 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md 
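Review bot: the Note after the S3 example policy tells the user to delete the access key "after the import or export is complete", but this page covers restore, and the link points at the `#Using_CreateAccessKey` anchor (creating keys) rather than the part of that page about deactivating or deleting them; change the wording to "after the restore is complete" and link to the delete section. In the policy and the Tip that follows it, the bucket and folder placeholders render as empty (`"Resource": "arn:aws:s3:::"`, `"s3:prefix": "/*"`, "replace `` and ``"), so the reader cannot see which two values to substitute; write the placeholders in a form that survives rendering, and state that the folder used in the `s3:prefix` condition and in the `s3:GetObject` resource must match the folder entered in the restore form, otherwise `ListBucket` is denied and verification fails. In the OSS section, "create an AccessKey pair for the bucket" should read "for a RAM user": AccessKey pairs belong to RAM users, as step 1 itself says, not to buckets.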
@@ -288,10 +288,36 @@ Take the following steps to configure an AccessKey pair: - In the **Service** section, select **Object Storage Service**. - In the **Action** section, select the permissions as needed. - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. - - In the **Resource** section, select the bucket and the objects in the bucket. - > **Tip** - > - > For restore operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. + The following is a **JSON example for a Restore task**. This example restricts access to a specific bucket and backup folder: + + ```json + { + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": "oss:ListObjects", + "Resource": "acs:oss:*:*:", + "Condition": { + "StringLike": { + "oss:Prefix": "/*" + } + } + }, + { + "Effect": "Allow", + "Action": "oss:GetObject", + "Resource": "acs:oss:*:*://*" + } + ] + } + ``` + + > **Tip:** + > + > For **restore** operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. + + - In the **Resource** section, select the bucket and the objects in the bucket. 3. Attach the custom policies to the RAM user. For more information, see [Grant permissions to a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/grant-permissions-to-the-ram-user). From 2ad5028a10960d810728313b1c748c84b2281702 Mon Sep 17 00:00:00 2001 From: xixirangrang Date: Thu, 25 Dec 2025 09:13:53 +0800 Subject: [PATCH 3/6] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- tidb-cloud/premium/backup-and-restore-premium.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
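Review bot: the OSS JSON example's `Resource` values (`acs:oss:*:*:` and `acs:oss:*:*://*`) and the `oss:Prefix` value `/*` render with empty bucket and folder placeholders, and unlike the S3 section nothing tells the reader which values to substitute; add the equivalent of the S3 sentence ("replace ... with your actual bucket name and backup directory"). Moving the "In the **Resource** section" bullet below the JSON block also interrupts the console sub-steps with a full policy document; place the JSON example after the complete bullet list so the console path and the JSON path each read as one unit.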
diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index 77cd75328a499..98ab06726de99 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md @@ -201,7 +201,6 @@ To restore backups from cloud storage, do the following: > > To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud Object Storage Service (OSS) access](#configure-alibaba-cloud-object-storage-service-oss-access). - 3. Click **Verify Backup and Next**. 4. If the verification is successful, the **Restore to a New Instance** page appears. Review the backup information displayed at the top of the page, and then follow the steps in [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) to restore the backup to a new instance. @@ -231,7 +230,7 @@ Take the following steps to configure an access key: Create a policy and attach it to the IAM user. Ensure the policy includes the required permissions based on your task: - **To restore data** to a TiDB Cloud instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. - The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. + The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. ```json { @@ -253,7 +252,7 @@ Take the following steps to configure an access key: "s3:prefix": "/*" } } - }, + } { "Sid": "AllowReadObjectsInPrefix", "Effect": "Allow", 
@@ -272,7 +271,7 @@ Take the following steps to configure an access key: > > TiDB Cloud does not store your access keys. It is recommended that you [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export is complete. -### Configure Alibaba Cloud Object Storage Service (OSS) access +### Configure Alibaba Cloud Object Storage Service (OSS) access To allow TiDB Cloud to access your Alibaba Cloud OSS bucket, you need to create an AccessKey pair for the bucket. From 45448ea16c5deb779186deddd698e9570521999a Mon Sep 17 00:00:00 2001 From: houfaxin Date: Mon, 29 Dec 2025 08:31:48 +0800 Subject: [PATCH 4/6] Update backup and restore guide for clarity and accuracy Revised section titles and references for Amazon S3 and Alibaba Cloud OSS access configuration. Improved step formatting, clarified permission requirements, and updated example policy instructions for both cloud providers. Enhanced overall readability and consistency in the backup and restore documentation. --- .../premium/backup-and-restore-premium.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index 98ab06726de99..820f9f96468db 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md 
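Review bot: the suggested change at `@@ -253,7 +252,7 @@` replaces `},` with `}` after the `AllowListPrefix` statement, which removes the comma between two elements of the `Statement` array and turns the example policy into invalid JSON that the IAM policy editor will reject on paste; keep the comma. The other two changes in this patch (the duplicate blank line after the Tip and the trailing spaces after "S3 bucket." and the OSS heading) are fine.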
@@ -199,7 +199,7 @@ To restore backups from cloud storage, do the following: > **Tip:** > -> To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud Object Storage Service (OSS) access](#configure-alibaba-cloud-object-storage-service-oss-access). +> To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud OSS access](#configure-alibaba-cloud-oss-access). 3. Click **Verify Backup and Next**. 
@@ -215,22 +215,25 @@ Currently, manual backups are not supported for {{{ .premium }}} instances. ## References +This section describes how to configure Amazon S3 access using an AWS access key and Alibaba Cloud OSS access. + ### Configure Amazon S3 access using an AWS access key It is recommended that you use an IAM user (instead of the AWS account root user) to create an access key. Take the following steps to configure an access key: -1. **Create an IAM user and access key.** - - Create an IAM user. For more information, see [creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). - - Use your AWS account ID or account alias, and your IAM user name and password to sign in to [the IAM console](https://console.aws.amazon.com/iam). - - Create an access key. For more information, see [creating an access key for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). +1. Create an IAM user and access key. + + 1. Create an IAM user. For more information, see [Create an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). + 2. Use your AWS account ID or account alias, and your IAM user name and password to sign in to [the IAM console](https://console.aws.amazon.com/iam). + 3. Create an access key. For more information, see [creating an access key for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). + +2. Grant permissions to the IAM user. -2. **Grant permissions to the IAM user.** - Create a policy and attach it to the IAM user. Ensure the policy includes the required permissions based on your task: - - **To restore data** to a TiDB Cloud instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. + Create a policy and attach it to the IAM user. 
Ensure that the policy includes the required permissions based on your task. To restore data to a {{{ .premium }}} instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. - The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your S3 bucket. + The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your Amazon S3 bucket. ```json { @@ -263,15 +266,13 @@ Take the following steps to configure an access key: } ``` - > **Tip:** - > - > In the policy above, replace `` and `` with your actual bucket name and backup directory. This configuration follows the principle of least privilege by restricting access to only the necessary backup files. + In the preceding policy, replace `` and `` with your actual bucket name and backup directory. This configuration follows the principle of least privilege by restricting access to only the necessary backup files. > **Note:** > > TiDB Cloud does not store your access keys. It is recommended that you [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export is complete. -### Configure Alibaba Cloud Object Storage Service (OSS) access +### Configure Alibaba Cloud OSS access To allow TiDB Cloud to access your Alibaba Cloud OSS bucket, you need to create an AccessKey pair for the bucket. 
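Review bot: this hunk changes "To restore data to a TiDB Cloud instance" to "to a {{{ .premium }}} instance" in the S3 step, but the OSS step rewritten in the next hunk of the same patch still says "To restore a backup to a TiDB Cloud instance"; use the same variable in both places. The new lead sentence "This section describes how to configure Amazon S3 access using an AWS access key and Alibaba Cloud OSS access." only repeats the two headings that follow; either drop it or say which subsection applies to which storage provider.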
@@ -285,10 +286,9 @@ Take the following steps to configure an AccessKey pair: - In the **Effect** section, select **Allow**. - In the **Service** section, select **Object Storage Service**. - - In the **Action** section, select the permissions as needed. - - To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. + - In the **Action** section, select the permissions as needed. To restore a backup to a TiDB Cloud instance, grant `oss:ListObjects` and `oss:GetObject` permissions. - The following is a **JSON example for a Restore task**. This example restricts access to a specific bucket and backup folder: + The following is a JSON example for a Restore task. This example restricts access to a specific bucket and backup folder. ```json { From 71427712dce46a89d2c7c17deecc34e4aa9117e1 Mon Sep 17 00:00:00 2001 From: houfaxin Date: Mon, 29 Dec 2025 09:02:06 +0800 Subject: [PATCH 5/6] Update backup-and-restore-premium.md --- tidb-cloud/premium/backup-and-restore-premium.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index 820f9f96468db..08a9fb03a6887 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md 
@@ -227,13 +227,13 @@ Take the following steps to configure an access key: 1. Create an IAM user. For more information, see [Create an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console). 2. Use your AWS account ID or account alias, and your IAM user name and password to sign in to [the IAM console](https://console.aws.amazon.com/iam). - 3. Create an access key. For more information, see [creating an access key for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). + 3. Create an access key. For more information, see [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey). 2. Grant permissions to the IAM user. Create a policy and attach it to the IAM user. Ensure that the policy includes the required permissions based on your task. To restore data to a {{{ .premium }}} instance, grant `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions. - The following is an example policy that allows TiDB Cloud to **restore** data from a specific folder in your Amazon S3 bucket. + The following is an example policy that allows TiDB Cloud to restore data from a specific folder in your Amazon S3 bucket. ```json { From 535278d320015482188a8d5c8c2e32d80f6a9dcf Mon Sep 17 00:00:00 2001 From: houfaxin Date: Mon, 29 Dec 2025 09:03:12 +0800 Subject: [PATCH 6/6] Update backup-and-restore-premium.md --- tidb-cloud/premium/backup-and-restore-premium.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md index 08a9fb03a6887..3aafdf951b4f1 100644 --- a/tidb-cloud/premium/backup-and-restore-premium.md +++ b/tidb-cloud/premium/backup-and-restore-premium.md 
@@ -315,7 +315,7 @@ Take the following steps to configure an AccessKey pair: > **Tip:** > - > For **restore** operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. + > For restore operations, you can enhance security by restricting access to only the specific folder (prefix) where your backup files are stored, rather than granting access to the entire bucket. - In the **Resource** section, select the bucket and the objects in the bucket.
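Review bot: the Tip at line 315 ("restricting access to only the specific folder (prefix)") restates what the JSON example directly above it already enforces through the `oss:Prefix` condition on `oss:ListObjects` and the object-level resource on `oss:GetObject`; fold that sentence into the line introducing the example ("This example restricts access to a specific bucket and backup folder") and remove the separate Tip, which makes the bold-removal in this patch unnecessary.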