Cockroach Labs recommends enabling Egress Perimeter Controls on CockroachDB Advanced clusters to mitigate the risk of data exfiltration when accessing external resources, such as cloud storage for change data capture or backup and restore operations. See for detail and setup instructions.
URL format
URLs for the files you want to import must use the format shown below. For examples, see Example file URLs.You can disable the use of implicit credentials when accessing external cloud storage services for various operations by using the .
disabled, then imports from local directories and NFS drives are disabled.
2 Using a nodeID is required and the data files will be in the extern directory of the specified node. In most cases (including single-node clusters), using nodelocal://1/<path is sufficient. If every node has the flag pointed to a common NFS mount, or other form of network-backed, shared, or synchronized storage, you can use the word self instead of a node ID to indicate that each node should write individual data files to its own extern directory.
3 The AWS_REGION parameter is optional since it is not a required parameter for most S3-compatible services. Specify the parameter only if your S3-compatible service requires it.
Example file URLs
Example URLs for , , or given a bucket or container name ofacme-co and an employees subdirectory:
For detail on forming the URLs and the different authentication methods, refer to the page.
Example URLs for and given a bucket or container name of
acme-co and a filename of employees:
Example URLs for :
HTTP storage can only be used for and .
Encryption
Transport Layer Security (TLS) is used for encryption in transit when transmitting data to or from Amazon S3, Google Cloud Storage, and Azure. For encryption at rest, if your cloud provider offers transparent data encryption, you can use that to ensure that your backups are not stored on disk in cleartext. CockroachDB also provides client-side encryption of backup data, for more information, see .Storage permissions
This section describes the minimum permissions required to run CockroachDB operations. While we provide the required permissions for Amazon S3 and Google Cloud Storage, the provider’s documentation provides detail on the setup process and different options regarding access management. Depending on the actions an operation performs, it will require different access permissions to a cloud storage bucket. This table outlines the actions that each operation performs against the storage bucket:- Amazon S3
- Google Cloud Storage
These actions are the minimum access permissions to be set in an Amazon S3 bucket policy:
See Policies and Permissions in Amazon S3 for detail on setting policies and permissions in Amazon S3.An example S3 bucket policy for a backup:
Additional cloud storage feature support
Immutable storage
To complete a backup successfully,BACKUP requires to cloud storage buckets. Delete and overwrite permissions are not required. As a result, you can write backups to cloud storage buckets with object locking enabled. This allows you to store backup data using a write-once-read-many (WORM) model, which refers to storage that prevents any kind of deletion, encryption or modification to the objects once written.
We recommend enabling object locking in cloud storage buckets to protect the validity of a backup for restores.
- AWS S3 Object Lock
- Retention policies and Bucket Lock in Google Cloud Storage
- Immutable storage in Azure Storage
Amazon S3 storage classes
When storing objects in Amazon S3 buckets during , , and , you can specify theS3_STORAGE_CLASS={class} parameter in the URI to configure a storage class type.
The following S3 connection URI uses the INTELLIGENT_TIERING storage class:
Incremental backups and archive storage classes
are not compatible with the S3 Glacier Flexible Retrieval or Glacier Deep Archive storage classes. Incremental backups require the reading of previous backups on an ad-hoc basis, which is not possible with backup files already in Glacier Flexible Retrieval or Glacier Deep Archive. This is because these storage classes do not allow immediate access to an S3 object without first restoring the archived object to its S3 bucket. Refer to the AWS documentation on Restoring an archived object for steps. When you are restoring archived backup files from Glacier Flexible Retrieval or Glacier Deep Archive back to an S3 bucket, you must restore both the full backup and incremental backup layers for that backup. By default, CockroachDB stores the incremental backup layers in a separate top-level directory at the backup’s storage location. Refer to for detail on the backup directory structure at its storage location. Once you have restored all layers of a backup’s archived files back to its S3 bucket, you can then the backup to your CockroachDB cluster.Supported storage classes
This table lists the valid CockroachDB parameters that map to an S3 storage class:
You can view an object’s storage class in the Amazon S3 Console from the object’s Properties tab. Alternatively, use the AWS CLI to list objects in a bucket, which will also display the storage class:

