
Backup Storages

TiDB supports storing backup data to Amazon S3, Google Cloud Storage (GCS), Azure Blob Storage, and NFS. Specifically, you can specify the URI of backup storage in the `--storage` or `-s` parameter of `br` commands. This document introduces the URI format and authentication of different external storage services, and server-side encryption.

Send credentials to TiKV

| CLI parameter | Description | Default value |
| --- | --- | --- |
| `--send-credentials-to-tikv` | Controls whether to send credentials obtained by BR to TiKV. | `true` |

By default, BR sends a credential to each TiKV node when using Amazon S3, GCS, or Azure Blob Storage as the storage system. This behavior simplifies the configuration and is controlled by the parameter `--send-credentials-to-tikv` (or `-c` in short).

Note that this operation is not applicable to cloud environments. If you use IAM Role authorization, each node has its own role and permissions. In this case, you need to configure `--send-credentials-to-tikv=false` (or `-c=0` in short) to disable sending credentials:

```shell
./br backup full -c=0 -u pd-service:2379 --storage 's3://bucket-name/prefix'
```

If you back up or restore data using the `BACKUP` and `RESTORE` statements, you can add the `SEND_CREDENTIALS_TO_TIKV = FALSE` option:

```sql
BACKUP DATABASE * TO 's3://bucket-name/prefix' SEND_CREDENTIALS_TO_TIKV = FALSE;
```

URI format

URI format description

This section describes the URI format of the storage services:

```
[scheme]://[host]/[path]?[parameters]
```

Amazon S3

  • scheme: `s3`
  • host: bucket name
  • parameters:
    • `access-key`: Specifies the access key.
    • `secret-access-key`: Specifies the secret access key.
    • `session-token`: Specifies the temporary session token. BR does not support this parameter yet.
    • `use-accelerate-endpoint`: Specifies whether to use the accelerate endpoint on Amazon S3 (defaults to `false`).
    • `endpoint`: Specifies the URL of a custom endpoint for S3-compatible services.
    • `force-path-style`: Use path-style access rather than virtual-hosted-style access (defaults to `true`).
    • `storage-class`: Specifies the storage class of the uploaded objects (for example, `STANDARD` or `STANDARD_IA`).
    • `sse`: Specifies the server-side encryption algorithm used to encrypt the uploaded objects (value options: empty, `AES256`, or `aws:kms`).
    • `sse-kms-key-id`: Specifies the KMS ID if `sse` is set to `aws:kms`.
    • `acl`: Specifies the canned ACL of the uploaded objects (for example, `private` or `authenticated-read`).
    • `role-arn`: When you need to access Amazon S3 data from a third party using a specified IAM role, you can specify the corresponding Amazon Resource Name (ARN) of the IAM role with the `role-arn` URL query parameter, such as `arn:aws:iam::888888888888:role/my-role`. For more information about using an IAM role to access Amazon S3 data from a third party, see the AWS documentation.
    • `external-id`: When you access Amazon S3 data from a third party, you might need to specify a correct external ID to assume the IAM role. In this case, you can use this `external-id` URL query parameter to specify the external ID and make sure that you can assume the IAM role. An external ID is an arbitrary string provided by the third party together with the IAM role ARN to access the Amazon S3 data. Providing an external ID is optional when assuming an IAM role, which means if the third party does not require an external ID for the IAM role, you can assume the IAM role and access the corresponding Amazon S3 data without providing this parameter.

GCS

  • scheme: `gcs` or `gs`
  • host: bucket name
  • parameters:
    • `credentials-file`: Specifies the path to the credentials JSON file on the migration tool node.
    • `storage-class`: Specifies the storage class of the uploaded objects (for example, `STANDARD` or `COLDLINE`).
    • `predefined-acl`: Specifies the predefined ACL of the uploaded objects (for example, `private` or `project-private`).

Azure Blob Storage

  • scheme: `azure` or `azblob`
  • host: container name
  • parameters:
    • `account-name`: Specifies the account name of the storage.
    • `account-key`: Specifies the access key.
    • `access-tier`: Specifies the access tier of the uploaded objects, for example, `Hot`, `Cool`, or `Archive`. The value is `Hot` by default.
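To check a storage URI against the per-scheme parameter rules listed above before handing it to `br`, and to mask the secret-bearing parameters before the URI goes into a log or a ticket, here is an added Python example (not TiDB or BR code; the rules it enforces are the ones on this page, and the function names are this example's own):

```python
from urllib.parse import urlsplit

# Parameters this page documents per provider (session-token is listed but unsupported by BR).
KNOWN = {
    "s3": {"access-key", "secret-access-key", "session-token", "use-accelerate-endpoint",
           "endpoint", "force-path-style", "storage-class", "sse", "sse-kms-key-id", "acl",
           "role-arn", "external-id"},
    "gcs": {"credentials-file", "storage-class", "predefined-acl"},
    "azure": {"account-name", "account-key", "access-tier"},
}
ALIASES = {"s3": "s3", "gcs": "gcs", "gs": "gcs", "azure": "azure", "azblob": "azure"}
SECRETS = {"secret-access-key", "session-token", "account-key"}  # never log these


def split_query(query):
    """Split 'k=v&k2=v2' into (key, value) pairs without decoding the values."""
    return [item.partition("=")[::2] for item in query.split("&") if item]


def parse_storage_uri(uri):
    """Return ({provider, host, path, params}, problems); provider is None on a bad scheme."""
    parts = urlsplit(uri)
    provider = ALIASES.get(parts.scheme)
    if provider is None:
        return None, [f"unsupported scheme: {parts.scheme!r}"]
    params = dict(split_query(parts.query))
    problems = [f"unknown parameter for {provider}: {k}" for k in params if k not in KNOWN[provider]]
    if provider == "s3":
        sse = params.get("sse", "")
        if sse not in ("", "AES256", "aws:kms"):
            problems.append(f"invalid sse value: {sse!r}")
        if "sse-kms-key-id" in params and sse != "aws:kms":
            problems.append("sse-kms-key-id is only meaningful when sse=aws:kms")
        if "external-id" in params and "role-arn" not in params:
            problems.append("external-id given without role-arn")
        if "session-token" in params:
            problems.append("session-token is not supported by BR yet")
    info = {"provider": provider, "host": parts.netloc,
            "path": parts.path.lstrip("/"), "params": params}
    return info, problems


def redact_uri(uri):
    """Mask secret-bearing query values so the URI can be logged safely."""
    parts = urlsplit(uri)
    masked = [f"{k}=***" if k in SECRETS else f"{k}={v}" for k, v in split_query(parts.query)]
    return parts._replace(query="&".join(masked)).geturl()
```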

URI examples

This section provides some URI examples by using `external` as the `host` parameter (bucket name or container name in the preceding sections).


Back up snapshot data to Amazon S3

```shell
./br backup full -u "${PD_IP}:2379" \
    --storage "s3://external/backup-20220915?access-key=${access-key}&secret-access-key=${secret-access-key}"
```

Restore snapshot data from Amazon S3

```shell
./br restore full -u "${PD_IP}:2379" \
    --storage "s3://external/backup-20220915?access-key=${access-key}&secret-access-key=${secret-access-key}"
```

Back up snapshot data to GCS

```shell
./br backup full --pd "${PD_IP}:2379" \
    --storage "gcs://external/backup-20220915?credentials-file=${credentials-file-path}"
```

Restore snapshot data from GCS

```shell
./br restore full --pd "${PD_IP}:2379" \
    --storage "gcs://external/backup-20220915?credentials-file=${credentials-file-path}"
```

Back up snapshot data to Azure Blob Storage

```shell
./br backup full -u "${PD_IP}:2379" \
    --storage "azure://external/backup-20220915?account-name=${account-name}&account-key=${account-key}"
```

Restore the `test` database from snapshot backup data in Azure Blob Storage

```shell
./br restore db --db test -u "${PD_IP}:2379" \
    --storage "azure://external/backup-20220915?account-name=${account-name}&account-key=${account-key}"
```

Authentication

When storing backup data in a cloud storage system, you need to configure authentication parameters depending on the specific cloud service provider. This section describes the authentication methods used by Amazon S3, GCS, and Azure Blob Storage, and how to configure the accounts used to access the corresponding storage service.

Amazon S3

Before backup, configure the following privileges to access the backup directory on S3.

  • Minimum privileges for TiKV and Backup & Restore (BR) to access the backup directories during backup: `s3:ListBucket`, `s3:PutObject`, and `s3:AbortMultipartUpload`
  • Minimum privileges for TiKV and BR to access the backup directories during restore: `s3:ListBucket`, `s3:GetObject`, and `s3:PutObject`. BR writes checkpoint information to the `./checkpoints` subdirectory under the backup directory. When restoring log backup data, BR writes the table ID mapping relationship of the restored cluster to the `./pitr_id_maps` subdirectory under the backup directory.
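As an added example (not from TiDB's documentation or code), the following Python builds an IAM policy document from the minimum action lists above, granting `s3:ListBucket` on the bucket ARN and the object actions only under the backup directory prefix. The `s3:prefix` condition on listing is an extra tightening beyond what the page requires, and the bucket and prefix names are placeholders.

```python
import json

# Minimum actions the page lists for each phase. s3:ListBucket is a bucket-level
# action; the rest act on objects and are scoped to the backup directory prefix.
PHASE_ACTIONS = {
    "backup": ["s3:ListBucket", "s3:PutObject", "s3:AbortMultipartUpload"],
    "restore": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
}


def minimum_policy(bucket, prefix, phase):
    """Return a least-privilege IAM policy (as a dict) for one backup directory and phase."""
    prefix = prefix.strip("/")
    object_actions = [a for a in PHASE_ACTIONS[phase] if a != "s3:ListBucket"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"List{phase.capitalize()}Prefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                # Only allow listing the backup directory itself and what lies under it.
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {
                "Sid": f"{phase.capitalize()}Objects",
                "Effect": "Allow",
                "Action": object_actions,
                # Covers the backup files plus the ./checkpoints and ./pitr_id_maps
                # subdirectories that BR writes under the backup directory.
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def policy_json(bucket, prefix, phase):
    """Serialize the policy for pasting into an IAM role or user policy."""
    return json.dumps(minimum_policy(bucket, prefix, phase), indent=2)


if __name__ == "__main__":
    # Placeholder bucket and prefix; substitute your own values.
    print(policy_json("example-backup-bucket", "backup-20220915", "restore"))
```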

If you have not yet created a backup directory, refer to Create a bucket to create an S3 bucket in the specified region. If necessary, you can also create a folder in the bucket by referring to Create a folder.

It is recommended that you configure access to S3 using either of the following ways:

  • Method 1: Specify the access key

    If you specify an access key and a secret access key in the URI, authentication is performed using the specified access key and secret access key. Besides specifying the key in the URI, the following methods are also supported:

    • BR reads the environment variables `$AWS_ACCESS_KEY_ID` and `$AWS_SECRET_ACCESS_KEY`.
    • BR reads the environment variables `$AWS_ACCESS_KEY` and `$AWS_SECRET_KEY`.
    • BR reads the shared credentials file in the path specified by the environment variable `$AWS_SHARED_CREDENTIALS_FILE`.
    • BR reads the shared credentials file in the `~/.aws/credentials` path.
  • Method 2: Access based on the IAM role

    Associate an IAM role that can access S3 with the EC2 instances where the TiKV and BR nodes run. After the association, BR can directly access the backup directories in S3 without additional settings.

    ```shell
    br backup full --pd "${PD_IP}:2379" \
        --storage "s3://${host}/${path}"
    ```

GCS

You can configure the account used to access GCS by specifying the access key. If you specify the `credentials-file` parameter, the authentication is performed using the specified `credentials-file`. Besides specifying the key in the URI, the following methods are also supported:

  • BR reads the file in the path specified by the environment variable `$GOOGLE_APPLICATION_CREDENTIALS`.
  • BR reads the file `~/.config/gcloud/application_default_credentials.json`.
  • BR obtains the credentials from the metadata server when the cluster is running in GCE or GAE.

Azure Blob Storage

  • Method 1: Specify the access key

    If you specify `account-name` and `account-key` in the URI, the authentication is performed using the specified account name and account key. Besides the method of specifying the key in the URI, BR can also read the key from the environment variable `$AZURE_STORAGE_KEY`.

  • Method 2: Use Azure AD for backup and restore

    Configure the environment variables `$AZURE_CLIENT_ID`, `$AZURE_TENANT_ID`, and `$AZURE_CLIENT_SECRET` on the node where BR is running.

    • When the cluster is started using TiUP, TiKV uses the systemd service. The following example shows how to configure the preceding three environment variables for TiKV:

      1. Suppose that the TiKV port on this node is `24000`, that is, the name of the systemd service is `tikv-24000`:

         ```shell
         systemctl edit tikv-24000
         ```

      2. Edit the TiKV configuration file to configure the three environment variables:

         ```
         [Service]
         Environment="AZURE_CLIENT_ID=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
         Environment="AZURE_TENANT_ID=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
         Environment="AZURE_CLIENT_SECRET=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
         ```

      3. Reload the configuration and restart TiKV:

         ```shell
         systemctl daemon-reload
         systemctl restart tikv-24000
         ```

    • To configure the Azure AD information for TiKV and BR started with command lines, you only need to check whether the environment variables `$AZURE_CLIENT_ID`, `$AZURE_TENANT_ID`, and `$AZURE_CLIENT_SECRET` are configured in the operating environment by running the following commands:

      ```shell
      echo $AZURE_CLIENT_ID
      echo $AZURE_TENANT_ID
      echo $AZURE_CLIENT_SECRET
      ```

    • Use BR to back up data to Azure Blob Storage:

      ```shell
      ./br backup full -u "${PD_IP}:2379" \
          --storage "azure://external/backup-20220915?account-name=${account-name}"
      ```

Server-side encryption

Amazon S3 server-side encryption

BR supports server-side encryption when backing up data to Amazon S3. You can also use an AWS KMS key you create for S3 server-side encryption using BR. For details, see BR S3 server-side encryption.

Other features supported by the storage service

BR v6.3.0 supports AWS S3 Object Lock. You can enable this feature to prevent backup data from being tampered with or deleted.
