add storage access configuration (#22232)

wildpcww · web-flow · commit 68c93802d71b · 2025-12-29T09:16:14.000Z
diff --git a/tidb-cloud/premium/backup-and-restore-premium.md b/tidb-cloud/premium/backup-and-restore-premium.md
@@ -192,11 +192,15 @@ To restore backups from cloud storage, do the following:
 2. On the **Select Backup Storage Location** page, provide the following information:
 
     - **Cloud Provider**: select the cloud provider where your backup files are stored.
-    - **Region**: if your cloud provider is Alibaba Cloud OSS, select a Region.
+    - **Region**: if your cloud provider is Alibaba Cloud OSS, select a region.
     - **Backup Files URI**: enter the URI of the top-level folder that contains your backup files.
     - **Access Key ID**: enter your access key ID.
     - **Access Key Secret**: enter your access key secret.
 
+    > **Tip:**
+    >
+    > To create an access key for your storage bucket, see [Configure Amazon S3 access using an AWS access key](#configure-amazon-s3-access-using-an-aws-access-key) and [Configure Alibaba Cloud OSS access](#configure-alibaba-cloud-oss-access).
+
 3. Click **Verify Backup and Next**.
 
 4. If the verification is successful, the **Restore to a New Instance** page appears. Review the backup information displayed at the top of the page, and then follow the steps in [Create a {{{ .premium }}} Instance](/tidb-cloud/premium/create-tidb-instance-premium.md) to restore the backup to a new instance.
@@ -208,3 +212,113 @@ To restore backups from cloud storage, do the following:
 ## Limitations
 
 Currently, manual backups are not supported for {{{ .premium }}} instances.
+
+## References
+
+This section describes how to configure access for Amazon S3 and Alibaba Cloud OSS.
+
+### Configure Amazon S3 access using an AWS access key
+
+It is recommended that you use an IAM user, rather than the AWS account root user, to create an access key.
+
+Take the following steps to configure an access key:
+
+1. Create an IAM user and access key.
+
+    1. Create an IAM user. For more information, see [Create an IAM user in your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).
+    2. Sign in to the [IAM console](https://console.aws.amazon.com/iam) using your AWS account ID or account alias, and your IAM user name and password.
+    3. Create an access key. For more information, see [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).
+
+2. Grant permissions to the IAM user.
+
+    Create a policy with only the permissions required for your task and attach it to the IAM user. To restore data to a {{{ .premium }}} instance, grant the `s3:GetObject`, `s3:GetBucketLocation`, and `s3:ListBucket` permissions.
+
+    The following is an example policy that allows TiDB Cloud to restore data from a specific folder in your Amazon S3 bucket.
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowGetBucketLocation",
+                "Effect": "Allow",
+                "Action": "s3:GetBucketLocation",
+                "Resource": "arn:aws:s3:::<Your S3 bucket name>"
+            },
+            {
+                "Sid": "AllowListPrefix",
+                "Effect": "Allow",
+                "Action": "s3:ListBucket",
+                "Resource": "arn:aws:s3:::<Your S3 bucket name>",
+                "Condition": {
+                    "StringLike": {
+                        "s3:prefix": "<Your backup folder>/*"
+                    }
+                }
+            },
+            {
+                "Sid": "AllowReadObjectsInPrefix",
+                "Effect": "Allow",
+                "Action": "s3:GetObject",
+                "Resource": "arn:aws:s3:::<Your S3 bucket name>/<Your backup folder>/*"
+            }
+        ]
+    }
+    ```
+
+    In the preceding policy, replace `<Your S3 bucket name>` and `<Your backup folder>` with your actual bucket name and backup directory. This configuration follows the principle of least privilege by limiting access to only the necessary backup files.
+
+> **Note:**
+>
+> TiDB Cloud does not store your access keys. To maintain security, [delete the access key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey) after the import or export task is complete.
+
+### Configure Alibaba Cloud OSS access
+
+To grant TiDB Cloud access to your Alibaba Cloud OSS bucket, you need to create an AccessKey pair for the bucket.
+
+Take the following steps to configure an AccessKey pair:
+
+1. Create a RAM user and obtain the AccessKey pair. For more information, see [Create a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-ram-user).
+
+    In the **Access Mode** section, select **Using permanent AccessKey to access**.
+
+2. Create a custom policy with the required permissions. For more information, see [Create custom policies](https://www.alibabacloud.com/help/en/ram/user-guide/create-a-custom-policy).
+
+    - In the **Effect** section, select **Allow**.
+    - In the **Service** section, select **Object Storage Service**.
+    - In the **Action** section, select the required permissions. To restore a backup to a TiDB Cloud instance, grant the `oss:ListObjects` and `oss:GetObject` permissions.
+
+        > **Tip:**
+        >
+        > To enhance security for restore operations, you can  restrict access to the specific folder (`oss:Prefix`) where your backup files are stored rather than granting access to the entire bucket.
+
+        The following JSON example shows a policy for a restore task. This policy restricts access to a specific bucket and backup folder.
+
+        ```json
+        {
+        "Version": "1",
+        "Statement": [
+            {
+            "Effect": "Allow",
+            "Action": "oss:ListObjects",
+            "Resource": "acs:oss:*:*:<Your bucket name>",
+            "Condition": {
+                "StringLike": {
+                "oss:Prefix": "<Your backup folder>/*"
+                }
+            }
+            },
+            {
+            "Effect": "Allow",
+            "Action": "oss:GetObject",
+            "Resource": "acs:oss:*:*:<Your bucket name>/<Your backup folder>/*"
+            }
+        ]
+        }
+        ```
+
+    - In the **Resource** section, select the bucket and the specific objects in the bucket.
+
+3. Attach the custom policies to the RAM user.
+
+    For more information, see [Grant permissions to a RAM user](https://www.alibabacloud.com/help/en/ram/user-guide/grant-permissions-to-the-ram-user).
