Create a backup repository

This document describes how to create a backup repository for virtual machines (VMs) in Google Distributed Cloud (GDC) air-gapped.

Before creating backups or snapshots, you must define at least one backup repository that can be shared among several backups or snapshots. A backup repository tells the backup system where to store or retrieve backups. Backup repositories for VMs are restricted to the Management API server.

This document is for developers in the platform administrator or application operator groups who manage VM backup and restore operations. For more information, see Audiences for GDC air-gapped documentation.

Before you begin

Before you create a backup repository, you must provision the underlying storage.

Request IAM permissions

To create VM backup repositories, ask your Organization IAM Admin to grant you the following roles:

  • Organization Backup Admin (organization-backup-admin): Manages the entire lifecycle of VM backup resources, including creating, viewing, and deleting backup and restore plans within user clusters. This role is required to configure and execute VM data protection strategies.
  • Secret Viewer (secret-viewer): Views Kubernetes secrets in projects.

Create a backup repository

Create a repository using the GDC console or the API.

Console

  1. Sign in to the GDC console.
  2. In the navigation menu, click Backup for Virtual Machines > Repositories.
  3. Click Create repository.
  4. Enter a repository name and an optional description.
  5. In the S3 URI endpoint field, enter an endpoint with the fully-qualified domain name of your object storage site.
  6. In the Bucket name field, enter the name of the bucket.
  7. In the Bucket region field, enter the region where the bucket was created.
  8. In the Access Key ID list, enter the access key ID.
  9. In the Access key field, enter the access key.
  10. Click Create.

API

Create a BackupRepository custom resource using your credentials.

  1. Get the name of the secret that contains S3 credentials:

    export PROJECT_NAME=PROJECT_NAME
    export SA_NAME=SA_NAME
    kubectl get secrets --namespace $PROJECT_NAME -o json | jq -r --arg USER_NAME "${SA_NAME:?}" '.items[] | select( (.metadata.annotations."object.gdc.goog/subject"==$USER_NAME)) | .metadata.name'
    

    Make sure you record the secret name returned by the command and use it as the SECRET_NAME value when creating your BackupRepository resource.

    Replace the following:

    • PROJECT_NAME: the name of your project.
    • SA_NAME: the name of the service account used to access object storage.
  2. To get bucket details like FQDN and endpoints, extract the fullyQualifiedName and zonalEndpoints values from the output:

    kubectl get buckets -n PROJECT_NAME BUCKET_NAME -o yaml
    
  3. Create a BackupRepository within the Management API server:

    apiVersion: backup.gdc.goog/v1
    kind: BackupRepository
    metadata:
      name: REPOSITORY_NAME
    spec:
      secretReference:
        namespace: PROJECT_NAME
        name: SECRET_NAME
      endpoint: ENDPOINT
      type: "S3"
      s3Options:
        bucket: BUCKET_FQDN
        region: REGION
        forcePathStyle: FORCE_PATH_STYLE
      importPolicy: IMPORT_POLICY
    

    Replace the following:

    • REPOSITORY_NAME: the name of the backup repository.
    • PROJECT_NAME: the name of your project.
    • SA_NAME: the name of the service account used to access object storage; step 1 uses it to look up SECRET_NAME.
    • SECRET_NAME: the name of the secret returned by the kubectl get secrets command in step 1.
    • ENDPOINT: the fully qualified domain name for the storage system, for example, https://objectstorage.google.gdch.test. For the type field, only a value of S3 is supported.
    • BUCKET_FQDN: the fully qualified name of the bucket.
    • REGION: the region where the bucket was created.
    • FORCE_PATH_STYLE: set the forcePathStyle field to true to force path-style URLs for objects, or to false otherwise. This field must have a value of true or false.
    • IMPORT_POLICY: set to one of the following:
      • ReadWrite: This repository can be used to schedule or create backups, backup plans, and restores.
      • ReadOnly: This repository can only be used to import and view backups. No new backups or resources can be created in this repository, but restores can use and reference read-only backups for restoration. There is no restriction on how often a backup repository can be used as ReadOnly.

    Applying this manifest creates a read-write enabled BackupRepository resource of the same name in the Management API server.
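The following is an added example, not code from the GDC documentation: it wraps step 1 (the secret lookup) and step 3 (the manifest) of the API procedure in two shell functions and rejects values the page does not allow before anything reaches kubectl. The repository, project, bucket and service-account names in the usage line are constructed placeholders, and the https:// check is this script's own rule, not a documented constraint.

```shell
#!/usr/bin/env bash
# Added example (not from the GDC docs): steps 1 and 3 of the API procedure as
# shell functions. Credentials stay in the secret that secretReference names;
# nothing here embeds an access key in the manifest.
set -eu
# Step 1: the page's kubectl/jq query for the secret annotated with the service
# account's subject. VM backup repositories live in the Management API server,
# so run it with a kubectl context pointed there.
lookup_secret_name() {  # usage: lookup_secret_name PROJECT_NAME SA_NAME
  kubectl get secrets --namespace "$1" -o json |
    jq -r --arg USER_NAME "$2" \
      '.items[] | select(.metadata.annotations."object.gdc.goog/subject"==$USER_NAME) | .metadata.name'
}
# Step 3: render the manifest. importPolicy and forcePathStyle are checked
# against the values the page allows, so a typo cannot yield a repository with
# an unintended policy; empty arguments (for example a failed secret lookup)
# are refused. Requiring https:// is this script's own rule, added so the
# access key is never sent to the endpoint in clear.
render_backup_repository() {
  # args: REPOSITORY_NAME PROJECT_NAME SECRET_NAME ENDPOINT BUCKET_FQDN REGION FORCE_PATH_STYLE IMPORT_POLICY
  local repo="$1" project="$2" secret="$3" endpoint="$4"
  local bucket="$5" region="$6" path_style="$7" policy="$8"
  for v in "$@"; do [ -n "$v" ] || { echo "empty argument" >&2; return 1; }; done
  case "$policy" in ReadWrite|ReadOnly) ;;
    *) echo "importPolicy must be ReadWrite or ReadOnly, got '$policy'" >&2; return 1 ;; esac
  case "$path_style" in true|false) ;;
    *) echo "forcePathStyle must be true or false, got '$path_style'" >&2; return 1 ;; esac
  case "$endpoint" in https://*) ;;
    *) echo "endpoint must be an https:// URL, got '$endpoint'" >&2; return 1 ;; esac
  cat <<EOF
apiVersion: backup.gdc.goog/v1
kind: BackupRepository
metadata:
  name: $repo
spec:
  secretReference:
    namespace: $project
    name: $secret
  endpoint: $endpoint
  type: "S3"
  s3Options:
    bucket: $bucket
    region: $region
    forcePathStyle: $path_style
  importPolicy: $policy
EOF
}
# Usage with constructed values (a restore-only repository), run against the
# Management API server context:
# render_backup_repository vm-restore-repo my-project "$(lookup_secret_name my-project vm-backup-sa)" \
#   https://objectstorage.example.test my-bucket.example.test region-a true ReadOnly | kubectl apply -f -
```

Choosing ReadOnly for a repository that only feeds restores keeps backup creation out of reach of anyone who can reference it, which is the least-privilege option the page's importPolicy field gives you.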

What's next