Create a backup repository

This page describes how to create a backup repository for virtual machines (VMs) in Google Distributed Cloud (GDC) air-gapped.

Before creating backups or snapshots, you must define at least one backup repository that can be shared among several backups or snapshots. A backup repository tells the backup system where to store or retrieve backups. Backup repositories for VMs are restricted to Management API server.

Before you begin

Before you create a backup repository, you must provision the underlying storage and configure the necessary permissions, including:

An object storage bucket and an S3-compatible endpoint.
A service account with granted access to the bucket, and its S3 credentials.
The necessary IAM roles:
- Organization Backup Admin: manages backup resources such as backup and restore plans in user clusters.
- Secret Viewer: views Kubernetes secrets in projects.
Ask your Organization IAM Admin to grant you the Organization Backup Admin (organization-backup-admin) and Secret Viewer (secret-viewer) roles. For more information, see Role definitions.

Create a backup repository

Create a repository using the GDC console or the API.

Console

Sign into the GDC console.
In the navigation menu, click Backup for Virtual Machines > Repositories.
Click Create repository.
Enter a repository name and an optional description.
In the S3 URI endpoint field, enter an endpoint with the fully-qualified domain name of your object storage site. To get the value from the Bucket custom resource, run the following command:
```
kubectl get Bucket BUCKET_NAME -n NAMESPACE -o json | jq -r '.status.endpoint'
```
In the Bucket name field, enter the fully qualified domain name of the bucket. You can get this name from the Bucket details page in the GDC console, or to get the value from the Bucket custom resource run the following command:
```
kubectl get Bucket BUCKET_NAME -n NAMESPACE -o json | jq -r '.status.fullyQualifiedName'
```
In the Bucket region field, enter the region where the bucket was created and get the value from the Bucket custom resource run the following command:
```
kubectl get Bucket BUCKET_NAME -n NAMESPACE -o json | jq -r '.status.region'
```
In the Access Key ID and Access key fields, enter the access key ID and secret access key. For more information about obtaining these credentials, see Grant and obtain storage bucket access.
Click Create.

API

Create a BackupRepository custom resource using your credentials.

Get the name of the secret that contains S3 credentials:
```
export PROJECT_NAME=PROJECT_NAME
export SA_NAME=SA_NAME
kubectl get secrets --namespace $PROJECT_NAME -o json | jq -r --arg USER_NAME "${SA_NAME:?}" '.items[] | select( (.metadata.annotations."object.gdc.goog/subject"==$USER_NAME)) | .metadata.name'
```
Make sure to record the secret name returned by the command and use it as SECRET_NAME in the next step.

Replace the following:
- PROJECT_NAME: the name of your project.
- SA_NAME: the name of the service account used to access object storage.
To get bucket details like FQDN and endpoints, extract the fullyQualifiedName and zonalEndpoints values from the output:
```
kubectl get buckets -n PROJECT_NAME BUCKET_NAME -o yaml
```
Create a BackupRepository within the Management API server:
```
apiVersion: backup.gdc.goog/v1
kind: BackupRepository
metadata:
  name: REPOSITORY_NAME
spec:
  secretReference:
    namespace: PROJECT_NAME
    name: SECRET_NAME
  endpoint: ENDPOINT
  type: "S3"
  s3Options:
    bucket: BUCKET_FQDN
    region: REGION
    forcePathStyle: FORCE_PATH_STYLE
  importPolicy: IMPORT_POLICY
```
Replace the following:
- REPOSITORY_NAME: the name of the backup repository.
- PROJECT_NAME: the name of your project.
- SA_NAME: the name of the service account used to access object storage.
- SECRET_NAME: the name of the secret returned from the kubectl get secrets command.
- ENDPOINT: the fully qualified domain name for the storage system, for example, https://objectstorage.google.gdch.test. For the type field, only a value of S3 is supported.
- BUCKET_FQDN: the fully qualified name of the bucket.
- REGION: the region where the bucket was created.
- FORCE_PATH_STYLE: use the forcePathStyle field to force path style URLs for objects. This field must have a value of true or false.
- IMPORT_POLICY: set to one of the following:
  - ReadWrite: This repository can be used to schedule or create backups, backup plans, and restores.
  - ReadOnly: This repository can only be used to import and view backups. No new backups or resources can be created in this repository, but restores can use and reference read-only backups for restoration. There is no restriction on how often a backup repository can be used as ReadOnly.
The BackupRepository creates a read-write enabled BackupRepository resource in the Management API server that has the same name.

What's next

Manage a backup repository

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-09 UTC.