Backup storage integration

Backup Storage lets you copy database backups to your own S3-compatible bucket (AWS S3, Cloudflare R2, MinIO, Backblaze B2, Wasabi, and similar providers). Credentials are stored at the Organisation level under Integrations; each database Service chooses a verified destination on its Backups tab.

For backup jobs, restore, schedules, and status values, see Backups and restore under Databases in the sidebar.

Before you start

• You can create access keys (or equivalent) on the bucket with read and write on the target bucket and prefix.

• You know the bucket name, region, and (for non-AWS providers) the provider’s S3 API endpoint URL.

• The database Service has compute attached so export jobs can run on a Worker Node (see Backups and restore).

• Review Integration permissions and prerequisites for secret handling and role access.

1. Connect storage in Integrations

1. Sign in to the dFlow dashboard (for example app.dflow.sh on dFlow Cloud).

2. Open Integrations in the organisation sidebar.

3. On the Backup Storage card, click Settings.

4. Click Connect storage and fill in:

   • Name — a label you will recognise (for example Production backups).

   • Bucket — the bucket that will hold dumps.

   • Region — AWS region (for example us-east-1) or auto for Cloudflare R2.

   • Endpoint URL — leave blank for native AWS S3; for R2, B2, MinIO, and others, paste the S3 API endpoint from your provider.

   • Access key ID and Secret access key — programmatic credentials with access to that bucket.

5. Click Test connection. Fix any error before you save.

6. Click Save.

Expected outcome: The provider appears in the list with status verified. You can re-run verification later with the shield control on the card.

Objects are stored under a default prefix (dflow/backups); you do not set the prefix in the connect dialog.

Provider examples

AWS S3

1. Create or use a dedicated bucket in the target region.

2. IAM → create a user or role with s3:PutObject, s3:GetObject, s3:DeleteObject, and s3:ListBucket scoped to that bucket (tighten ARNs per your policy).

3. Create an access key for that principal.

In dFlow, leave Endpoint URL empty and set Region to the bucket region (for example us-east-1).

Cloudflare R2

1. R2 → create a bucket → Manage R2 API tokens → token with read/write on that bucket.

2. Copy the S3 API endpoint (for example https://<account-id>.r2.cloudflarestorage.com).

In dFlow, set Region to auto, paste the endpoint, and use the token’s Access Key ID and Secret Access Key.

Backblaze B2, MinIO, Wasabi, and other S3-compatible hosts

Use the provider’s S3-compatible endpoint and application keys. Enable path-style addressing if your provider requires it (dFlow sets path-style automatically when a custom endpoint is present).

2. Use external storage on a database Service

1. Open Applications → Application → Environment → your database Service.

2. Open the Backups tab.

3. Choose External storage, select the verified provider you connected, and click Save destination.

4. Run Create backup or configure a schedule as needed.

Manual and scheduled jobs export on the server, upload the dump to your bucket, and record the object key on the backup row. Restore and delete use the same credentials.

Permission and upload errors

Backup storage credentials are separate from AWS cloud account keys used for EC2 provisioning. See Cloud provider accounts.

Related

• Backups and restore

• Integrations overview

• Integration troubleshooting

• Integration issues