Buckets

A Storage Bucket is the representation of a remote object storage bucket in the Flashback Platform.


Properties

Each bucket has the following properties:

  • Bucket Label (required): a human-readable description of the bucket.

  • Storage Type: the supported storage types, selected according to the API interface the bucket exposes:

    • AWS S3, or an equivalent S3-compatible storage bucket, indicating the custom endpoint.

    • Google Cloud Storage, or an equivalent GCS-compatible storage bucket, indicating the custom endpoint.

    • Microsoft Azure Blob.

    Example: to connect to an S3-compatible endpoint, select “S3”.


Access Mechanisms

There are two access mechanisms for the APIs:

  • Classic access: providing an API key/secret (S3) or a client email/private key (GCS).

  • Delegated access to a Flashback platform account: only available when accessing a native S3/GCS/Azure Blob endpoint:

    • S3: requires an access Role ARN (resource name) and an external ID created for the Flashback AWS user, with the access policy configured for the destination bucket(s).

    • GCS: the Flashback service account (GCS) with token creation permission and permissions on the GCS buckets.

    • Azure: the Flashback Azure user, with guest access granted to the destination storage account.

For general details on how the delegation process and the guest-access grant work:


Security and Bucket Secret Encryption

All secrets in Flashback are encrypted in our database using an RSA key that the platform backend itself does not possess. Once you save a bucket’s credentials, Flashback cannot decrypt or recover them, so treat the platform as a secure store, not a backup.

Decryption is handled exclusively by Bridge Nodes via a federated shared-secret mechanism:

  • When a Bridge Node starts up, it retrieves the encrypted bucket secrets from the backend database, decrypts them into a secret store held in the Bridge Node instance's memory, and never writes or materializes them to any kind of hard drive or permanent storage.

  • When the node shuts down, those keys are purged from memory and must be freshly decrypted on next startup.

This design avoids any single point of failure: your secrets remain unreadable by the backend and exist only transiently in the Bridge Node’s runtime memory.
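The split described above, as an added illustration that is not Flashback's own code: the backend holds only an RSA public key and can do nothing but seal a credential for storage, while the Bridge Node holds the private key, decrypts into memory at startup and wipes that memory at shutdown. It simplifies the federated shared-secret mechanism to a single private key held by the node; the type and function names, the RSA-OAEP choice and the 2048-bit key size are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewNodeKey makes the pair whose private half lives only on the Bridge Node (2048-bit for the example).
func NewNodeKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Seal is all the backend can do: holding only the public key, it can store a credential but never read it back.
func Seal(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

// BridgeNode holds the private key; decrypted credentials exist only in its memory.
type BridgeNode struct {
	priv    *rsa.PrivateKey
	secrets map[string][]byte // plaintext, never written to disk
}

// Startup decrypts every stored ciphertext into memory, as in the startup step above.
func (n *BridgeNode) Startup(stored map[string][]byte) error {
	n.secrets = make(map[string][]byte, len(stored))
	for label, ct := range stored {
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, n.priv, ct, nil)
		if err != nil {
			return fmt.Errorf("bucket %q: %w", label, err)
		}
		n.secrets[label] = pt
	}
	return nil
}

// Shutdown overwrites the plaintext buffers and drops them; the next Startup must decrypt again.
func (n *BridgeNode) Shutdown() {
	for label, pt := range n.secrets {
		copy(pt, make([]byte, len(pt))) // zero the bytes before losing the reference
		delete(n.secrets, label)
	}
}
```

Only the ciphertext returned by Seal is what a database row would contain; a node configured with a different private key fails at Startup instead of yielding a credential.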


Storage Type

AWS S3 or Compatible Provider

You must indicate the parameters that allow access to the remote bucket.

  • Bucket Name: as it appears in the S3 configuration or in the URLs.

  • Access Key/ARN (required): API key or AWS delegated Role ARN used to access the bucket.

  • Secret Key (required): API secret or External ID used to access the bucket.

  • Endpoint (optional): a URL for the endpoint. If empty, we assume we are connecting to AWS. If not empty, we assume a non-AWS S3-compatible API endpoint from an external data provider.

  • Region (required if the endpoint field is empty): the AWS region the bucket is in. Not needed if a custom, non-AWS endpoint is provided.

GCS or Compatible Provider

You must indicate the parameters that allow access to the remote bucket.

  • Bucket Name: as it shows in the project's storage section.

  • Client Email (required): client email used to access the bucket. It can be the service account, or a delegated service account that has been configured to grant external access to Flashback's service account.

  • Private Key (empty if delegated access): private key used to access the bucket.

  • Endpoint: a URL for the endpoint. If empty, we assume we are connecting to a GCS bucket. If not empty, we assume a non-GCP GCS-compatible API endpoint from an external data provider.

Microsoft Azure

You must indicate the parameters that allow access to the remote bucket (a container, in Azure terms).

  • Storage Account

  • Container

  • Access key: as shown in the "Security & Networking - Access keys" section of the Azure Storage Account management.
