# Configure a Bucket

{% hint style="info" %}
We highly recommend reading the page describing [Cloud Storage](https://docs.flashback.tech/flashback-platform/cloud-and-ai-gateway/cloud-storage) in Flashback. You can also set up a bucket with our [API calls](https://docs.flashback.tech/support-reference/platform-api-reference/storage-apis/bucket-management).
{% endhint %}

{% hint style="danger" %}
This guide is experimental and may contain errors as our technology continues to evolve. If you encounter any problems, please do not hesitate to contact us on [Discord](https://discord.com/invite/yy8kyM5qFB) and give us your feedback.
{% endhint %}

## Properties

Each bucket has the following properties:

* **Bucket Label** (required)\
  A human-readable description of the bucket.
* **Storage Type**\
  Supported storage types according to its API interface:

  * AWS S3, or an equivalent S3-compatible storage bucket, in which case you indicate the custom endpoint.
  * Google Cloud Storage, or an equivalent GCS-compatible storage bucket, in which case you indicate the custom endpoint.
  * Microsoft Azure Blob.

  Example: to connect to an S3-compatible endpoint, select “S3”.

## Access Mechanisms for Flashback

There are 2 access mechanisms to the APIs:

* **Classic access**\
  Providing API key/secret (S3) or client email/private key (GCS).
* **Delegated access to** [**Flashback platform account**](https://docs.flashback.tech/guides/configure-external-delegated-credentials)\
  Only available if we access a native S3/GCS/Azure Blob endpoint:
  * **S3**: Requires an access Role ARN (resource name) and an external ID created for the Flashback AWS user, with the access policy configured for the destination bucket(s).
  * **GCS**: Flashback service account (GCS) with token creation permission and permissions to the GCS buckets.
  * **Azure**: Flashback Azure identity with guest/service-principal access granted through RBAC at storage account or container scope. See [Azure Blob delegated access](https://docs.flashback.tech/guides/configure-external-delegated-credentials/configure-external-access-for-azure-blob).

{% hint style="info" %}
For general details explaining how the delegation process/grant guest access works:

* In AWS/S3, check out [this article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html).
* In Google Cloud/GCS, check out [this article](https://cloud.google.com/iam/docs/manage-access-service-accounts).
* In Azure/Blob, check out [this article](https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal).
  {% endhint %}

## Storage Type

{% hint style="danger" %}
All bucket and storage-account names must be globally unique across S3, GCS, and Azure—no two providers can use the same name. This is essential for a stable integration in the [Repositories](https://docs.flashback.tech/flashback-platform/cloud-and-ai-gateway/repositories).\
**Collisions such as an S3/GCS bucket named `mybucket` and an Azure storage account or container under `mybucket` are not allowed, though multiple containers from the _same_ Azure storage account are permitted.**
{% endhint %}

### AWS S3 or Compatible Provider

You must provide the parameters that allow access to the remote bucket.

* **Bucket Name**\
  As it appears in the S3 configuration or in the URLs.
* **Access Key/ARN** (required)\
  API key or [AWS delegated Role ARN](https://docs.flashback.tech/guides/configure-external-delegated-credentials/configure-external-access-for-aws-s3) to access the bucket.
* **Secret Key** (required)\
  API secret or [External ID](https://docs.flashback.tech/configure-external-delegated-credentials#configure-external-access-for-aws-s3) to access the bucket.
* **Endpoint** (optional)\
  A URL for the endpoint. **If empty, we assume we are connecting to AWS**. If not empty, we assume a non-AWS S3-compatible API endpoint from an external data provider.
* **Region** (required if **endpoint** field is empty)\
  AWS region the bucket is in. Not needed if we provide a custom, non-AWS endpoint.

### GCS or Compatible Provider

You must provide the parameters that allow access to the remote bucket.

* **Bucket Name**\
  As it shows in the Project storage section.
* **Client Email** (required)\
  Client email to access the bucket. It can be the service account or a [delegated service account](https://docs.flashback.tech/guides/configure-external-delegated-credentials/configuring-external-access-for-gcss-buckets) that has been configured to grant external access to Flashback's service account.
* **Private Key** (empty if delegated access)\
  Private key to access the bucket.
* **Endpoint**\
  A URL of the endpoint. If empty, we assume we are connecting to a GCS bucket. If not empty, we assume a non-GCP GCS-compatible API endpoint from an external data provider.

### Microsoft Azure

You must provide the parameters that allow access to the remote bucket (container in Azure terms).

* **Storage Account**
* **Container**
* **Access key**: account key from Azure Storage Account (optional in delegated setups). For delegated guidance, see [Configure Azure Blob delegated access](https://docs.flashback.tech/guides/configure-external-delegated-credentials/configure-external-access-for-azure-blob).
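The field rules for the three providers and the two access mechanisms can be checked before a bucket definition is submitted. The following is an added example, not Flashback code: the dictionary keys are hypothetical names mirroring the form labels, the sample values are constructed placeholders, and the collision check reads the naming rule as "any reused name is a collision except a shared Azure storage account".

```python
import re

# Key names are hypothetical (they mirror this page's form labels, not an API schema).
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/.+$")

def validate_bucket(cfg):
    """Return the problems found in one bucket definition (empty list = OK)."""
    kind, endpoint, errs = cfg.get("storage_type"), cfg.get("endpoint"), []
    if kind == "S3":
        if not (cfg.get("access_key") and cfg.get("secret_key")):
            errs.append("Access Key/ARN and Secret Key are required")
        if not endpoint and not cfg.get("region"):
            errs.append("Region is required when Endpoint is empty")
        delegated = bool(ROLE_ARN.match(cfg.get("access_key") or ""))
    elif kind == "GCS":
        if not cfg.get("client_email"):
            errs.append("Client Email is required")
        delegated = not cfg.get("private_key")  # empty key means delegated access
    elif kind == "AZURE":
        if not (cfg.get("storage_account") and cfg.get("container")):
            errs.append("Storage Account and Container are required")
        delegated = not cfg.get("access_key")   # key is optional when delegated
    else:
        return ["unknown storage type"]
    # Delegated access is only available on native S3/GCS/Azure Blob endpoints.
    if delegated and endpoint:
        errs.append("delegated access cannot be used with a custom endpoint")
    return errs

def name_collisions(cfgs):
    """Names reused across buckets; only a shared Azure storage account is allowed."""
    seen, clashes = {}, set()
    for cfg in cfgs:
        names = [(cfg.get("bucket_name"), "name")]
        if cfg["storage_type"] == "AZURE":
            names = [(cfg["storage_account"], "account"), (cfg["container"], "name")]
        for name, role in names:
            if name in seen and not (role == seen[name] == "account"):
                clashes.add(name)
            seen.setdefault(name, role)
    return sorted(clashes)

# Constructed sample definitions; every value is a placeholder.
ROLE = {"access_key": "arn:aws:iam::123456789012:role/example-role", "secret_key": "example-external-id"}
SAMPLES = [
    {"storage_type": "S3", "bucket_name": "mybucket", "region": "eu-west-1", **ROLE},
    {"storage_type": "S3", "bucket_name": "archive", "endpoint": "https://s3.example.net", **ROLE},
    {"storage_type": "AZURE", "storage_account": "acct1", "container": "mybucket"},
    {"storage_type": "AZURE", "storage_account": "acct1", "container": "media"},
]
```

With these samples, the second definition is rejected because it pairs a Role ARN with a custom endpoint, and `name_collisions(SAMPLES)` reports `mybucket`, which is used both as an S3 bucket and as an Azure container.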

## Instructions

Here’s a step-by-step guide to creating a new Bucket in the Flashback Platform:

{% stepper %}
{% step %}
**Access the Buckets page**

In the left-hand menu, select **Storage** → **Buckets**.
{% endstep %}

{% step %}
**Create a new Connector (called Bucket)**

Click the + **Add Bucket** button and select the provider where you will connect your tenant bucket or storage account to this Flashback bucket.
{% endstep %}

{% step %}
**Fill in the Bucket properties**

On the “Create Bucket” form, enter the following fields (all are required unless noted otherwise):

**Bucket Label:** human-readable label for this bucket of the Flashback Platform (e.g. “Backups-EU”).

{% hint style="info" %}
We recommend using a unique name per bucket to avoid issues when you set up [your repository](https://docs.flashback.tech/flashback-platform/cloud-and-ai-gateway/repositories).
{% endhint %}

**Storage Type:** Choose one of:

* **S3** (AWS or any S3-compatible endpoint provider)
* **GCS** (GCP or any GCS-compatible endpoint provider)
* **Azure Blob** (only Microsoft Azure)
  {% endstep %}

{% step %}
**Add Vendor's Bucket**

***AWS or any S3-compatible provider***

* **Bucket Name:** The exact identifier as defined by your provider in your vendor tenant (e.g. the S3 bucket name in your AWS account).
* **Access Key**: Your S3 API Key/AWS access key ID **OR** the IAM Role ARN if using [AWS delegated Role ARN](https://docs.flashback.tech/guides/configure-external-delegated-credentials/configure-external-access-for-aws-s3)
* **Secret Key**: Your AWS secret key **OR** External ID for delegated roles
* **Endpoint** *(optional)*: custom S3 endpoint URL **OR** leave blank if using AWS
* **Region**: AWS region required if no custom endpoint.

***GCP or any GCS-compatible provider***

* **Bucket Name:** The exact identifier as defined by your provider in your vendor tenant (e.g. the bucket name in your GCS account).
* **Client Email**: Your service account email **OR** a [delegated service account](https://docs.flashback.tech/guides/configure-external-delegated-credentials/configuring-external-access-for-gcss-buckets)
* **Private Key**: service account private key **OR** leave blank if using delegated access
* **Endpoint** *(optional)*: custom GCS-compatible endpoint **OR** leave blank if using GCP

***Azure***

* **Storage Account**: your Azure storage account name
* **Container**: the container within that account
* **Access Key** *(optional)*: account key **OR** leave blank for delegated guest access
  {% endstep %}

{% step %}
**Save your new Bucket**

Click **Save** (or **Create**) at the bottom of the form. Your bucket will now appear in the list, and you can begin using it in Repositories, generate API keys, or attach it to workflows.
{% endstep %}
{% endstepper %}
