S3 Repositoryedit

The S3 repository is using S3 to store snapshots. The S3 repository can be created using the following command:

PUT _snapshot/my_s3_repository
{
  "type": "s3",
  "settings": {
    "bucket": "my_bucket_name",
    "region": "us-west"
  }
}

The following settings are supported:

bucket
The name of the bucket to be used for snapshots. (Mandatory)
region
The region where bucket is located. Defaults to US Standard
endpoint
The endpoint to the S3 API. Defaults to AWS’s default S3 endpoint. Note that setting a region overrides the endpoint setting.
protocol
The protocol to use (http or https). Defaults to value of cloud.aws.protocol or cloud.aws.s3.protocol.
base_path
Specifies the path within bucket to repository data. Defaults to value of repositories.s3.base_path or to root directory if not set.
access_key
The access key to use for authentication. Defaults to value of cloud.aws.access_key.
secret_key
The secret key to use for authentication. Defaults to value of cloud.aws.secret_key.
chunk_size
Big files can be broken down into chunks during snapshotting if needed. The chunk size can be specified in bytes or by using size value notation, i.e. 1gb, 10mb, 5kb. Defaults to 1gb.
compress
When set to true metadata files are stored in compressed format. This setting doesn’t affect index files that are already compressed by default. Defaults to false.
server_side_encryption
When set to true files are encrypted on server side using AES256 algorithm. Defaults to false.
buffer_size
Minimum threshold below which the chunk is uploaded using a single request. Beyond this threshold, the S3 repository will use the AWS Multipart Upload API to split the chunk into several parts, each of buffer_size length, and to upload each part in its own request. Note that setting a buffer size lower than 5mb is not allowed since it will prevents the use of the Multipart API and may result in upload errors. Defaults to the minimum between 100mb and 5% of the heap size.
max_retries
Number of retries in case of S3 errors. Defaults to 3.
use_throttle_retries
Set to true if you want to throttle retries. Defaults to AWS SDK default value (false).
readonly
Makes repository read-only. Defaults to false.
canned_acl
The S3 repository supports all S3 canned ACLs : private, public-read, public-read-write, authenticated-read, log-delivery-write, bucket-owner-read, bucket-owner-full-control. Defaults to private. You could specify a canned ACL using the canned_acl setting. When the S3 repository creates buckets and objects, it adds the canned ACL into the buckets and objects.
storage_class
Sets the S3 storage class type for the backup files. Values may be standard, reduced_redundancy, standard_ia. Defaults to standard. Due to the extra complexity with the Glacier class lifecycle, it is not currently supported by the plugin. For more information about the different classes, see AWS Storage Classes Guide
path_style_access
Activate path style access for virtual hosting of buckets. The default behaviour is to detect which access style to use based on the configured endpoint (an IP will result in path-style access) and the bucket being accessed (some buckets are not valid DNS names). Set to true to use path-style access for all requests.

Note that you can define S3 repository settings for all S3 repositories in elasticsearch.yml configuration file. They are all prefixed with repositories.s3.. For example, you can define compression for all S3 repositories by setting repositories.s3.compress: true in elasticsearch.yml.

The S3 repositories use the same credentials as the rest of the AWS services provided by this plugin (discovery). See Getting started with AWS for details.

Multiple S3 repositories can be created. If the buckets require different credentials, then define them as part of the repository settings.

Recommended S3 Permissionsedit

In order to restrict the Elasticsearch snapshot process to the minimum required resources, we recommend using Amazon IAM in conjunction with pre-existing S3 buckets. Here is an example policy which will allow the snapshot access to an S3 bucket named "snaps.example.com". This may be configured through the AWS IAM console, by creating a Custom Policy, and using a Policy Document similar to this (changing snaps.example.com to your bucket name).

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::snaps.example.com"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::snaps.example.com/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}

You may further restrict the permissions by specifying a prefix within the bucket, in this example, named "foo".

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "foo/*"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::snaps.example.com"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::snaps.example.com/foo/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}

The bucket needs to exist to register a repository for snapshots. If you did not create the bucket then the repository registration will fail. If you want elasticsearch to create the bucket instead, you can add the permission to create a specific bucket like this:

{
   "Action": [
      "s3:CreateBucket"
   ],
   "Effect": "Allow",
   "Resource": [
      "arn:aws:s3:::snaps.example.com"
   ]
}

Using other S3 endpointedit

If you are using any S3 api compatible service, you can set a global endpoint by setting cloud.aws.s3.endpoint to your URL provider. Note that this setting will be used for all S3 repositories.

Different endpoint, region and protocol settings can be set on a per-repository basis See S3 Repository for details.

AWS VPC Bandwidth Settingsedit

AWS instances resolve S3 endpoints to a public IP. If the elasticsearch instances reside in a private subnet in an AWS VPC then all traffic to S3 will go through that VPC’s NAT instance. If your VPC’s NAT instance is a smaller instance size (e.g. a t1.micro) or is handling a high volume of network traffic your bandwidth to S3 may be limited by that NAT instance’s networking bandwidth limitations.

Instances residing in a public subnet in an AWS VPC will connect to S3 via the VPC’s internet gateway and not be bandwidth limited by the VPC’s NAT instance.