Repository Settings
editRepository Settings
editThe s3
repository type supports a number of settings to customize how data is stored in S3.
These can be specified when creating the repository. For example:
PUT _snapshot/my_s3_repository { "type": "s3", "settings": { "bucket": "my_bucket_name", "another_setting": "setting_value" } }
The following settings are supported:
-
bucket
- The name of the bucket to be used for snapshots. (Mandatory)
-
client
-
The name of the s3 client to use to connect to S3. Defaults to
default
. -
base_path
-
Specifies the path within bucket to repository data. Defaults to
value of
repositories.s3.base_path
or to root directory if not set. Previously, the base_path could take a leading/
(forward slash). However, this has been deprecated and setting the base_path now should omit the leading/
. -
chunk_size
-
Big files can be broken down into chunks during snapshotting if needed.
The chunk size can be specified in bytes or by using size value notation,
i.e.
1gb
,10mb
,5kb
. Defaults to1gb
. -
compress
-
When set to
true
metadata files are stored in compressed format. This setting doesn’t affect index files that are already compressed by default. Defaults tofalse
. -
server_side_encryption
-
When set to
true
files are encrypted on server side using AES256 algorithm. Defaults tofalse
. -
buffer_size
-
Minimum threshold below which the chunk is uploaded using a single
request. Beyond this threshold, the S3 repository will use the
AWS Multipart Upload API
to split the chunk into several parts, each of
buffer_size
length, and to upload each part in its own request. Note that setting a buffer size lower than5mb
is not allowed since it will prevent the use of the Multipart API and may result in upload errors. It is also not possible to set a buffer size greater than5gb
as it is the maximum upload size allowed by S3. Defaults to the minimum between100mb
and5%
of the heap size. -
canned_acl
-
The S3 repository supports all S3 canned ACLs
:
private
,public-read
,public-read-write
,authenticated-read
,log-delivery-write
,bucket-owner-read
,bucket-owner-full-control
. Defaults toprivate
. You could specify a canned ACL using thecanned_acl
setting. When the S3 repository creates buckets and objects, it adds the canned ACL into the buckets and objects. -
storage_class
-
Sets the S3 storage class type for the backup files. Values may be
standard
,reduced_redundancy
,standard_ia
. Defaults tostandard
. Due to the extra complexity with the Glacier class lifecycle, it is not currently supported by the plugin. For more information about the different classes, see AWS Storage Classes Guide
Recommended S3 Permissions
editIn order to restrict the Elasticsearch snapshot process to the minimum required resources, we recommend using Amazon IAM in conjunction with pre-existing S3 buckets. Here is an example policy which will allow the snapshot access to an S3 bucket named "snaps.example.com". This may be configured through the AWS IAM console, by creating a Custom Policy, and using a Policy Document similar to this (changing snaps.example.com to your bucket name).
{ "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::snaps.example.com" ] }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::snaps.example.com/*" ] } ], "Version": "2012-10-17" }
You may further restrict the permissions by specifying a prefix within the bucket, in this example, named "foo".
{ "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions" ], "Condition": { "StringLike": { "s3:prefix": [ "foo/*" ] } }, "Effect": "Allow", "Resource": [ "arn:aws:s3:::snaps.example.com" ] }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::snaps.example.com/foo/*" ] } ], "Version": "2012-10-17" }
The bucket needs to exist to register a repository for snapshots. If you did not create the bucket then the repository registration will fail. If you want Elasticsearch to create the bucket instead, you can add the permission to create a specific bucket like this:
{ "Action": [ "s3:CreateBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::snaps.example.com" ] }
AWS VPC Bandwidth Settings
editAWS instances resolve S3 endpoints to a public IP. If the Elasticsearch instances reside in a private subnet in an AWS VPC then all traffic to S3 will go through that VPC’s NAT instance. If your VPC’s NAT instance is a smaller instance size (e.g. a t1.micro) or is handling a high volume of network traffic your bandwidth to S3 may be limited by that NAT instance’s networking bandwidth limitations.
Instances residing in a public subnet in an AWS VPC will connect to S3 via the VPC’s internet gateway and not be bandwidth limited by the VPC’s NAT instance.