Get a Quote     (408) 943-4100               TrueNAS Discord      VendOp_Icon_15x15px   Commercial Support Toggle between Light and Dark mode
TrueNAS.com Software Systems Company Community Security iX Portal Download

  1. Documentation Hub
  2. /
  3. TrueNAS SCALE
  4. /
  5. SCALE Tutorials
  6. /
  7. Credentials
  8. /
  9. Backup Credentials
  10. /
  11. Adding Cloud Credentials
Edit this page

Adding Cloud Credentials

  9 minute read.

Last Modified 2022-10-12 11:49 -0400

The Cloud Credentials widget on the Backup Credentials screen allows users to integrate TrueNAS with cloud storage providers.

To maximize security, TrueNAS encrypts cloud credentials when saving them. However, this means that to restore any cloud credentials from a TrueNAS configuration file, you must enable Export Password Secret Seed when generating that configuration backup. Remember to protect any downloaded TrueNAS configuration files.

TrueNAS SCALE supports linking to 18 cloud storage providers. Authentication methods for each provider could differ based on the provider security requirements. You can add credentials for many of the supported cloud storage providers from the information on the Cloud Credentials Screens. This article provides instructions for the more involved providers.

Before You Begin

We recommend users open another browser tab to open and log into the cloud storage provider account you intend to link with TrueNAS.

Some providers require additional information that they generate on the storage provider account page. For example, saving an Amazon S3 credential on TrueNAS could require logging in to the S3 account and generating an access key pair found on the Security Credentials > Access Keys page.

Have any authentication information your cloud storage provider requires on-hand to make the process easier. Authentication information could include but are not limited to user credentials, access tokens, and access and security keys.

Adding Cloud Credentials

To set up a cloud credential, go to Credentials > Backup Credentials and click Add in the Cloud Credentials widget.

  1. Enter a credential name.

CloudCredentialsAdd

  1. Select the cloud service from the Provider dropdown list. The provider required authentication option settings display.

    For details on each provider authentication settings see Cloud Credentials Screens.

  2. Click Verify Credentials to test the entered credentials and verify they work.

  3. Click Save.

Adding Amazon S3 Cloud Credentials

If adding an Amazon S3 cloud credential, you can use the default authentication settings or use advanced settings if you want to include endpoint settings.

After entering a name and leaving Amazon S3 as the Provider setting:

  1. Open a web browser tab to Amazon AWS.

  2. Navigate to My account > Security Credentials > Access Keys to obtain the Amazon S3 secret access key ID. Access keys are alphanumeric and between 5 and 20 characters.

    If you cannot find or remember the secret access key, go to My Account > Security Credentials > Access Keys and create a new key pair.

  3. Enter or copy/paste the access key into Access Key ID.

  4. Enter or copy/paste the Amazon Web Services alphanumeric password that is between 8 and 40 characters into Secret Access Key

  5. (Optional) Enter a value to define the maximum number of chunks for a multipart upload in Maximum Upload Ports. Setting a maximum is necessary if a service does not support the 10,000 chunk AWS S3 specification.

  6. (Optional) Select Advanced Settings to display the endpoint settings.

    a. Enter the S3 API endpoint URL in Endpoint URL.

    To use the default endpoint for the region and automatically fetch available buckets leave this field blank. For more information refer to the AWS Documentation for a list of Simple Storage Service Website Endpoints.

    b. Enter an AWS resources in a geographic area in Region.

    To detect the correct public region for the selected bucket leave the field blank. Entering a private region name allows interacting with Amazon buckets created in that region.

    c. (Optional) Configure a custom endpoint URL. Select Disable Endpoint Region.

    d. (Optional) Select User Signature Version 2 to force using signature version 2 with the custom endpoint URL.
    For more information on using this to sign API requests see Signature Version 2.

  7. Click Verify Credentials to check your credentials for any issues.

  8. Click Save

Adding Cloud Credentials that Authenticate with OAuth

Cloud storage providers using OAuth as an authentication method are Box, Dropbox, Google Drive, Google Photo, pCloud and Yandex.

After logging into the provider with the OAuth credentials, the provider provides the access token. Google Drive and pCloud use one more setting to authenticate credentials.

  1. Enter the name and select the cloud storage provider from the Provider dropdown list.

  2. Enter the provider account email in OAuth Client ID and the password for that user account in OAuth Client Secret.

  3. Click Log In To Provider. The Authentication window opens. Click Proceed to open the OAuth credential account sign in window.

    Yandex displays a cookies message you must accept before you can enter credentials.

    Enter the provider account user name and password to verify the credentials.

  4. (Optional) Enter the value for any additional authentication method. For pCloud, enter the pCloud host name for the host you connect to in Hostname. For Google Drive when connecting to Team Drive, enter the Google Drive top-level folder ID.

  5. If not populated by the provider after OAuth authentication, enter the access token from the provider. Obtaining the access token varies by provider.

    Provider Access Token
    Box For more information the user acess token for Box click here. An access token enables Box to verify a request belongs to an authorized session. Example token: T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl.
    Dropbox Create an access token from the Dropbox account.
    Google Drive The authentication process creates the token for Google Drive and populates the Access Token field automatically. Access tokens expire periodically, so you must refresh them.
    Google Photo does not used an access token.
    pCloud Create the pCloud access token here. These tokens can expire and require an extension.
    Yandex Create the Yandex access token here.

  6. Click Verify Credentials to make sure you can connect with the entered credentials.

  7. Click Save.

Adding BackBlaze B2 Cloud Credentials

BackBlaze B2 uses an application key and key ID to authenticate credentials.

From the Cloud Credentials widget, click Add and then:

  1. Enter the name and select BackBlaze B2 from the Provider dropdown list.

  2. Log into the BackBlaze account, go to App Keys page and add a new application key. Copy and past this into Key ID.

  3. Generate a new application key on the BackBlaze B2 website. From the App Keys page, add a new application key. Copy the application Key string Application Key.

  4. Click Verify Credentials.

  5. Click Save.

Adding Google Cloud Storage Credentials

Google Cloud Storage uses a service account json file to authenticate credentials.

From the Cloud Credentials widget, click Add and then:

  1. Enter the name and select Google Cloud Storage from the Provider dropdown list.

  2. Go to your Google Cloud Storage website to download this file to the TrueNAS SCALE server. The Google Cloud Platform Console creates the file.

  3. Upload the json file to Preview JSON Service Account Key using Choose File to browse the server to locate the downloaded file.
    For help uploading a Google Service Account credential file click here.

  4. Click Verify Credentials.

  5. Click Save.

Adding Microsoft OneDrive Cloud Credentials

Microsoft OneDrive Cloud uses OAuth authentication, an access token, and Drives list, account type and IDs to authenticate credentials.

From the Cloud Credentials widget, click Add and then:

  1. Enter the name and select Google Cloud Storage from the Provider dropdown list.

  2. Enter your account credentials in OAuth Client ID and OAuth Client Secret. Click Log In To Provider. Click Proceed on the Authentication window, and then enter your user credentials on the sign in screen.

  3. Enter the token generated by the Microsoft OneDrive website through the OAuth authentication in Access Token if not populated by this process. For help with the authentication token click Microsoft Onedrive Access Token.

  4. Enter the Microsoft OneDrive drive information.

    a. Select the drive(s) from the Drives List dropdown options of drives and IDs registered to the Microsoft account. This should populate Drive ID.

    b. Select the Microsoft account type from the Drive Account Type dropdown options.

    c. Enter the unique drive identifier in Drive ID if not already populated by selecting the drive(s) in Drives List. If necessary to add valid drive IDs, from your Microsoft account and choose a drive from the Drives List dropdown list.

  5. Click Verify Credentials.

  6. Click Save.

Adding OpenStack Swift Cloud Credentials

OpenStack Swift authentication credentials change based on selections made in AuthVersion. All options use the user name, API key or password and authentication URL, and can use the optional endpoint settings.

For more information on OpenStack Swift settings see rclone documentation.

From the Cloud Credentials widget, click Add and then:

  1. Enter the name and select OpenStack Swift from the Provider dropdown list.

  2. Enter your OpenStack OS_USERNAME from an OpenStack credentials file in User Name.

  3. Enter the OS_PASSWORD from an OpenStack credentials file in API Key or Password.

  4. (Optional) Select the version from the AuthVersion. For more information see rclone documentation. If set to v3 the Advanced Options settings display.

    a. (Optional) Enter the user ID to log into OpenStack. Leave blank to log into most Swift systems. (Optional) Enter the User Domain.

    b. (Required) Enter the OS_TENANT_NAME from an OpenStack credentials file in Tenant Name.

    c. Enter the ID in Tenant ID. Required for v2 and v3. (Optional) Enter a Tenant Domain.

    d. (Optional) Enter the alternative authentication token in Auth Token.

  5. (Optional) Enter endpoint settings.

    a. Enter a region name in Region Name

    b. (Optional) Enter the URL in Storage URL.

    c. (Optional) Select service catalogue option from the Endpoint Type dropdown. Options are Public, Internal and Admin. Public is recommended.

  6. Click Verify Credentials.

  7. Click Save.

Using Automatic Authentication

Some providers can automatically populate the required authentication strings by logging in to the account. To automatically configure the credential, click Login to Provider and entering your account user name and password.

AutomaticAuthenticationSCALE

We recommend verifying the credential before saving it.

Related Content

Related Backup Articles