snapr

    S3

    type: s3 — upload to AWS S3 or any S3-compatible service (MinIO, Wasabi, Backblaze B2 with S3 API, Cloudflare R2, etc.).

    Prerequisites

    • No external binaries required — snapr uses the AWS SDK directly.
    • Credentials need s3:PutObject, s3:ListBucket, s3:DeleteObject (for retention), and s3:GetObject (for the UI download feature).

    Fields

    FieldTypeRequiredNotes
    types3yes
    namestringyesidentifier; unique within the job
    bucketstringyes
    regionstringyes
    accessKeyIdstringyesuse env:
    secretAccessKeystringyesuse env:
    endpointstringnocustom endpoint for non-AWS providers. Setting this also enables path-style addressing.
    pathstringnoobject key prefix. Archives are stored at <path>/<jobName>/<archive> (see Storages → On-disk layout).
    storageClassstringnoone of STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR, SNOW, EXPRESS_ONEZONE. Default STANDARD.
    downloadModestringnoproxy (default) — snapr streams the archive through itself. signed — snapr issues a presigned S3 URL and the browser fetches directly.
    signedUrlTTLintnolifetime of presigned URLs in seconds (60–86400, default 900). Only used when downloadMode: signed.

    Example — AWS

    storages:
  - type: s3
    name: aws-cold
    bucket: backups
    region: us-east-1
    accessKeyId: env:S3_KEY
    secretAccessKey: env:S3_SECRET
    path: snapr/postgres
    storageClass: STANDARD_IA

    Example — MinIO

    storages:
  - type: s3
    name: minio
    bucket: backups
    region: us-east-1
    endpoint: https://minio.internal:9000
    accessKeyId: env:MINIO_KEY
    secretAccessKey: env:MINIO_SECRET

    Download mode

    By default snapr proxies download responses through its HTTP server. Set downloadMode: signed to have the API return a presigned S3 GET URL — the browser then fetches directly from S3 without going through snapr.

    storages:
  - type: s3
    name: aws-cold
    bucket: backups
    region: us-east-1
    accessKeyId: env:S3_KEY
    secretAccessKey: env:S3_SECRET
    downloadMode: signed
    signedUrlTTL: 1800

    When to use signed:

    • snapr runs on a small instance and would saturate its bandwidth proxying large archives.
    • The client and the S3 endpoint share a faster network path than client → snapr → S3.
    • You want CDN-style edge delivery (works with S3 Transfer Acceleration / CloudFront origins).

    Trade-offs:

    • Each signed URL contains short-lived auth in query params. Shorten signedUrlTTL (≥ 60 s) if URLs may end up in proxy/access logs.
    • The browser must reach the S3 endpoint directly. For private MinIO setups make sure the endpoint hostname is resolvable from the user's network and CORS is configured on the bucket.
    • For split snapshots, per-part download still works (each part is its own redirect) but the "Download full archive" option is hidden in the UI — one HTTP redirect cannot represent N parts. Use downloadMode: proxy if full-archive streaming matters.

    signed is only valid for type: s3. The config validator rejects it on other backends.

    Notes

    • For non-AWS providers, set endpoint to the service URL — path-style addressing is enabled automatically.
    • storageClass is forwarded as the x-amz-storage-class header. Providers that don't recognise the value will fall back to their default.