Storage Profiles
Overview
Storage profiles provide organizations with the ability to customize the storage location and method for their blobs. A blob consists of Terraform/OpenTofu state files, code, and run artifacts such as logs. You can configure profiles through the API or by navigating to Account → Security → Storage Profiles in the Scalr UI. Storage profiles can be configured at the account level or per environment.
Storage Options
Scalr offers two primary storage models:
Scalr-Managed Storage (Default)
- Blobs are stored in a Scalr-managed bucket
- This is the default option for all accounts
- No additional configuration required
Customer-Managed Storage
Store your data in your own cloud storage:
- AWS S3 buckets
- GCP buckets
- Azure Storage accounts
This option is ideal when you require:
- Data storage within your own infrastructure
- Specific data residency requirements
What Gets Stored
When using customer-managed storage, the following objects are stored in your bucket:
- Terraform/OpenTofu state files
- Configuration file versions
- Plan JSON and binaries
- Terraform/OpenTofu logs
Configuration Guides
AWS S3 Storage Profile Configuration
Prerequisites
- An S3 bucket in AWS
- OIDC authentication setup
- IAM role with appropriate permissions
Setup Steps
-
Create S3 Bucket
- Create a bucket in AWS
- Ensure Scalr has access to the bucket
-
Configure OIDC Authentication
- In AWS IAM, add an identity provider:
- URL:
https://scalr.io - Create an appropriate audience value
- URL:
- In AWS IAM, add an identity provider:
-
Create IAM Role
- Select web identity and your OIDC provider
- Required permissions:
s3:ListBucket s3:GetObject s3:PutObject s3:DeleteObject - For KMS encryption, add:
kms:GenerateDataKey kms:Decrypt
-
Configure Trust Policy
Add the following to your role's trust policy:{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowScalrOIDCAccess", "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::111111111:oidc-provider/scalr.io" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "scalr.io:aud": "my-awesome-audience" }, "StringLike": { "scalr.io:sub": "scalr:account:example" } } } ] } -
Create Storage Profile
Use the Scalr UI or API to create the profile:
UI:
API:
POST {{host}}/api/iacp/v3/storage-profiles
{
"data": {
"type": "storage-profiles",
"attributes": {
"backend-type": "aws-s3",
"aws-s3-bucket-name": "example-aws-bucket",
"aws-s3-audience": "my-awesome-audience",
"aws-s3-region": "us-east-1",
"aws-s3-role-arn": "arn:aws:iam::123456789012:role/your-role-name",
"default": true,
"name": "aws-s3-storage-profile"
}
}
}
GCP Storage Profile Configuration
Prerequisites
- GCP bucket
- Service account with Storage Admin role
- Appropriate IAM permissions
Setup Steps
-
Create GCP Bucket
Recommended configuration:Location type: Multi-region Default storage class: Standard Public access: Subject to object ACLs Access control: Fine-grained Protection: Soft Delete Bucket retention: None Lifecycle rules: None Encryption: Google-managed -
Create Storage Profile
Use the Scalr UI or API to create the profile:
UI:
API:
POST {{host}}/api/iacp/v3/storage-profiles
{
"data": {
"type": "storage-profiles",
"attributes": {
"backend-type": "google",
"default": true,
"name": "gcp-storage-profile",
"google-storage-bucket": "your-bucket-name",
"google-project": "your-project-id",
"google-credentials": {
// Your GCP service account JSON key
}
}
}
}
AzureRM Storage Profile Configuration
Prerequisites
- Azure subscription with AzureRM permissions
- Azure AD application
- Federated credentials setup
Setup Steps
-
Create Azure AD Application
- Navigate to Azure Active Directory → App registrations
- Create new registration
- Note the Application (client) ID
-
Configure Federated Credentials
- Go to Certificates & secrets → Federated credentials
- Add credential with:
- Issuer:
https://scalr.io - Subject identifier:
scalr:account:<your-account-name> - Audience: Your OIDC audience value
- Name: Descriptive name (e.g., "Scalr-Federated-Credential")
- Issuer:
-
Grant Storage Access
- Navigate to your Storage Account
- Go to Access Control (IAM)
- Add role assignment:
- Role: Storage Blob Data Contributor
- Assign to: Your Azure AD application
-
Create Storage Profile
Use the Scalr UI or API to create the profile:
UI:
API:
POST {{host}}/api/iacp/v3/storage-profiles
{
"data": {
"type": "storage-profiles",
"attributes": {
"backend-type": "azurerm",
"name": "azure-storage-profile",
"default": true,
"azurerm-storage-account": "your-storage-account",
"azurerm-container-name": "your-container",
"azurerm-tenant-id": "your-tenant-id",
"azurerm-client-id": "your-client-id",
"azurerm-audience": "your-audience"
}
}
}
Environment-Specific Configuration
Storage profiles can be assigned to environments through the UI or API. It can be done either when creating the environment or updating:
Sample API call:
PATCH {{host}}/api/iacp/v3/environments/<environment-id>
{
"data": {
"attributes": {
"mask-sensitive-output": true,
"remote-backend": true,
"remote-backend-overridable": true
},
"relationships": {
"storage-profile": {
"data": {
"type": "storage-profiles",
"id": "<storage-profile-id>"
}
}
},
"type": "environments"
}
}
Important Limitations
Profile Updates
- After creating blob objects in a profile, only the profile name and credentials can be updated
- Other fields cannot be modified
Profile Deletion
- A storage profile cannot be deleted if it contains blob objects
- All objects must be removed before deletion
Profile Migration
- New blobs will use the new default profile
- Existing blobs are not automatically migrated
- Create a new profile and mark it as default to change storage for new objects
Updated 8 days ago