Storage Profiles

Overview

Storage profiles provide organizations with the ability to customize the storage location and method for their blobs. A blob consists of Terraform/OpenTofu state files, code, and run artifacts such as logs. You can configure profiles through the API or by navigating to Account → Security → Storage Profiles in the Scalr UI. Storage profiles can be configured at the account level or per environment.

Storage Options

Scalr offers two primary storage models:

Scalr-Managed Storage (Default)

  • Blobs are stored in a Scalr-managed bucket
  • This is the default option for all accounts
  • No additional configuration required

Customer-Managed Storage

Store your data in your own cloud storage:

  • AWS S3 buckets
  • GCP buckets
  • Azure Storage accounts

This option is ideal when you require:

  • Data storage within your own infrastructure
  • Specific data residency requirements

What Gets Stored

When using customer-managed storage, the following objects are stored in your bucket:

  • Terraform/OpenTofu state files
  • Configuration file versions
  • Plan JSON and binaries
  • Terraform/OpenTofu logs

Configuration Guides

AWS S3 Storage Profile Configuration

Prerequisites

  1. An S3 bucket in AWS
  2. OIDC authentication setup
  3. IAM role with appropriate permissions

Setup Steps

  1. Create S3 Bucket

    • Create a bucket in AWS
    • Ensure Scalr has access to the bucket
  2. Configure OIDC Authentication

    • In AWS IAM, add an identity provider:
      • URL: https://scalr.io
      • Create an appropriate audience value
  3. Create IAM Role

    • Select web identity and your OIDC provider
    • Required permissions:
      s3:ListBucket
      s3:GetObject
      s3:PutObject
      s3:DeleteObject
      
    • For KMS encryption, add:
      kms:GenerateDataKey
      kms:Decrypt
      
  4. Configure Trust Policy
    Add the following to your role's trust policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowScalrOIDCAccess",
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::123456789012:oidc-provider/scalr.io"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "scalr.io:aud": "my-awesome-audience"
                    },
                    "StringLike": {
                        "scalr.io:sub": "scalr:account:example"
                    }
                }
            }
        ]
    }
    
  5. Create Storage Profile
    Use the Scalr UI or API to create the profile:

API:

POST {{host}}/api/iacp/v3/storage-profiles
{
  "data": {
    "type": "storage-profiles",
    "attributes": {
      "backend-type": "aws-s3",
      "aws-s3-bucket-name": "example-aws-bucket",
      "aws-s3-audience": "my-awesome-audience",
      "aws-s3-region": "us-east-1",
      "aws-s3-role-arn": "arn:aws:iam::123456789012:role/your-role-name",
      "default": true,
      "name": "aws-s3-storage-profile"
    }
  }
}
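
The role from steps 3 and 4 can be checked before the profile is created. The following is an added example, not Scalr's own code: it builds a permissions policy holding only the actions listed above, scoped to one bucket and optionally one KMS key, and lints a trust policy for web-identity statements that do not constrain both scalr.io:aud and scalr.io:sub. The function names, the Sid values and the constructed sample policy are assumptions made for illustration.

```python
# Constructed sample: the page's trust policy with the "sub" condition left out.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowScalrOIDCAccess", "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/scalr.io"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"scalr.io:aud": "my-awesome-audience"}}}]}


def permissions_policy(bucket, kms_key_arn=None):
    """Role policy with only the actions the page lists, scoped to one bucket."""
    statements = [
        {"Sid": "ListBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]
    if kms_key_arn:  # only when the bucket is encrypted with a KMS key
        statements.append({"Sid": "BucketKmsKey", "Effect": "Allow", "Resource": kms_key_arn,
                           "Action": ["kms:GenerateDataKey", "kms:Decrypt"]})
    return {"Version": "2012-10-17", "Statement": statements}


def as_list(value):
    return value if isinstance(value, list) else [value]


def values_for(condition, operator, key):
    """Values one operator block sets for a condition key (keys are case-insensitive)."""
    block = condition.get(operator, {})
    return [v for k, val in block.items() if k.lower() == key for v in as_list(val)]


def lint_trust_policy(policy, provider="scalr.io"):
    """Flag web-identity Allow statements that do not pin both aud and sub."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition", {})
        for claim in ("aud", "sub"):
            key = f"{provider}:{claim}"
            like = values_for(cond, "StringLike", key)
            if not like and not values_for(cond, "StringEquals", key):
                findings.append(f"{sid}: {key} is not constrained")
            elif any(v == "*" or v.startswith("scalr:account:*") for v in like):
                findings.append(f"{sid}: {key} wildcard accepts any account")
    return findings
```

The trust policy shown in step 4 produces no findings; the constructed WEAK_TRUST sample is reported because any token carrying the right audience could assume the role.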

GCP Storage Profile Configuration

Prerequisites

  1. GCP bucket
  2. Service account with Storage Admin role
  3. Appropriate IAM permissions

Setup Steps

  1. Create GCP Bucket
    Recommended configuration:

    Location type:         Multi-region
    Default storage class: Standard
    Public access:         Subject to object ACLs
    Access control:        Fine-grained
    Protection:            Soft Delete
    Bucket retention:      None
    Lifecycle rules:       None
    Encryption:            Google-managed
    
  2. Create Storage Profile
    Use the Scalr UI or API to create the profile:

API:

  POST {{host}}/api/iacp/v3/storage-profiles
  {
    "data": {
      "type": "storage-profiles",
      "attributes": {
        "backend-type": "google",
        "default": true,
        "name": "gcp-storage-profile",
        "google-storage-bucket": "your-bucket-name",
        "google-project": "your-project-id",
        "google-credentials": {
          // Your GCP service account JSON key
        }
      }
    }
  }
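
With the recommended bucket settings (fine-grained access control, public access subject to object ACLs), public principals are not blocked at the bucket level, so it is worth confirming that nothing grants them access to a bucket holding state files. The following is an added example, not Scalr's own code: it inspects a bucket resource and its IAM policy in the shape returned by the Cloud Storage JSON API and lists any grant to allUsers or allAuthenticatedUsers. The sample inputs, including the service account address, are constructed; ACLs set on individual objects are not covered and need a per-object check.

```python
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample inputs in the shape of the Cloud Storage JSON API:
# a bucket resource (buckets.get, projection=full) and its IAM policy.
SAMPLE_BUCKET = {
    "name": "your-bucket-name",
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": False}},
    "acl": [{"entity": "project-owners-000000000000", "role": "OWNER"}],
    "defaultObjectAcl": [{"entity": "allUsers", "role": "READER"}],
}
SAMPLE_IAM = {"bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:scalr@your-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
]}


def public_exposure(bucket, iam_policy):
    """List every grant that lets a public principal reach blobs in the bucket."""
    iam_cfg = bucket.get("iamConfiguration", {})
    if iam_cfg.get("publicAccessPrevention") == "enforced":
        return []  # public grants are blocked outright, whatever the ACLs say
    findings = []
    # Fine-grained access control: bucket ACL and the default ACL copied to new objects
    for field in ("acl", "defaultObjectAcl"):
        for entry in bucket.get(field, []):
            if entry.get("entity") in PUBLIC_PRINCIPALS:
                findings.append(f"{field}: {entry['entity']} has {entry.get('role')}")
    # Bucket-level IAM bindings apply regardless of the ACL mode
    for binding in iam_policy.get("bindings", []):
        for member in sorted(PUBLIC_PRINCIPALS & set(binding.get("members", []))):
            findings.append(f"iam: {member} has {binding.get('role')}")
    return findings


if __name__ == "__main__":
    for finding in public_exposure(SAMPLE_BUCKET, SAMPLE_IAM):
        print(finding)
```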

AzureRM Storage Profile Configuration

Prerequisites

  1. Azure subscription with AzureRM permissions
  2. Azure AD application
  3. Federated credentials setup

Setup Steps

  1. Create Azure AD Application

    • Navigate to Azure Active Directory → App registrations
    • Create new registration
    • Note the Application (client) ID
  2. Configure Federated Credentials

    • Go to Certificates & secrets → Federated credentials
    • Add credential with:
      • Issuer: https://scalr.io
      • Subject identifier: scalr:account:<your-account-name>
      • Audience: Your OIDC audience value
      • Name: Descriptive name (e.g., "Scalr-Federated-Credential")
  3. Grant Storage Access

    • Navigate to your Storage Account
    • Go to Access Control (IAM)
    • Add role assignment:
      • Role: Storage Blob Data Contributor
      • Assign to: Your Azure AD application
  4. Create Storage Profile

    Use the Scalr UI or API to create the profile:

API:

POST {{host}}/api/iacp/v3/storage-profiles
{
  "data": {
    "type": "storage-profiles",
    "attributes": {
      "backend-type": "azurerm",
      "name": "azure-storage-profile",
      "default": true,
      "azurerm-storage-account": "your-storage-account",
      "azurerm-container-name": "your-container",
      "azurerm-tenant-id": "your-tenant-id",
      "azurerm-client-id": "your-client-id",
      "azurerm-audience": "your-audience"
    }
  }
}

Environment-Specific Configuration

Storage profiles can be assigned to environments through the UI or API, either when the environment is created or when it is updated.

Sample API call:

PATCH {{host}}/api/iacp/v3/environments/<environment-id>
{
  "data": {
    "attributes": {
      "mask-sensitive-output": true,
      "remote-backend": true,
      "remote-backend-overridable": true
    },
    "relationships": {
      "storage-profile": {
        "data": {
          "type": "storage-profiles",
          "id": "<storage-profile-id>"
        }
      }
    },
    "type": "environments"
  }
}

Important Limitations

Profile Updates

  • After creating blob objects in a profile, only the profile name and credentials can be updated
  • Other fields cannot be modified

Profile Deletion

  • A storage profile cannot be deleted if it contains blob objects
  • All objects must be removed before deletion

Profile Migration

  • New blobs will use the new default profile
  • Existing blobs are not automatically migrated
  • Create a new profile and mark it as default to change storage for new objects