Object Storage
Object Storage integrations are reusable storage targets you register once at the account level and reuse across backups and other storage-backed workflows. Each target stores its bucket and connection metadata in Edka and its access credentials in Vault.
Open Integrations → Object Storage to manage these targets. The page lists your registered integrations and reports how many are connected.
Supported providers
When you add a target, you pick one provider. The provider determines which fields are required.
| Provider | Label | Use for |
|---|---|---|
| Amazon S3 | aws-s3 | AWS-managed buckets configured by bucket and region. |
| Azure Blob Storage | azure-blob | Azure Storage account and container using account key auth. |
| Google Cloud Storage | gcp-gcs | Bucket access backed by a Google Cloud service account JSON. |
| S3-Compatible | s3-compatible | MinIO, Wasabi, Ceph, Hetzner Object Storage, and similar APIs. |
Add a target
- Open Integrations → Object Storage.
- Select Add Integration.
- Choose a provider.
- Enter a Name — the internal label shown in the integrations list.
- Complete the provider-specific fields and credentials.
- Select Save Integration.
Adding, editing, and removing targets requires the admin role. Reading them requires account read access.
Required fields by provider
Every target requires a Name plus the provider fields below. Credentials are required when you create a target.
| Provider | Configuration fields | Credential fields |
|---|---|---|
| Amazon S3 | Bucket, Region | Access Key ID, Secret Access Key |
| Azure Blob Storage | Account Name, Container Name, Endpoint Suffix (core.windows.net) | Account Key |
| Google Cloud Storage | Bucket | Service Account JSON |
| S3-Compatible | Bucket, Endpoint URL, Force Path Style; Region optional | Access Key ID, Secret Access Key |
Notes verified against the create form and schema:
- Endpoint URL for S3 compatible targets must be a valid URL.
- Force Path Style is a toggle; enable it for providers that require path-style addressing. It defaults to off.
- Service Account JSON is the full Google Cloud service account key document. Edka reads the project_id and client_email from it for display.
- Endpoint Suffix for Azure defaults to core.windows.net if left blank.
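The following is an added example, not Edka's code: a pre-flight check for the S3-Compatible fields in the notes above, showing how Endpoint URL and Force Path Style change the URL a client requests. The function names, warning texts and hostnames are constructed for illustration, and Edka's own validation may differ.

```python
import re
from urllib.parse import quote, urlsplit

# S3 bucket naming rule (3-63 chars: lowercase letters, digits, dots, hyphens).
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def parse_endpoint(endpoint_url):
    """Parse an Endpoint URL, raising ValueError if it is not usable."""
    parts = urlsplit(endpoint_url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a valid http(s) URL: {endpoint_url!r}")
    if parts.username or parts.password:
        raise ValueError("endpoint URL must not embed credentials")
    if parts.query or parts.fragment:
        raise ValueError("endpoint URL must not carry a query or fragment")
    parts.port  # raises ValueError on a malformed or out-of-range port
    return parts


def object_url(endpoint_url, bucket, key, force_path_style=False):
    """Build the URL a client would request for bucket/key in the chosen style."""
    parts = parse_endpoint(endpoint_url)
    base = parts.path.rstrip("/")
    key = quote(key, safe="/")
    if force_path_style:
        # Path style: bucket is the first path segment; the host is unchanged.
        return f"{parts.scheme}://{parts.netloc}{base}/{bucket}/{key}"
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"bucket {bucket!r} cannot be used as a hostname label")
    # Virtual-hosted style: bucket becomes a subdomain of the endpoint host.
    return f"{parts.scheme}://{bucket}.{parts.netloc}{base}/{key}"


def review_target(endpoint_url, bucket, force_path_style=False):
    """Return warnings worth resolving before the target is saved."""
    parts = parse_endpoint(endpoint_url)
    host = parts.hostname
    warnings = []
    if parts.scheme == "http":
        warnings.append("plaintext endpoint: backup data is sent unencrypted")
    if not force_path_style and parts.scheme == "https" and "." in bucket:
        warnings.append("dotted bucket name breaks wildcard TLS certificate matching")
    if not force_path_style and (re.fullmatch(r"[\d.]+", host) or ":" in host):
        warnings.append("IP-literal endpoint cannot host bucket subdomains; use path style")
    return warnings
```
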
Where targets are consumed
Object storage targets are selected by other workflows rather than used directly from this page:
- Agent state backups. Hermes agent state backups are written to a selected object storage integration on a schedule, configured per agent.
- PostgreSQL database backups. Managed PostgreSQL backups can write to a selected object storage integration.
Backup uploads use a presigned multipart strategy for Amazon S3 and S3 compatible targets. Google Cloud Storage is supported for agent state backups, while Azure Blob Storage is not yet supported as a PostgreSQL backup target.
Credentials and safety
- Credentials are written to Vault, never stored in the integrations table, and are never shown again after you save them.
- To rotate credentials when editing a target, enable Rotate credentials and enter new values. Leaving rotation off keeps the stored secret unchanged.
- The provider of an existing target cannot be changed. To switch providers, remove the target and add a new one.
- Removing a target deletes both the database record and its stored credentials in Vault. Workflows still referencing it will lose access.