diff --git a/media/tidb-cloud/changefeed/sink-to-cloud-storage-s3-endpoint.jpg b/media/tidb-cloud/changefeed/sink-to-cloud-storage-s3-endpoint.jpg deleted file mode 100644 index 02da980633bbf..0000000000000 Binary files a/media/tidb-cloud/changefeed/sink-to-cloud-storage-s3-endpoint.jpg and /dev/null differ diff --git a/tidb-cloud/changefeed-sink-to-cloud-storage.md b/tidb-cloud/changefeed-sink-to-cloud-storage.md index 30cbff2fe4b79..cf4777ad9a2ec 100644 --- a/tidb-cloud/changefeed-sink-to-cloud-storage.md +++ b/tidb-cloud/changefeed-sink-to-cloud-storage.md @@ -20,14 +20,46 @@ This document describes how to create a changefeed to stream data from TiDB Clou ## Step 1. Configure destination -Navigate to the cluster overview page of the target TiDB cluster. Click **Data** > **Changefeed** in the left navigation pane, click **Create Changefeed**, and select **Amazon S3**, **GCS**, or **Azure Blob Storage** as the destination. The configuration process varies depend on the destination you choose. +Navigate to the cluster overview page of the target TiDB cluster. Click **Data** > **Changefeed** in the left navigation pane, click **Create Changefeed** to go to the **Configure Destination** page, and then select **Amazon S3**, **GCS**, or **Azure Blob Storage** as the destination. The configuration process varies depending on the destination you choose.
-For **Amazon S3**, fill the **S3 Endpoint** area: `S3 URI`, `Access Key ID`, and `Secret Access Key`. Make the S3 bucket in the same region with your TiDB cluster. +For **Amazon S3**, you can use either **AWS Role ARN** or **AWS access key** for authentication. Using **AWS Role ARN** is recommended for stronger security and easier management. -![s3_endpoint](/media/tidb-cloud/changefeed/sink-to-cloud-storage-s3-endpoint.jpg) +**Option 1: AWS Role ARN (recommended)** + +To use an IAM Role for authentication, follow these steps: + +1. On the **Configure Destination** page for Amazon S3, enter the **S3 URI**. Make sure that the S3 bucket is in the same AWS region as your TiDB cluster. +2. Under **Bucket Access**, select **AWS Role ARN**. +3. To create a new Role ARN, click **Click here to create new one with AWS CloudFormation**. This template automatically configures the required permissions. + + If you prefer to create the role manually, click **Create Role ARN manually** to view the TiDB Cloud account information and the required policy. + +4. Ensure your IAM role has at least the following permissions for the target bucket: + + - `s3:ListBucket` + - `s3:PutObject` + - `s3:GetObject` + - `s3:DeleteObject` + +5. Paste the generated **Role ARN** into the corresponding field. + +**Option 2: AWS access key** + +> **Note:** +> +> Using an access key and secret key (AK/SK) requires manual credential management and rotation, which increases security risks. For stronger security, it is recommended to use **AWS Role ARN** instead. + +To use an access key for authentication, follow these steps: + +1. On the **Configure Destination** page for Amazon S3, enter the **S3 URI**. Make sure that the S3 bucket is in the same AWS region as your TiDB cluster. +2. Under **Bucket Access**, select **AWS Access Key**. +3. Fill in the following fields: + + - **Access Key ID** + - **Secret Access Key**
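Review bot: step 4 of Option 1 lists IAM actions without the resources they apply to, so a reader who takes the "Create Role ARN manually" path is likely to write a policy on `"Resource": "*"`. `s3:ListBucket` is evaluated against the bucket ARN while `s3:PutObject`, `s3:GetObject` and `s3:DeleteObject` are evaluated against object ARNs, so the manual policy needs two statements, `"Resource": "arn:aws:s3:::<bucket>"` for `s3:ListBucket` and `"Resource": "arn:aws:s3:::<bucket>/*"` for the three object actions; a short example policy scoped to the bucket from the S3 URI entered in step 1 would make this concrete and keep the role at least privilege. The same step says nothing about the role's trust policy: since step 3 points at "the TiDB Cloud account information", the role has to allow that account to assume it, and a Role ARN pasted in step 5 without that trust relationship will fail, so the trust policy belongs next to the permission list. It would also help to state why `s3:DeleteObject` is needed for a sink that writes changefeed files, given that the note recommends this option "for stronger security". Minor: step 2 of Option 2 says **AWS Access Key** while the option heading and the note say **AWS access key**; use one spelling for the UI label.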