Get a Quote   (408) 943-4100               TrueNAS Discord      VendOp_Icon_15x15px   Commercial Support Toggle between Light and Dark mode

Cloud Credentials

  6 minute read.

Last Modified 2021-03-17 18:59 EDT

To begin integrating TrueNAS with a Cloud Storage provider, register the account credentials on the system. After saving any credentials, a Cloud Sync Task allows sending or receiving data from that Cloud Storage Provider.

Saving a Cloud Storage Credential

Transferring data from TrueNAS to the Cloud requires saving Cloud Storage Provider credentials on the system.

To maximize security, these credentials are encrypted when saved. However, this means that to restore any cloud credentials from a TrueNAS configuration file, you must enable Export Password Secret Seed when generating that configuration backup. Remember to protect any downloaded TrueNAS configuration files.

It is recommended to have another browser tab open and logged in to the Cloud Storage Provider account you intend to link with TrueNAS. Some providers require additional information that is generated on the storage provider account page. For example, saving an Amazon S3 credential on TrueNAS could require logging in to the S3 account and generating an access key pair on the Security Credentials > Access Keys page.

To save cloud storage provider credentials, go to System > Cloud Credentials and click Add.


Enter a credential Name and choose a Provider. The rest of the options change according to the chosen Provider:

Access Key IDAmazon Web Services Key ID. This is found on Amazon AWS by going through My account > Security Credentials > Access Keys (Access Key ID and Secret Access Key). Must be alphanumeric and between 5 and 20 characters.
Secret Access KeyAmazon Web Services password. If the Secret Access Key cannot be found or remembered, go to My Account > Security Credentials > Access Keys and create a new key pair. Must be alphanumeric and between 8 and 40 characters.
Maximum Upload PortsDefine the maximum number of chunks for a multipart upload. This can be useful if a service does not support the 10,000 chunk AWS S3 specification.

Amazon S3 Advanced Options

Endpoint URLS3 API endpoint URL. When using AWS, the endpoint field can be empty to use the default endpoint for the region, and available buckets are automatically fetched. Refer to the AWS Documentation for a list of Simple Storage Service Website Endpoints.
RegionAWS resources in a geographic area. Leave empty to automatically detect the correct public region for the bucket. Entering a private region name allows interacting with Amazon buckets created in that region. For example, enter us-gov-east-1 to discover buckets created in the eastern AWS GovCloud region.
Disable Endpoint RegionSkip automatic detection of the Endpoint URL region. Set this when configuring a custom Endpoint URL.
User Signature Version 2Force using Signature Version 2 to sign API requests. Set this when configuring a custom Endpoint URL.
Key IDAlphanumeric Backblaze B2 Application Key ID. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the application keyID string to this field.
Application KeyBackblaze B2 Application Key. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the applicationKey string to this field.
Access TokenA User Access Token for Box. An access token enables Box to verify a request belongs to an authorized session. Example token: T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl.
Access TokenAccess Token for a Dropbox account. A token must be generated by the Dropbox account before adding it here.
HostFTP Host to connect to. Example:
PortFTP Port number. Leave blank to use the default port 21.
UsernameA username on the FTP Host system. This user must already exist on the FTP Host.
PasswordPassword for the user account.
Preview JSON Service Account KeyContents of the uploaded Service Account JSON file.
Choose FileUpload a Google Service Account credential file. The file is created with the Google Cloud Platform Console.
Access TokenToken created with Google Drive. Access Tokens expire periodically and must be refreshed.
Team Drive IDOnly needed when connecting to a Team Drive. The ID of the top level folder of the Team Drive.
Access TokenAccess Token generated by a Hubic account.
UsernameMEGA account username.
PasswordMEGA account password.
Account NameMicrosoft Azure account name.
Account KeyBase64 encoded key for Azure Account
Access TokenMicrosoft Onedrive Access Token. Log in to the Microsoft account to add an access token.
Drives ListDrives and IDs registered to the Microsoft account. Selecting a drive also fills the Drive ID field.
Drive Account TypeType of Microsoft acount. Logging in to a Microsoft account automatically chooses the correct account type. Options: Personal, Business, Document_Library
Drive IDUnique drive identifier. Log in to a Microsoft account and choose a drive from the Drives List drop-down to add a valid ID.
User NameOpenstack user name for login. This is the OS_USERNAME from an OpenStack credentials file.
API Key or PasswordOpenstack API key or password. This is the OS_PASSWORD from an OpenStack credentials file.
Authentication URLAuthentication URL for the server. This is the OS_AUTH_URL from an OpenStack credentials file.
Auth VersionAuthVersion - optional - set to (1,2,3) if your auth URL has no version (rclone documentation).
Authentication Advanced Options
Tenant NameThis is the OS_TENANT_NAME from an OpenStack credentials file.
Tenant IDTenant ID - optional for v1 auth, this or tenant required otherwise (rclone documentation).
Auth TokenAuth Token from alternate authentication - optional (rclone documentation).

Advanced Options

Region NameRegion name - optional (rclone documentation).
Storage URLStorage URL - optional (rclone documentation).
Endpoint TypeEndpoint type to choose from the service catalogue. Public is recommended, see the rclone documentation.
Access TokenpCloud Access Token. These tokens can expire and require extension.
HostnameEnter the hostname to connect to.
HostSSH Host to connect to.
PortSSH port number. Leave empty to use the default port 22.
UsernameSSH Username.
PasswordPassword for the SSH Username account.
Private Key IDImport the private key from an existing SSH keypair or select Generate New to create a new SSH key for this credential.
URLURL of the HTTP host to connect to.
WebDav ServiceName of the WebDAV site, service, or software being used.
UsernameWebDAV account username.
PasswordWebDAV account password.
Access TokenYandex Access Token.

Enter the required Authentication strings to enable saving the credential.

Automatic Authentication

Some providers can automatically populate the required Authentication strings by logging in to the account. To automatically configure the credential, click Login to Provider and entering your account username and password.


It is recommended to verify the credential before saving it.