Use Backblaze B2 Terraform
    • Dark

    Use Backblaze B2 Terraform

    • Dark

    Article Summary

    Terraform is an open-source infrastructure as code (IaC) tool that was developed by HashiCorp. Instead of using imperative commands (step-by-step instructions), Terraform uses declarative code, “here’s what I want.” 

    The Backblaze B2 Cloud Storage Terraform provider lets you create and manage application keys, buckets, and upload files.

    To use the Backblaze B2 Terraform provider, you must download a Terraform binary. You can find the appropriate binary for your platform here.

    Enable Backblaze B2

    Before you begin: You must have a Backblaze B2 Cloud Storage account. You can sign up here. If you already have a Backblaze account and the left navigation menu contains a B2 Cloud Storage section, your account is already enabled for Backblaze B2.

    1. Sign in to your Backblaze account.
    2. In the left navigation menu under Account, click My Settings.
    3. Under Enabled Products, select the checkbox to enable B2 Cloud Storage.
    4. Review the Terms and Conditions, and click OK to accept them. 

    Create an Application Key in the Backblaze Web UI

    Application keys control access to your Backblaze B2 Cloud Storage account and the buckets that are contained in your account.

    1. Sign in to your Backblaze account.
    2. In the left navigation menu under Account, click Application Keys.
    3. Click Add a New Application Key, and enter an app key name.
          You cannot search an app key by this name; therefore, app key names are not required to be globally unique.
    4. Select All or a specific bucket in the Allow Access to Bucket(s) dropdown menu.
    5. Optionally, select your access type (Read and Write, Read Only, or Write Only).
    6. Optionally, select the Allow List All Bucket Names checkbox (required for the B2 Native API b2_list_buckets and the S3-Compatible API S3 List Buckets operations).
    7. Optionally, enter a file name prefix to restrict application key access only to files with that prefix. Depending on what you selected in step #4, this limits application key access to files with the specified prefix for all buckets or just the selected bucket.
    8. Optionally, enter a positive integer to limit the time, in seconds, before the application key expires. The value must be less than 1000 days (in seconds).
    9. Click Create New Key, and note the resulting keyID and applicationKey values.
    When you create a new app key, the response contains the actual key string, for example N2Zug0evLcHDlh_L0Z0AJhiGGdY. You can always find the keyID on this page, but for security, the applicationKey appears only once. Make sure you copy and securely save this value elsewhere.

    Create an Application Key using Terraform

    1. Enter the following code changing the values as appropriate:
      terraform {
        required_version = ">= 0.13"
        required_providers {
          b2 = {
            source  = "Backblaze/b2"
            version = "~> 0.2"
      provider "b2" {
      resource "b2_application_key" "example" {
        key_name     = "test-b2-tfp-0000000000000000000"
        capabilities = ["readFiles"]
      data "b2_application_key" "example" {
        key_name = b2_application_key.example.key_name
      output "application_key" {
        value = data.b2_application_key.example
    2. Save this code into a file called
    3. Run the following command to initialize the Terraform environment:
      $ terraform init
      The following output is returned:
      $ terraform init
      Initializing the backend...
      Initializing provider plugins...
      - Reusing previous version of backblaze/b2 from the dependency lock file
      - Using previously-installed backblaze/b2 v0.2.1
      Terraform has been successfully initialized!
      You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work.
      If you ever set or change modules or backend configuration for Terraform,
      rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.
    4. Run the following command to create and run your Terraform plan:
      terraform plan -out=application_key.out
      The following output is returned:
      $ terraform plan -out=application_key.out
      An execution plan has been generated and is shown below.
      Resource actions are indicated with the following symbols:
        + create
       <= read (data resources)
      Terraform will perform the following actions:
        # data.b2_application_key.example will be read during apply
        # (config refers to values not yet known)
       <= data "b2_application_key" "example"  {
            + application_key_id = (known after apply)
            + bucket_id          = (known after apply)
            + capabilities       = (known after apply)
            + id                 = (known after apply)
            + key_name           = "test-b2-tfp-0000000000000000000"
            + name_prefix        = (known after apply)
            + options            = (known after apply)
        # b2_application_key.example will be created
        + resource "b2_application_key" "example" {
            + application_key    = (sensitive value)
            + application_key_id = (known after apply)
            + capabilities       = [
                + "readFiles",
            + id                 = (known after apply)
            + key_name           = "test-b2-tfp-0000000000000000000"
            + options            = (known after apply)
      Plan: 1 to add, 0 to change, 0 to destroy.
      This plan was saved to: application_key.out
      To perform exactly these actions, run the following command to apply:
          terraform apply "application_key.out"
      Terraform indicates that it wants to add 1 key, change 0, and destroy 0.
    5. If you are satisfied with the plan, run the following command to apply the plan:
      $ terraform apply application_key.out
      The following output is returned:
      $ terraform apply application_key.out
      b2_application_key.example: Creating...
      b2_application_key.example: Creation complete after 4s [id=0000000000000000000000000]
      data.b2_application_key.example: Reading...
      data.b2_application_key.example: Read complete after 4s [id=0000000000000000000000000]
      Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
      The state of your infrastructure has been saved to the path
      below. This state is required to modify and destroy your
      infrastructure, so keep it safe. To inspect the complete state
      use the `terraform show` command.
      State path: terraform.tfstate
    6. Run the following command to clean up the application key that you created, and enter yes when prompted:
      $ terraform destroy
      The following output is returned:
      $ terraform destroy
      An execution plan has been generated and is shown below.
      Resource actions are indicated with the following symbols:
      - destroy
      Terraform will perform the following actions:
      # b2_application_key.example will be destroyed
      - resource "b2_application_key" "example" {
      - application_key = (sensitive value)
      - application_key_id = "0000000000000000000000000" -> null
      - capabilities = [
      - "readFiles",
      ] -> null
      - id = "0000000000000000000000000" -> null
      - key_name = "test-b2-tfp-0000000000000000000" -> null
      - options = [
      - "s3",
      ] -> null
      Plan: 0 to add, 0 to change, 1 to destroy.
      Do you really want to destroy all resources?
      Terraform will destroy all your managed infrastructure, as shown above.
      There is no undo. Only 'yes' will be accepted to confirm.
      Enter a value: yes
      b2_application_key.example: Destroying... [id=0000000000000000000000000]
      b2_application_key.example: Destruction complete after 3s
      Destroy complete! Resources: 1 destroyed.

    Set Environmental Variables

    Run the following command to set your application key and application key ID environmental variables to read at runtime:

    $ export B2_APPLICATION_KEY_ID=0000000000000000000000000
    $ export B2_APPLICATION_KEY=0000000000000000000000000000000

    Was this article helpful?