Google Cloud Storage as a Cheap S3 Backup for Coolify: Step-by-Step Setup


Coolify supports S3-compatible storage for database backups out of the box — and Google Cloud Storage is one of the cheapest options that works with it. This guide covers the full setup: bucket creation, HMAC authentication, IAM permissions, and the common pitfalls that cause AccessDenied errors on the first attempt. For a small self-hosted project, the total cost runs under $0.05 per month.

Why Google Cloud Storage Instead of AWS S3

Both services support the S3 API and charge roughly the same for storage. The practical difference is the free tier. Google Cloud offers a $300 free credit for new accounts, valid for 90 days but sufficient to cover years of small-scale backup storage. AWS S3’s free tier provides 5 GB of Standard storage for 12 months — useful, but it expires and doesn’t cover cheaper storage classes.

| Parameter | Google Cloud Storage | AWS S3 |
|---|---|---|
| Standard storage | $0.023/GB/month | $0.023/GB/month |
| Infrequent access | $0.010/GB (Nearline) | $0.0125/GB (Infrequent) |
| Archive tier | $0.007/GB (Coldline) | $0.004/GB (Glacier Flexible) |
| New account credit | $300 | 5 GB free for 12 months |
| S3-compatible API | Via HMAC keys | Native |

For backup workloads — write once, read rarely — Google Cloud’s Nearline class at $0.010/GB/month is slightly cheaper than AWS S3 Infrequent Access at $0.0125/GB/month. The difference is marginal for small volumes but adds up at scale. AWS Glacier is cheaper for deep archive at $0.004/GB, but Coolify’s backup rotation doesn’t need archive-tier retrieval times.

What You Need Before Starting

The setup requires a Google Cloud account with an active project, a Cloud Storage bucket, and a running Coolify instance (version 4.x) with at least one database configured. No CLI tools are necessary — everything is done through the Google Cloud Console web interface and Coolify’s dashboard. The entire process takes about 10 minutes.

The key technical detail: Google Cloud Storage exposes an S3-compatible interoperability API authenticated via HMAC keys. Any tool that speaks the S3 protocol — including Coolify’s built-in S3 backup engine — can talk to GCS by pointing at https://storage.googleapis.com with HMAC credentials instead of AWS access keys.
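
How an S3 client authenticates with the HMAC pair, as an added example that is not from the original article: each request is signed with AWS Signature Version 4, so the secret itself never goes on the wire. The credentials, bucket and object names are constructed, and the object path is assumed to need no URL-encoding.

```python
import hashlib
import hmac
from datetime import datetime, timezone

HOST = "storage.googleapis.com"  # GCS endpoint named in the text above

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get(access_key, secret, region, bucket, obj, when):
    """Build SigV4 headers for a path-style GET of one object (when is UTC)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    body_hash = hashlib.sha256(b"").hexdigest()  # a GET has an empty body
    headers = {"host": HOST, "x-amz-content-sha256": body_hash,
               "x-amz-date": amz_date}
    names = ";".join(sorted(headers))
    canonical = "\n".join([
        "GET", f"/{bucket}/{obj}", "",  # method, path, empty query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        names, body_hash])
    # The region is part of the signing scope, so it must match on both sides.
    scope = f"{day}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # The secret only seeds a chain of HMACs; it is never transmitted.
    key = ("AWS4" + secret).encode()
    for part in (day, region, "s3", "aws4_request"):
        key = _mac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={names}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed credentials and names, not real values.
    demo = sign_get("GOOGEXAMPLEACCESSID", "constructed-secret",
                    "europe-north1", "my-backups", "pg-dump.dmp",
                    datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
    for name, value in demo.items():
        print(f"{name}: {value}")
```

Only the access key ID and the signature appear in the request, which is why a leaked log line with an Authorization header exposes less than a leaked secret does.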

Creating the Bucket: Region Selection Matters

Navigate to Cloud Storage → Buckets in the Google Cloud Console and click Create. Three settings deserve attention:

  • Name — globally unique across all of Google Cloud. Note it down; it goes into Coolify’s configuration.
  • Location type — choose Region and pick a region close to the Coolify server. For a server in Helsinki, europe-north1 is optimal. For one in Frankfurt, europe-west3. A regional bucket in the same datacenter region as the server eliminates cross-region transfer latency during backup and restore.
  • Access control — keep the default Uniform access control. Fine-grained ACLs are unnecessary for a backup-only bucket.

Region choice affects both cost and restore speed. The price difference between regions can reach 30% — us-central1 is cheaper than us-east1. More importantly, restoring a 500 MB database from a bucket in the same region takes seconds; from a different continent, the transfer alone adds minutes.

Generating HMAC Keys: The S3 Authentication Bridge

HMAC keys are the bridge between Google Cloud’s native authentication and the S3 protocol. They come as a pair — an Access Key and a Secret — functionally identical to AWS IAM access keys.

  1. Go to Cloud Storage → Settings (gear icon in the left sidebar).
  2. Open the Interoperability tab.
  3. Under User Account HMAC, click Create a key.
  4. Copy both the Access Key and Secret immediately — the secret is shown only once.

The warning “You haven’t set a default project” on this page is harmless. It applies only to bucket listing and creation through the S3-compatible API, not to object operations on an existing bucket. Coolify only uploads, downloads, and deletes backup files — all object-level operations that work without a default project setting.

If the secret is lost, it cannot be retrieved. The only option is to delete the old HMAC key, create a new pair, and update the credentials in Coolify’s S3 Storage settings.

Granting Bucket Permissions: The Step Most People Miss

The HMAC key is tied to a specific Google account. That account needs explicit permissions on the bucket — without this step, Coolify will fail with AccessDenied during the connection verification.

In Cloud Storage → Buckets → [your bucket], open the Permissions tab and click Grant Access. Enter the email of the Google account that was used to create the HMAC key in the New principals field. Select Storage Object Admin as the role and click Save.

Storage Object Admin grants create, read, overwrite, and delete permissions on objects — exactly what Coolify needs for backup rotation. The broader Storage Admin role also allows managing bucket settings, which is unnecessary. The minimum viable combination would be Storage Object Creator + Storage Object Viewer, but Storage Object Admin is simpler and covers old backup deletion during rotation.

Adding the S3 Storage in Coolify

In Coolify’s sidebar, navigate to S3 Storages and click Add. Fill in the form:

| Field | Value |
|---|---|
| Name | Any label, e.g. gcs-backups |
| Endpoint | https://storage.googleapis.com |
| Bucket | Your bucket name |
| Region | Bucket region, e.g. europe-north1 |
| Access Key | HMAC Access Key |
| Secret Key | HMAC Secret |

Click Verify to test the connection. Coolify sends a test request to the bucket. Two common errors at this stage: InvalidLocationConstraint means the region doesn’t match the bucket’s actual region — check it in the bucket’s Configuration tab. AccessDenied means the IAM permissions from the previous step weren’t applied correctly.

Configuring Backup Schedule and Retention

Once the S3 storage is verified, go to the target database in Coolify, open the Backups tab, and enable S3 Enabled. Select the storage created in the previous step.

The schedule uses cron expressions. Two practical options:

  • 0 2 * * * — daily at 2:00 AM. Sufficient for a blog or low-traffic application.
  • 0 */6 * * * — every 6 hours. Appropriate for production workloads where 6 hours of data loss is unacceptable.

The Save backups parameter controls retention count. For a personal blog, 7–14 daily backups is a reasonable balance. Each 20 MB PostgreSQL backup on Nearline storage costs approximately $0.0002, so 30 retained copies cost under $0.01/month. The real cost driver is not storage — it’s the operations. Each backup cycle involves one write and one delete (for rotation), priced at $0.005 per 10,000 operations on Nearline. At one backup per day, that’s $0.000015/month in operation costs.

Troubleshooting Common Errors

AccessDenied during verification — the Google account tied to the HMAC key lacks permissions on the bucket. Confirm that Storage Object Admin is assigned to the exact email used when creating the key. Propagation takes up to 60 seconds; retry after a minute.

InvalidLocationConstraint — the region in Coolify doesn’t match the bucket’s region. Check the exact value in Bucket → Configuration → Location. Multi-region buckets (EU, US) work too, but the region field in Coolify must match exactly — enter EU or US, not a sub-region.

Backups succeed locally but don’t appear in S3 — verify that S3 Enabled is toggled on and the correct storage is selected. Coolify stores local backup copies separately from S3 uploads. A successful local backup does not guarantee a successful cloud upload. Check the backup logs in Coolify for S3 transfer status.
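
One way to check, from outside Coolify, that uploads really land in the bucket and that rotation is removing old copies (an added example, not Coolify's code). It assumes boto3 is installed for the live listing; the key prefix, file names and thresholds are constructed, and the retention count is assumed to apply to the copies in the bucket.

```python
from datetime import datetime, timedelta, timezone

def fetch_objects(bucket, prefix, access_key, secret, region):
    """List objects via the S3-compatible API. Needs boto3 (assumed installed)."""
    import boto3  # lazy import: the check below runs without it
    s3 = boto3.client("s3", endpoint_url="https://storage.googleapis.com",
                      region_name=region, aws_access_key_id=access_key,
                      aws_secret_access_key=secret)
    pages = s3.get_paginator("list_objects_v2").paginate(
        Bucket=bucket, Prefix=prefix)
    return [o for page in pages for o in page.get("Contents", [])]

def check_backups(objects, now, interval_hours, retention, grace_hours=1):
    """Return findings; an empty list means the S3 copies look healthy."""
    if not objects:
        return ["no objects found: backups are not reaching the bucket"]
    findings = []
    newest = max(objects, key=lambda o: o["LastModified"])
    age = now - newest["LastModified"]
    if age > timedelta(hours=interval_hours + grace_hours):
        findings.append(f"stale: newest object {newest['Key']} is {age} old")
    for o in objects:
        if o["Size"] == 0:
            findings.append(f"empty: {o['Key']} has zero bytes")
    # More objects than the retention count suggests deletes are failing,
    # e.g. when the role granted on the bucket lacks object delete.
    if len(objects) > retention:
        findings.append(f"rotation: {len(objects)} objects, expected at most "
                        f"{retention}; deletes may be failing")
    return findings

def sample_listing(days):
    """Constructed listing: one 20 MB dump per day at 02:00 UTC in May 2024."""
    return [{"Key": f"backups/pg-dump-2024-05-{d:02d}.dmp",
             "LastModified": datetime(2024, 5, d, 2, 0, tzinfo=timezone.utc),
             "Size": 20_000_000} for d in days]

if __name__ == "__main__":
    now = datetime(2024, 5, 10, 3, 0, tzinfo=timezone.utc)
    print(check_backups(sample_listing(range(4, 11)), now, 24, 7))
    print(check_backups(sample_listing(range(1, 9)), now, 24, 7))
```

For a live check, pass the result of `fetch_objects(...)` to `check_backups` with `interval_hours` set to the cron interval (24 for `0 2 * * *`, 6 for `0 */6 * * *`).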

The Bottom Line

Google Cloud Storage works as a drop-in S3 backend for Coolify backups with no extra tools or middleware. The setup takes about 10 minutes and requires only a bucket, HMAC keys, and a single IAM permission. For a self-hosted blog or side project, the ongoing cost is under $0.05/month — and the $300 new-account credit covers that for years. The main advantage over AWS S3 isn’t the storage price (they’re nearly identical) — it’s the free credit and slightly cheaper infrequent-access tier. For anyone already running Coolify, adding GCS as a backup destination is the lowest-effort path to offsite database protection.
