From 10d52a8a9ddbbaaff054aedaf493c57c610de4fb Mon Sep 17 00:00:00 2001
From: Ivan Despot <66276597+g-despot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 08:41:58 +0200
Subject: [PATCH 1/2] Document BACKUP_SKIP_ACCESS_CHECK and
 EXPORT_SKIP_ACCESS_CHECK env vars
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds docs for the two env vars introduced in weaviate#11645 (released in
v1.37.8). Both default to false and skip the write-and-delete access probe
that runs when a backup/export backend initializes — useful for immutable
(write-once / WORM) buckets or least-privilege credentials that cannot
delete objects.

- env-vars/index.md: add EXPORT_SKIP_ACCESS_CHECK to the General reference table
- export.md: add EXPORT_SKIP_ACCESS_CHECK row; clarify runtime-config note
  (the new var is applied at startup, not runtime-configurable)
- backups.md: add a "Skip the storage access check" section for
  BACKUP_SKIP_ACCESS_CHECK (applies to all cloud backup backends)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 docs/deploy/configuration/backups.md        | 10 ++++++++++
 docs/deploy/configuration/env-vars/index.md |  1 +
 docs/deploy/configuration/export.md         |  3 ++-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/docs/deploy/configuration/backups.md b/docs/deploy/configuration/backups.md
index efd13450..5387d5bb 100644
--- a/docs/deploy/configuration/backups.md
+++ b/docs/deploy/configuration/backups.md
@@ -124,6 +124,16 @@ To use any provider:
 
 Note multiple providers can be enabled simultaneously
 
+### Skip the storage access check
+
+When a cloud backup backend (`backup-s3`, `backup-gcs`, or `backup-azure`) initializes, Weaviate verifies that the configured credentials can write to and delete from the target bucket. It does this by writing a temporary `access-check` object and then removing it. This probe fails on immutable (write-once / WORM) buckets, or with least-privilege credentials that are not permitted to delete objects.
+
+Set `BACKUP_SKIP_ACCESS_CHECK=true` to skip this probe. The variable applies to all cloud backup backends, defaults to `false`, and is applied at startup (a restart is required to change it).
+
+| Environment variable | Required | Description |
+| --- | --- | --- |
+| `BACKUP_SKIP_ACCESS_CHECK` | no | Skip the write-and-delete access check performed when a backup backend initializes. Set to `true` for immutable (write-once / WORM) buckets or least-privilege credentials that cannot delete objects. Defaults to `false`.<br/><br/>Added in `v1.37.8`. |
+
 ### S3 (AWS or S3-compatible)
 
 - Works with AWS S3 and S3-compatible services (e.g., MinIO)
diff --git a/docs/deploy/configuration/env-vars/index.md b/docs/deploy/configuration/env-vars/index.md
index 8159ded7..307bff68 100644
--- a/docs/deploy/configuration/env-vars/index.md
+++ b/docs/deploy/configuration/env-vars/index.md
@@ -50,6 +50,7 @@ import APITable from '@site/src/components/APITable';
 | `EXPORT_DEFAULT_PATH` | Optional base path prefix for exported files within the bucket for [collection exports](/docs/deploy/configuration/export.md). Defaults to `""` (no prefix). _Changed in `v1.37.1`: previously required to be explicitly set._<br/>Added in `v1.37` | `string` | `exports/my-cluster` |
 | `EXPORT_ENABLED` | Enable the [collection export](/docs/deploy/configuration/export.md) API. Default: `false`<br/>Added in `v1.37` | `boolean` | `true` |
 | `EXPORT_PARALLELISM` | Number of concurrent scan workers for [collection exports](/docs/deploy/configuration/export.md). `0` uses GOMAXPROCS. Default: `0`<br/>Added in `v1.37` | `string - number` | `4` |
+| `EXPORT_SKIP_ACCESS_CHECK` | Skip the write-and-delete access check that runs when the [collection export](/docs/deploy/configuration/export.md) backend initializes. Set to `true` for immutable (write-once / WORM) buckets or least-privilege credentials that cannot delete objects. Applied at startup. Default: `false`<br/>Added in `v1.37.8` | `boolean` | `true` |
 | `GODEBUG` | Controls debugging variables within the runtime. [See official Go docs](https://pkg.go.dev/runtime). | `string - comma-separated list of name=val pairs` | `gctrace=1` |
 | `GOMAXPROCS` | Set the maximum number of threads that can be executing simultaneously. If this value is set, it be respected by `LIMIT_RESOURCES`. | `string - number` | `NUMBER_OF_CPU_CORES` |
 | `GOMEMLIMIT` | Set the memory limit for the Go runtime. A suggested value is between 80-90% of your total memory for Weaviate. The Go runtime tries to make sure that long-lived and temporary memory allocations do not exceed this value by making the garbage collector more aggressive as the memory usage approaches the limit. [Learn more about GOMEMLIMIT](https://weaviate.io/blog/gomemlimit-a-game-changer-for-high-memory-applications). | `string - memory limit in SI units` | `4096MiB` |
diff --git a/docs/deploy/configuration/export.md b/docs/deploy/configuration/export.md
index 19660405..b172b981 100644
--- a/docs/deploy/configuration/export.md
+++ b/docs/deploy/configuration/export.md
@@ -32,8 +32,9 @@ Set these [environment variables](/docs/deploy/configuration/env-vars/index.md)
 | `EXPORT_DEFAULT_BUCKET` | (empty)          | Storage bucket name. Required for S3, GCS, and Azure backends.                    |
 | `EXPORT_DEFAULT_PATH`   | `""`             | Optional base path prefix for exported files within the bucket. Defaults to an empty string (no prefix). _Changed in `v1.37.1`: previously required to be explicitly set._ |
 | `EXPORT_PARALLELISM`    | `0` (GOMAXPROCS) | Number of concurrent scan workers.                                                |
+| `EXPORT_SKIP_ACCESS_CHECK` | `false`       | Skip the write-and-delete access check that runs when the export backend initializes. Set to `true` for immutable (write-once / WORM) buckets or least-privilege credentials that cannot delete objects. _Added in `v1.37.8`._ |
 
-All four variables are [runtime-configurable](/docs/deploy/configuration/env-vars/runtime-config.md) and can be changed without restarting Weaviate.
+`EXPORT_ENABLED`, `EXPORT_DEFAULT_BUCKET`, `EXPORT_DEFAULT_PATH`, and `EXPORT_PARALLELISM` are [runtime-configurable](/docs/deploy/configuration/env-vars/runtime-config.md) and can be changed without restarting Weaviate. `EXPORT_SKIP_ACCESS_CHECK` is applied at startup and requires a restart to change.
 
 :::note Weaviate Cloud
 

From 54d2322bb7b5856f6b21e675b1aab95b0d17a1de Mon Sep 17 00:00:00 2001
From: Ivan Despot <66276597+g-despot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 09:51:17 +0200
Subject: [PATCH 2/2] Update note location

---
 docs/deploy/configuration/backups.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/deploy/configuration/backups.md b/docs/deploy/configuration/backups.md
index 5387d5bb..de8ac6b1 100644
--- a/docs/deploy/configuration/backups.md
+++ b/docs/deploy/configuration/backups.md
@@ -122,17 +122,7 @@ To use any provider:
     - Option 1: Set the necessary environment variables
     - Option 2 (Kubernetes): Configure the [Helm chart values](#kubernetes-configuration)
 
-Note multiple providers can be enabled simultaneously
-
-### Skip the storage access check
-
-When a cloud backup backend (`backup-s3`, `backup-gcs`, or `backup-azure`) initializes, Weaviate verifies that the configured credentials can write to and delete from the target bucket. It does this by writing a temporary `access-check` object and then removing it. This probe fails on immutable (write-once / WORM) buckets, or with least-privilege credentials that are not permitted to delete objects.
-
-Set `BACKUP_SKIP_ACCESS_CHECK=true` to skip this probe. The variable applies to all cloud backup backends, defaults to `false`, and is applied at startup (a restart is required to change it).
-
-| Environment variable | Required | Description |
-| --- | --- | --- |
-| `BACKUP_SKIP_ACCESS_CHECK` | no | Skip the write-and-delete access check performed when a backup backend initializes. Set to `true` for immutable (write-once / WORM) buckets or least-privilege credentials that cannot delete objects. Defaults to `false`.<br/><br/>Added in `v1.37.8`. |
+Note multiple providers can be enabled simultaneously.
 
 ### S3 (AWS or S3-compatible)
 
@@ -788,6 +778,16 @@ The backup API is built in a way that no long-running network requests are requi
 
 If you would like your application to wait for the background backup process to complete, you can use the "wait for completion" feature that is present in all language clients. The clients will poll the status endpoint in the background and block until the status is either `SUCCESS` or `FAILED`. This makes it easy to write simple synchronous backup scripts, even with the async nature of the API.
 
+### Skip the storage access check
+
+When a cloud backup backend (`backup-s3`, `backup-gcs`, or `backup-azure`) initializes, Weaviate verifies that the configured credentials can write to and delete from the target bucket. It does this by writing a temporary `access-check` object and then removing it. This probe fails on immutable (write-once / WORM) buckets, or with least-privilege credentials that are not permitted to delete objects.
+
+Set `BACKUP_SKIP_ACCESS_CHECK=true` to skip this probe. The variable applies to all cloud backup backends, defaults to `false`, and is applied at startup (a restart is required to change it).
+
+| Environment variable | Required | Description |
+| --- | --- | --- |
+| `BACKUP_SKIP_ACCESS_CHECK` | no | Skip the write-and-delete access check performed when a backup backend initializes. Set to `true` for immutable (write-once / WORM) buckets or least-privilege credentials that cannot delete objects. Defaults to `false`.<br/><br/>Added in `v1.37.8`. |
+
 ## Other Use cases
 
 ### Migrating to another environment