Create storage WORM buckets for projects

This page shows you how to create Google Distributed Cloud (GDC) air-gapped storage WORM buckets.

Before you begin

A project namespace manages bucket resources in the Management API server. You must have a project to work with buckets and objects.

You must also have the appropriate bucket permissions to perform the following operation. See Grant bucket access.

Create a WORM bucket

A WORM bucket ensures that nothing else overwrites objects and it retains them for a minimum period of time. Audit logging is an example use case for a WORM bucket.

Take the following steps to create a WORM bucket:

  1. Set a retention period when creating the bucket. For example, the following example bucket has a retention period of 365 days.

    apiVersion: object.gdc.goog/v1
kind: Bucket
metadata:
  name: foo logging-bucket
  namespace: foo-service
spec:
  description: "Audit logs for foo"
  storageClass: Standard
  bucketPolicy:
    lockingPolicy:
      defaultObjectRetentionDays: 365

  2. Grant the project-bucket-object-viewer role to all users who need read-only access:

    apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: foo-service
  name: object-readonly-access
roleRef:
  kind: Role
  name: project-bucket-object-viewer
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  namespace: foo-service
  name: foo-log-processor
- kind: User
  name: bob@example.com
  apiGroup: rbac.authorization.k8s.io

  3. Grant the project-bucket-object-admin role to users who need to write content to the bucket:

    apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: foo-service
  name: object-write-access
roleRef:
  kind: Role
  name: project-bucket-object-viewer
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  namespace: foo-service
  name: foo-service-account