Install and configure the storage CLI for projects
Stay organized with collections
Save and categorize content based on your preferences.
This page guides you through how to install and configure the gdcloud CLI for managing object storage when working with Google Distributed Cloud (GDC) air-gapped projects. It covers how to download, install, and configure the necessary components and settings essential for effectively using storage buckets and objects in this isolated environment.
This page is for audiences such as IT admins within the infrastructure operator group or developers within the application operator group who are looking to provision and manage object storage buckets for projects within GDC air-gapped environments. For more information, see Audiences for GDC air-gapped documentation.
Prepare the gdcloud CLI
To use the gdcloud CLI, see the following steps to download, install, and configure the package.
gdcloud config set storage/s3_secret_access_key SECRET_ACCESS_KEY
Replace CA_BUNDLE_FILE with the path to the CA Certificate:
gdcloud config set storage/s3_custom_ca_certs_file CA_BUNDLE_FILE
Replace ENDPOINT with the endpoint your Infrastructure Operator (IO) provides:
gdcloudconfigsetstorage/s3_endpointENDPOINT
This step differs slightly for dual-zone buckets. Each dual-zone bucket provides three endpoints that you can choose to access the bucket. For most situations, the global endpoint is appropriate in order to take advantage of automatic failovers:
Zone1 endpoint: This endpoint is always received by zone1. If using this endpoint, you have read-after-write consistency for any objects written to zone1. However, if zone1 goes down, a client needs to change to using either the zone2 or global endpoint to continue reading/writing to this bucket. If the client is coming from a user cluster, then this endpoint will only be accessible from within zone1.
Zone2 endpoint: This endpoint is always received by zone2. If using this endpoint, you have read-after-write consistency for any objects written to zone2. However, if zone2 goes down, a client needs to change to using either the zone1 or global endpoint to continue reading/writing to this bucket. If the client is coming from a user cluster, then this endpoint will only be accessible from within zone2.
Global endpoint: This endpoint results in your request being routed to either zone1 or zone2. This option doesn't provide session affinity, meaning that requests made using the same session may arrive in either zone1 or zone2. This means that there is no read-after-write guarantee for requests made to the global endpoint. The global endpoint provides automatic failover in the event that a zone goes down, so users won't have to change endpoints in their workloads the way they would need to if using the zonal endpoint. In addition, this endpoint is accessible from user clusters in all zones.
Run the following commands to view the global/zonal endpoints for your bucket and choose the one you want to use:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThe gdcloud CLI tool is used for managing object storage, and this guide provides steps on how to set it up.\u003c/p\u003e\n"],["\u003cp\u003eDownloading the gdcloud CLI is the first step, as detailed in the gdcloud CLI overview document.\u003c/p\u003e\n"],["\u003cp\u003eInstalling the storage dependencies component is required to use the storage command tree, and this can be achieved by running \u003ccode\u003egdcloud components install storage-cli-dependencies\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring the gdcloud CLI for object storage involves setting the access key ID, secret access key, CA certificate path, and endpoint using \u003ccode\u003egdcloud config set\u003c/code\u003e commands.\u003c/p\u003e\n"]]],[],null,["# Install and configure the storage CLI for projects\n\nThis page guides you through how to install and configure the gdcloud CLI for managing object storage when working with Google Distributed Cloud (GDC) air-gapped projects. It covers how to download, install, and configure the necessary components and settings essential for effectively using storage buckets and objects in this isolated environment.\n\nThis page is for audiences such as IT admins within the infrastructure operator group or developers within the application operator group who are looking to provision and manage object storage buckets for projects within GDC air-gapped environments. For more information, see [Audiences for GDC air-gapped documentation](/distributed-cloud/hosted/docs/latest/gdch/resources/audiences).\n\nPrepare the gdcloud CLI\n-----------------------\n\nTo use the gdcloud CLI, see the following steps to download, install, and configure the package.\n\n### Download the gdcloud CLI\n\nTo download the gdcloud CLI, see the\n[gdcloud CLI overview](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview).\n\n### Install the gdcloud CLI\n\nIn order to use the storage command tree, the storage dependencies component must be installed.\n\n1. Follow [Install gdcloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install).\n\n2. To install the storage dependencies component, run the following commands:\n\n gdcloud components install storage-cli-dependencies\n\n For more information on the `components install` command, see [Install gdcloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-install).\n\n| **Note:** This command only installs the dependencies onto the client machine. For configuring the gdcloud CLI follow [Configure gdcloud CLI for object storage](#gdcloud-storage-configure).\n\n### Configure the gdcloud CLI for object storage\n\nThe following configurations must be set to use the gdcloud CLI for object storage.\n\n1. Replace `ACCESS_KEY_ID` with the access key ID obtained from the secret in [getting access credentials](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/grant-obtain-storage-access#getting_bucket_access_credentials):\n\n gdcloud config set storage/s3_access_key_id ACCESS_KEY_ID\n\n2. Replace `SECRET_ACCESS_KEY` with the secret key obtained from the secret in [getting access credentials](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/grant-obtain-storage-access#getting_bucket_access_credentials):\n\n gdcloud config set storage/s3_secret_access_key SECRET_ACCESS_KEY\n\n3. Replace `CA_BUNDLE_FILE` with the path to the CA Certificate:\n\n gdcloud config set storage/s3_custom_ca_certs_file CA_BUNDLE_FILE\n\n | **Note:** If the CA Certs for GDC are already installed on the environment then you can set this to `/etc/ssl/certs/ca-certificates.crt`\n4. Replace `ENDPOINT` with the endpoint your Infrastructure Operator (IO) provides:\n\n gdcloud config set storage/s3_endpoint ENDPOINT\n\n | **Note:** This is the full endpoint beginning with `https://`.\n\n This step differs slightly for dual-zone buckets. Each dual-zone bucket provides three endpoints that you can choose to access the bucket. For most situations, the global endpoint is appropriate in order to take advantage of automatic failovers:\n - Zone1 endpoint: This endpoint is always received by zone1. If using this endpoint, you have read-after-write consistency for any objects written to zone1. However, if zone1 goes down, a client needs to change to using either the zone2 or global endpoint to continue reading/writing to this bucket. If the client is coming from a user cluster, then this endpoint will only be accessible from within zone1.\n - Zone2 endpoint: This endpoint is always received by zone2. If using this endpoint, you have read-after-write consistency for any objects written to zone2. However, if zone2 goes down, a client needs to change to using either the zone1 or global endpoint to continue reading/writing to this bucket. If the client is coming from a user cluster, then this endpoint will only be accessible from within zone2.\n - Global endpoint: This endpoint results in your request being routed to either zone1 or zone2. This option doesn't provide session affinity, meaning that requests made using the same session may arrive in either zone1 or zone2. This means that there is no read-after-write guarantee for requests made to the global endpoint. The global endpoint provides automatic failover in the event that a zone goes down, so users won't have to change endpoints in their workloads the way they would need to if using the zonal endpoint. In addition, this endpoint is accessible from user clusters in all zones.\n\n Run the following commands to view the global/zonal endpoints for your bucket and choose the one you want to use: \n\n kgo get buckets $BUCKET_NAME -n $PROJECT_NAME -o jsonpath=\"{.status.globalEndpoint}\"\n\n kgo get buckets $BUCKET_NAME -n $PROJECT_NAME -o jsonpath=\"{.status.zonalEndpoints}\""]]
