This page guides you through how to create Write Once Read Many (WORM) storage buckets in Google Distributed Cloud (GDC) air-gapped environments. This covers the prerequisites and steps for creating a WORM bucket with a defined retention period, and for granting access permissions using role bindings. This information lets you enforce strict data retention practices and immutability, providing robust and compliant data storage for records and use cases like audit logging.
This page is for audiences such as IT administrators within the infrastructure operator group or developers within the application operator group who manage data retention and compliance settings for storage buckets in GDC air-gapped environments. For more information, see Audiences for GDC air-gapped documentation.
Before you begin
A project namespace manages bucket resources in the Management API server. You
must have a project to work with buckets and objects.
You must also have the appropriate bucket permissions to perform the following
operation. See Grant bucket access.
Create a WORM bucket
A WORM bucket ensures that existing objects are not overwritten and retains them for
a minimum period of time. Audit logging is an example use case for a WORM bucket.

Note: If you attempt to overwrite an object in a WORM bucket, you will add a new version of the object. Only after a WORM object's retention period, as dictated by the bucket locking policy, is over can you proceed with object, bucket, and project deletion.

Take the following steps to create a WORM bucket:

1. Set a retention period when creating the bucket. For example, the following
   bucket has a retention period of 365 days.

   ```yaml
   apiVersion: object.gdc.goog/v1
   kind: Bucket
   metadata:
     name: foo-logging-bucket
     namespace: foo-service
   spec:
     description: "Audit logs for foo"
     storageClass: Standard
     bucketPolicy:
       lockingPolicy:
         # Minimum number of days each object is retained
         defaultObjectRetentionDays: 365
   ```

2. Grant the `project-bucket-object-viewer` role to all users who need read-only
   access:

   ```yaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     namespace: foo-service
     name: object-readonly-access
   roleRef:
     kind: Role
     name: project-bucket-object-viewer
     apiGroup: rbac.authorization.k8s.io
   subjects:
   # Subjects that only need to read objects
   - kind: ServiceAccount
     namespace: foo-service
     name: foo-log-processor
   - kind: User
     name: bob@example.com
     apiGroup: rbac.authorization.k8s.io
   ```

3. Grant the `project-bucket-object-admin` role to users who need to write
   content to the bucket:

   ```yaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     namespace: foo-service
     name: object-write-access
   roleRef:
     kind: Role
     # Write access requires the admin role, not the viewer role
     name: project-bucket-object-admin
     apiGroup: rbac.authorization.k8s.io
   subjects:
   - kind: ServiceAccount
     namespace: foo-service
     name: foo-service-account
   ```

Last updated 2025-08-25 UTC.
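A pre-apply review of the manifests from the steps above, as an added example that is not part of the GDC documentation: it flags a missing or too-short locking policy and compares the subjects bound to `project-bucket-object-admin` against the writers you expect. The manifests are constructed samples written as Python dicts, and `review`, `binding`, `subject_id`, the name pattern and the expected-writer list are assumptions of this example.

```python
import re

# Role name is the one on this page; the sample manifests below are constructed.
WRITE_ROLE = "project-bucket-object-admin"
# Simplified Kubernetes DNS-subdomain naming rule (assumed to apply to Bucket names).
K8S_NAME = re.compile(r"^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$")

def subject_id(s):
    """Stable identifier for a RoleBinding subject."""
    ns = s.get("namespace")
    return f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}"

def review(manifests, min_days, expected_writers):
    """Return findings for a WORM bucket manifest and its RoleBindings."""
    findings, writers = [], set()
    for m in manifests:
        name = m["metadata"]["name"]
        if not K8S_NAME.match(name):
            findings.append(f"invalid resource name: {name!r}")
        if m["kind"] == "Bucket":
            lock = m["spec"].get("bucketPolicy", {}).get("lockingPolicy", {})
            days = lock.get("defaultObjectRetentionDays")
            if not isinstance(days, int) or days < min_days:
                findings.append(f"{name}: retention {days!r} missing or below {min_days} days")
        elif m["kind"] == "RoleBinding" and m["roleRef"]["name"] == WRITE_ROLE:
            writers.update(subject_id(s) for s in m.get("subjects", []))
    # Anyone with write access who should not have it, and the reverse.
    for s in sorted(writers - expected_writers):
        findings.append(f"unexpected writer: {s}")
    for s in sorted(expected_writers - writers):
        findings.append(f"expected writer has no write binding: {s}")
    return findings

def binding(name, role, subjects):
    return {"kind": "RoleBinding",
            "metadata": {"name": name, "namespace": "foo-service"},
            "roleRef": {"kind": "Role", "name": role}, "subjects": subjects}

SA = {"kind": "ServiceAccount", "namespace": "foo-service", "name": "foo-service-account"}
BUCKET = {"kind": "Bucket",
          "metadata": {"name": "foo-logging-bucket", "namespace": "foo-service"},
          "spec": {"bucketPolicy": {"lockingPolicy": {"defaultObjectRetentionDays": 365}}}}
GOOD = [BUCKET, binding("object-write-access", WRITE_ROLE, [SA])]
# Constructed faulty set: no locking policy, write binding references the viewer role.
BAD = [{**BUCKET, "spec": {}},
       binding("object-write-access", "project-bucket-object-viewer", [SA])]
WRITERS = {"ServiceAccount:foo-service/foo-service-account"}

if __name__ == "__main__":
    for label, docs in (("good", GOOD), ("bad", BAD)):
        print(label, review(docs, 365, WRITERS))
```

Run it in review or CI before applying the manifests; an empty list means the bucket is locked for at least the required period and only the expected subjects can write.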