Create storage WORM buckets

This page shows you how to create Google Distributed Cloud (GDC) air-gapped storage WORM buckets.

Before you begin

A project namespace manages bucket resources in the Management API server. You must have a project to work with buckets and objects.

You must also have the appropriate bucket permissions to perform the following operation. See Grant bucket access.

Create a WORM bucket

A WORM bucket ensures that nothing else overwrites objects and it retains them for a minimum period of time. Audit logging is an example use case for a WORM bucket.

Take the following steps to create a WORM bucket:

1. Set a retention period when creating the bucket. For example, the following example bucket has a retention period of 365 days.

   apiVersion: object.gdc.goog/v1
   kind: Bucket
   metadata:
     name: foo logging-bucket
     namespace: foo-service
   spec:
     description: "Audit logs for foo"
     storageClass: Standard
     bucketPolicy:
       lockingPolicy:
         defaultObjectRetentionDays: 365
   

2. Grant the project-bucket-object-viewer role to all users who need read-only access:

   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     namespace: foo-service
     name: object-readonly-access
   roleRef:
     kind: Role
     name: project-bucket-object-viewer
     apiGroup: rbac.authorization.k8s.io
   subjects:
   - kind: ServiceAccount
     namespace: foo-service
     name: foo-log-processor
   - kind: User
     name: bob@example.com
     apiGroup: rbac.authorization.k8s.io
   

3. Grant the project-bucket-object-admin role to users who need to write content to the bucket:

   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     namespace: foo-service
     name: object-write-access
   roleRef:
     kind: Role
     name: project-bucket-object-viewer
     apiGroup: rbac.authorization.k8s.io
   subjects:
   - kind: ServiceAccount
     namespace: foo-service
     name: foo-service-account