This page guides you through how to create Write Once Read Many (WORM) storage buckets in Google Distributed Cloud (GDC) air-gapped environments. This covers the prerequisites and steps for creating a WORM bucket with a defined retention period, and for granting access permissions using role bindings. This information lets you enforce strict data retention practices and immutability, providing robust and compliant data storage for records and use cases like audit logging.
This page is for audiences such as IT administrators within the infrastructure operator group or developers within the application operator group who manage data retention and compliance settings for storage buckets in GDC air-gapped environments. For more information, see Audiences for GDC air-gapped documentation.
Before you begin
A project namespace manages bucket resources in the Management API server. You must have a project to work with buckets and objects.
You must also have the appropriate bucket permissions to perform the following operation. See Grant bucket access.
Create a WORM bucket
A WORM bucket ensures that nothing else overwrites objects and it retains them for a minimum period of time. Audit logging is an example use case for a WORM bucket.
Take the following steps to create a WORM bucket:
Set a retention period when creating the bucket. For example, the following example bucket has a retention period of 365 days.
apiVersion: object.gdc.goog/v1 kind: Bucket metadata: name: foo logging-bucket namespace: foo-service spec: description: "Audit logs for foo" storageClass: Standard bucketPolicy: lockingPolicy: defaultObjectRetentionDays: 365Grant the
project-bucket-object-viewerrole to all users who need read-only access:apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: foo-service name: object-readonly-access roleRef: kind: Role name: project-bucket-object-viewer apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount namespace: foo-service name: foo-log-processor - kind: User name: bob@example.com apiGroup: rbac.authorization.k8s.ioGrant the
project-bucket-object-adminrole to users who need to write content to the bucket:apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: foo-service name: object-write-access roleRef: kind: Role name: project-bucket-object-viewer apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount namespace: foo-service name: foo-service-account