Create storage WORM buckets

This page guides you through how to create Write Once Read Many (WORM) storage buckets in Google Distributed Cloud (GDC) air-gapped environments. This covers the prerequisites and steps for creating a WORM bucket with a defined retention period, and for granting access permissions using role bindings. This information lets you enforce strict data retention practices and immutability, providing robust and compliant data storage for records and use cases like audit logging.

This page is for audiences such as IT administrators within the infrastructure operator group or developers within the application operator group who manage data retention and compliance settings for storage buckets in GDC air-gapped environments. For more information, see Audiences for GDC air-gapped documentation.

Before you begin

A project namespace manages bucket resources in the Management API server. You must have a project to work with buckets and objects.

You must also have the appropriate bucket permissions to perform the following operation. See Grant bucket access.

Create a WORM bucket

A WORM bucket ensures that nothing else overwrites objects and it retains them for a minimum period of time. Audit logging is an example use case for a WORM bucket.

Take the following steps to create a WORM bucket:

  1. Set a retention period when creating the bucket. For example, the following example bucket has a retention period of 365 days.

    apiVersion: object.gdc.goog/v1
    kind: Bucket
    metadata:
      name: foo logging-bucket
      namespace: foo-service
    spec:
      description: "Audit logs for foo"
      storageClass: Standard
      bucketPolicy:
        lockingPolicy:
          defaultObjectRetentionDays: 365
    
  2. Grant the project-bucket-object-viewer role to all users who need read-only access:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: foo-service
      name: object-readonly-access
    roleRef:
      kind: Role
      name: project-bucket-object-viewer
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
      namespace: foo-service
      name: foo-log-processor
    - kind: User
      name: bob@example.com
      apiGroup: rbac.authorization.k8s.io
    
  3. Grant the project-bucket-object-admin role to users who need to write content to the bucket:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: foo-service
      name: object-write-access
    roleRef:
      kind: Role
      name: project-bucket-object-viewer
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
      namespace: foo-service
      name: foo-service-account