This page describes how to disable the soft delete feature on all new and existing buckets across your organization.
Soft delete is enabled on new buckets by default to prevent data loss. If needed, you can disable soft delete for existing buckets by modifying the soft delete policy, and you can disable soft delete by default for new buckets by setting an organization-wide default tag. Note that once you disable soft delete, your deleted data cannot be recovered, including accidental or malicious deletions.
Required roles
To get the permissions that you need to disable soft delete, ask your administrator to grant you the following IAM roles on the organization level:
- Storage Admin (roles/storage.admin)
- Tag Administrator (roles/resourcemanager.tagAdmin)
- Organization Viewer (roles/resourcemanager.organizationViewer)
These predefined roles contain the permissions required to disable soft delete. The exact permissions that are required are listed under Required permissions:
Required permissions
The following permissions are required to disable soft delete:
- storage.buckets.get
- storage.buckets.update
- storage.buckets.list (this permission is only required if you plan to use the Google Cloud console to perform the instructions on this page)
For the required permissions that are included as part of the Tag Admin (roles/resourcemanager.tagAdmin) role, see Required permissions for administering tags.
For information about granting roles, see Use IAM with buckets or Manage access to projects.
Disable soft delete on future bucket creation
While soft delete is enabled by default on new buckets, you can prevent soft delete from being enabled by default using tags. Tags use the storage.defaultSoftDeletePolicy key to apply a 0d (zero days) soft delete policy at the organization level, which disables the feature and prevents future retention of deleted data.
Use the following instructions to disable soft delete by default when you create new buckets. Note that the following instructions aren't equivalent to setting an organization policy that mandates a particular soft delete policy, meaning you can still enable soft delete on specific buckets by specifying a policy if needed.
Create the storage.defaultSoftDeletePolicy tag, which is used to change the default soft delete retention duration on new buckets. Note that only the storage.defaultSoftDeletePolicy tag name updates the default soft delete retention duration. Create a tag key using the gcloud resource-manager tags keys create command:
gcloud resource-manager tags keys create storage.defaultSoftDeletePolicy \
  --parent=organizations/ORGANIZATION_ID \
  --description="Configures the default softDeletePolicy for new Storage buckets."
Replace the following:
- ORGANIZATION_ID: the numeric ID of the organization you want to set a default soft delete retention duration for. For example, 12345678901. To learn how to find the organization ID, see Getting your organization resource ID.
Create a tag value of 0d (zero days) to disable the soft delete retention period by default on new buckets, using the gcloud resource-manager tags values create command:
gcloud resource-manager tags values create 0d \
  --parent=ORGANIZATION_ID/storage.defaultSoftDeletePolicy \
  --description="Disables soft delete for new Storage buckets."
Replace the following:
- ORGANIZATION_ID: the numeric ID of the organization you want to set the default soft delete retention duration for. For example, 12345678901.
Attach the tag to your resource using the gcloud resource-manager tags bindings create command:
gcloud resource-manager tags bindings create \
  --tag-value=ORGANIZATION_ID/storage.defaultSoftDeletePolicy/0d \
  --parent=RESOURCE_ID
Replace the following:
- ORGANIZATION_ID: the numeric ID of the organization under which the tag was created. For example, 12345678901.
- RESOURCE_ID: the full name of the organization you want to create the tag binding for. For example, to attach a tag to organizations/7890123456, enter //cloudresourcemanager.googleapis.com/organizations/7890123456.
Disable soft delete on existing buckets
To disable soft delete on existing buckets, run the gcloud storage buckets update command with the --clear-soft-delete flag. The following loop runs it against every bucket in every project that gcloud projects list returns:
gcloud projects list --format="value(projectId)" | while read -r project; do
  gcloud storage buckets update --project="$project" --clear-soft-delete "gs://*"
done
To disable soft delete in a single project instead, run the inner gcloud storage buckets update command once with --project=PROJECT_ID.
Replace the following:
- PROJECT_ID: the name of the project whose soft delete policy you want to disable.
Cloud Storage disables soft delete on existing buckets. Objects that have already been soft deleted will remain in the buckets until their soft delete retention duration completes, after which, they are permanently deleted.
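The helpers below are an added example, not part of the Cloud Storage documentation. They verify the two outcomes the procedures on this page should produce: that the storage.defaultSoftDeletePolicy/0d tag is bound to the organization, and that no existing bucket still retains soft-deleted objects. Both read command output from standard input, so they run offline here against constructed sample output; the field names tagValueNamespacedName (from gcloud resource-manager tags bindings list) and soft_delete_policy.retentionDurationSeconds (from gcloud storage buckets list) are assumptions about the gcloud output format and should be confirmed against your own gcloud output.

```shell
#!/bin/sh
# Added verification helpers (not from the Cloud Storage documentation).
# Both functions read gcloud output from stdin so they can be exercised offline.

# Succeed (exit 0) if the binding list on stdin contains the expected tag value
# for the given organization ID. Assumes `gcloud resource-manager tags bindings list`
# prints a "tagValueNamespacedName: ORG_ID/KEY/VALUE" line per binding (assumed field).
# Usage: gcloud ... bindings list --parent=... | org_tag_binding_present ORGANIZATION_ID
org_tag_binding_present() {
  expected="$1/storage.defaultSoftDeletePolicy/0d"
  grep -q "^ *tagValueNamespacedName: *${expected}\$"
}

# Print, one per line, the buckets whose soft delete retention is above zero.
# Input lines are "BUCKET<TAB>RETENTION_SECONDS", the shape produced by
#   gcloud storage buckets list --format="value(name,soft_delete_policy.retentionDurationSeconds)"
# (assumed field path). An empty retention field is treated as 0, i.e. disabled.
buckets_with_soft_delete() {
  awk -F '\t' '{ secs = ($2 == "") ? 0 : $2 + 0; if (secs > 0) print $1 }'
}

# Constructed sample output, using the example organization ID from this page.
ORG_ID=7890123456
SAMPLE_BINDINGS="$(printf 'name: tagBindings/example-binding\nparent: //cloudresourcemanager.googleapis.com/organizations/7890123456\ntagValue: tagValues/0000000000\ntagValueNamespacedName: 7890123456/storage.defaultSoftDeletePolicy/0d\n')"
# 604800 seconds is a 7-day retention; "scratch" has no policy field at all.
SAMPLE_BUCKETS="$(printf 'prod-logs\t604800\narchive\t0\nscratch\t\nbackups\t2592000\n')"

if printf '%s\n' "$SAMPLE_BINDINGS" | org_tag_binding_present "$ORG_ID"; then
  echo "default soft delete tag is bound to organizations/$ORG_ID"
else
  echo "default soft delete tag is NOT bound to organizations/$ORG_ID"
fi

echo "buckets still retaining soft-deleted objects:"
printf '%s\n' "$SAMPLE_BUCKETS" | buckets_with_soft_delete

# Real invocations (need credentials; commented out so the example runs offline):
# gcloud resource-manager tags bindings list \
#   --parent=//cloudresourcemanager.googleapis.com/organizations/$ORG_ID | org_tag_binding_present "$ORG_ID"
# gcloud storage buckets list --project=PROJECT_ID \
#   --format="value(name,soft_delete_policy.retentionDurationSeconds)" | buckets_with_soft_delete
```

Running the bucket check after the update loop is worth the extra step: the organization tag only changes the default for buckets created later, and because it is not an organization policy, a bucket can still be given its own soft delete policy afterwards, so a periodic listing is the only way to know the retention actually stayed at zero.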
What's next
Review considerations before re-enabling soft delete.
Learn about how soft delete interacts with other Cloud Storage features.