Skip to content

Cloud Storage

General Info


Feature Description
  • At Rest: by default, before it is written to disk
  • In Transit: by default, from Google to endpoint
  • Immutable
  • You do not edit them in place, but instead create a new version
  • If enabled, Cloud Storage keeps a history of modifications (overwrites or deletes)
  • You can list the archived versions of an object, restore an object to an older state, or permanently delete a version
  • If disabled, new always overwrites old


Solution Description
Offline Media Import/Export
  • 3rd-party solution that allows you to load data into Google Cloud Storage by sending physical media (HDDs, tapes, etc.) to a 3rd-party service provider who uploads data on your behalf
Cloud Storage Transfer Service
  • Allows to import large amounts of online data into Google Cloud Storage
  • Set up a transfer from a data source (S3, HTTP/HTTPS location, another Cloud Storage Bucket) to data sink (Google Cloud Storage bucket)
Transfer Appliance
  • Storage server that you lease from Google Cloud
  • Connect it to your network, load it with data, and then ship it to an upload facility where the data is uploaded to Cloud Storage

Storage Classes

Class Description
  • High-performance
  • Geo-redundant: you pick a broad geographical location (US/EU, Asia), and data is stored in at least 2 geographic locations separated by at least 160km
  • Appropriate for storing frequently accessed data (website content, interactive workloads, etc.)
  • High-performance
  • Lets you store data in a specific GCP region (e.g., us-central1)
  • Cheaper than multi-regional storage, but it offers less redundancy
  • Appropriate to store data close to their Compute Engine virtual machines or their GKE clusters -> gives better performance for data-intensive computations
  • Backup and archival storage
  • Low-cost, highly durable storage service for storing infrequently accessed data
  • Where you plan to read or modify your data on average once a month or less
  • Also incurs an access fee per gigabyte of data read
  • Backup and archival storage
  • Very-low-cost, highly durable storage service for data archiving, online backup, and disaster recovery
  • Best choice for data that you plan to access at most once a year, due to its slightly lower availability, 90-day minimum storage duration, costs for data access, and higher per-operation costs
  • Incurs a higher fee per gigabyte of data read

Access Control

Cloud IAM
  • Roles are inherited from project to bucket to object
  • Predefined roles:
    • Storage Object Admin: full control of Cloud Storage objects
    • Storage Object Creator: get and list projects, create Cloud Storage objects
    • Storage Object Viewer: get and list projects, get and list Cloud Storage objects
Access Control Lists ("ACLs")
  • Define who has access to buckets and objects, as well as what level of access they have
  • Use ACLs if you need to customize access to individual objects within a bucket (IAM applies to all objects within a bucket)
  • Each ACL consists of two parts
    • Scope: defines who can perform the specified actions
    • Permission: defines what actions can be performed
  • Default ACL: project-private
  • When default ACL for a bucket is changed, the ACLs of objects that already exists remain unchanged
Signed URLs
  • Allow access to Cloud Storage without adding a user to IAM or ACL
  • Temporary access with a timeout
  • Anyone with the signed URL has access
Signed Policy Documents
  • Specify what can be uploaded to a bucket with a form POST
  • Allow greater control over size, content type, and other upload characteristics, in comparison to signed URLs
  • Can also be used by website owners to allow visitors to upload files to Cloud Storage

Making buckets public

Entire bucket Grant the Storage Object Viewer role to the allUsers group
Individual objects in a bucket Grant the Reader access to allUsers on the individual objects