Namespace Pulumi.Gcp.Storage
Classes
Bucket
Creates a new bucket in Google cloud storage service (GCS).
Once a bucket has been created, its location can't be changed.
ACLs can be applied using the gcp.storage.BucketACL resource.
For more information see the official documentation and API.
Note: If the project ID is not set on the resource or in the provider block, it is determined dynamically, which requires enabling the Compute API.
Example Usage - creating a private bucket in standard storage, in the EU region. Bucket configured as static website and CORS configurations
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var static_site = new Gcp.Storage.Bucket("static-site", new Gcp.Storage.BucketArgs
        {
            // Enables Bucket Policy Only access on the bucket.
            BucketPolicyOnly = true,
            Cors =
            {
                new Gcp.Storage.Inputs.BucketCorArgs
                {
                    MaxAgeSeconds = 3600,
                    Method =
                    {
                        "GET",
                        "HEAD",
                        "PUT",
                        "POST",
                        "DELETE",
                    },
                    Origin =
                    {
                        "http://image-store.com",
                    },
                    ResponseHeader =
                    {
                        "*",
                    },
                },
            },
            // When the bucket is deleted, all objects it contains are deleted too.
            ForceDestroy = true,
            Location = "EU",
            Website = new Gcp.Storage.Inputs.BucketWebsiteArgs
            {
                MainPageSuffix = "index.html",
                NotFoundPage = "404.html",
            },
        });
    }
}
Example Usage - Life cycle settings for storage bucket objects
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var auto_expire = new Gcp.Storage.Bucket("auto-expire", new Gcp.Storage.BucketArgs
        {
            ForceDestroy = true,
            LifecycleRules =
            {
                new Gcp.Storage.Inputs.BucketLifecycleRuleArgs
                {
                    Action = new Gcp.Storage.Inputs.BucketLifecycleRuleActionArgs
                    {
                        Type = "Delete",
                    },
                    Condition = new Gcp.Storage.Inputs.BucketLifecycleRuleConditionArgs
                    {
                        // Minimum object age in days (an integer, not a string).
                        Age = 3,
                    },
                },
            },
            Location = "US",
        });
    }
}
BucketAccessControl
Bucket ACLs can be managed authoritatively using the storage_bucket_acl resource. Do not use these two resources in conjunction to manage the same bucket.
The BucketAccessControls resource manages the Access Control List (ACLs) for a single entity/role pairing on a bucket. ACLs let you specify who has access to your data and to what extent.
There are three roles that can be assigned to an entity:
- READERs can get the bucket, though no acl property will be returned, and list the bucket's objects.
- WRITERs are READERs, and they can insert objects into the bucket and delete the bucket's objects.
- OWNERs are WRITERs, and they can get the acl property of a bucket, update a bucket, and call all BucketAccessControls methods on the bucket.
For more information, see Access Control, with the caveat that this API uses READER, WRITER, and OWNER instead of READ, WRITE, and FULL_CONTROL.
To get more information about BucketAccessControl, see:
- API documentation
- How-to Guides
- Official Documentation
Example Usage - Storage Bucket Access Control Public Bucket
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var bucket = new Gcp.Storage.Bucket("bucket", new Gcp.Storage.BucketArgs
        {
        });
        var publicRule = new Gcp.Storage.BucketAccessControl("publicRule", new Gcp.Storage.BucketAccessControlArgs
        {
            Bucket = bucket.Name,
            Role = "READER",
            Entity = "allUsers",
        });
    }
}
BucketAccessControlArgs
BucketAccessControlState
BucketACL
Authoritatively manages a bucket's ACLs in Google cloud storage service (GCS). For more information see the official documentation and API.
Bucket ACLs can be managed non-authoritatively using the storage_bucket_access_control resource. Do not use these two resources in conjunction to manage the same bucket.
Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.
NOTE This resource will not remove the project-owners-<project_id> entity from the OWNER role.
Example Usage
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var image_store = new Gcp.Storage.Bucket("image-store", new Gcp.Storage.BucketArgs
        {
            Location = "EU",
        });
        var image_store_acl = new Gcp.Storage.BucketACL("image-store-acl", new Gcp.Storage.BucketACLArgs
        {
            Bucket = image_store.Name,
            RoleEntities =
            {
                "OWNER:user-my.email@gmail.com",
                "READER:group-mygroup",
            },
        });
    }
}
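A review-time check for RoleEntities lists, as an added example (stand-alone Python, not part of the Pulumi SDK or this page's original code): it parses the ROLE:entity strings used above, expands each bucket role into the operations listed in the BucketAccessControl section, and reports grants to public entities. The function names are hypothetical; allAuthenticatedUsers is assumed here as the second public entity Cloud Storage defines alongside allUsers.

```python
# Added example: audits RoleEntities strings such as "READER:group-mygroup".
# Operations each bucket role adds, as listed in the BucketAccessControl section.
ROLE_ORDER = ["READER", "WRITER", "OWNER"]
ROLE_ADDS = {
    "READER": ["get bucket", "list objects"],
    "WRITER": ["insert objects", "delete objects"],
    "OWNER": ["get acl", "update bucket", "call BucketAccessControls methods"],
}
# Entities that are not tied to a specific identity (assumption: these two).
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def parse_role_entity(item):
    """Split a "ROLE:entity" string and validate the role name."""
    role, sep, entity = item.partition(":")
    if not sep or role not in ROLE_ADDS or not entity:
        raise ValueError(f"not a ROLE:entity pair: {item!r}")
    return role, entity


def operations_for(role):
    """WRITERs are READERs and OWNERs are WRITERs, so operations accumulate."""
    ops = []
    for lower in ROLE_ORDER[: ROLE_ORDER.index(role) + 1]:
        ops.extend(ROLE_ADDS[lower])
    return ops


def public_grants(role_entities):
    """Return one finding per entry that grants a role to a public entity."""
    findings = []
    for item in role_entities:
        role, entity = parse_role_entity(item)
        if entity in PUBLIC_ENTITIES:
            findings.append(
                {"entity": entity, "role": role, "operations": operations_for(role)}
            )
    return findings


# Constructed inputs: the list from the example above, and a public variant.
PRIVATE_ACL = ["OWNER:user-my.email@gmail.com", "READER:group-mygroup"]
PUBLIC_ACL = ["OWNER:user-my.email@gmail.com", "WRITER:allUsers"]

if __name__ == "__main__":
    for finding in public_grants(PUBLIC_ACL):
        print(finding)
```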
BucketACLArgs
BucketACLState
BucketArgs
BucketIAMBinding
Three different resources help you manage your IAM policy for Cloud Storage Bucket. Each of these resources serves a different use case:
- gcp.storage.BucketIAMPolicy: Authoritative. Sets the IAM policy for the bucket and replaces any existing policy already attached.
- gcp.storage.BucketIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the bucket are preserved.
- gcp.storage.BucketIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the bucket are preserved.
Note: gcp.storage.BucketIAMPolicy cannot be used in conjunction with gcp.storage.BucketIAMBinding and gcp.storage.BucketIAMMember or they will fight over what your policy should be.
Note: gcp.storage.BucketIAMBinding resources can be used in conjunction with gcp.storage.BucketIAMMember resources only if they do not grant privilege to the same role.
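Why the two notes above hold, as an added example (a simplified Python model written for this page, not Pulumi or Google API code): each resource kind is applied to an in-memory policy with the semantics listed above, and a resource "drifts" when re-applying it would change the policy again, which is the fight the first note describes. The dictionary layout, the function names, bob and roles/storage.objectViewer are assumptions for illustration; IAM Conditions are ignored.

```python
# Added example: a bucket policy is modelled as {role: set(members)}.

def apply(policy, res):
    """Return the policy after one resource has been applied to it."""
    kind = res["kind"]
    if kind == "BucketIAMPolicy":
        # Authoritative: replaces any existing policy already attached.
        return {role: set(members) for role, members in res["bindings"].items()}
    updated = {role: set(members) for role, members in policy.items()}
    if kind == "BucketIAMBinding":
        # Authoritative for one role: other roles are preserved.
        updated[res["role"]] = set(res["members"])
    elif kind == "BucketIAMMember":
        # Non-authoritative: other members of the role are preserved.
        updated.setdefault(res["role"], set()).add(res["member"])
    else:
        raise ValueError(f"unknown resource kind: {kind}")
    return updated


def drifting(resources, existing=None):
    """Apply all resources in order, then name those that no longer match.

    A resource is reported when re-applying it would change the policy,
    meaning the next update would undo another resource's grant.
    """
    policy = {role: set(m) for role, m in (existing or {}).items()}
    for res in resources:
        policy = apply(policy, res)
    return sorted(res["name"] for res in resources if apply(policy, res) != policy)


# Constructed declarations. jane and roles/storage.admin come from the page's
# examples; bob and roles/storage.objectViewer are added for illustration.
ADMIN = "roles/storage.admin"
VIEWER = "roles/storage.objectViewer"
POLICY = {"name": "policy", "kind": "BucketIAMPolicy",
          "bindings": {ADMIN: ["user:jane@example.com"]}}
BINDING_ADMIN = {"name": "binding", "kind": "BucketIAMBinding",
                 "role": ADMIN, "members": ["user:jane@example.com"]}
MEMBER_ADMIN = {"name": "member-admin", "kind": "BucketIAMMember",
                "role": ADMIN, "member": "user:bob@example.com"}
MEMBER_VIEWER = {"name": "member-viewer", "kind": "BucketIAMMember",
                 "role": VIEWER, "member": "user:bob@example.com"}

if __name__ == "__main__":
    print(drifting([POLICY, MEMBER_VIEWER]))         # policy vs. member
    print(drifting([BINDING_ADMIN, MEMBER_ADMIN]))   # same role
    print(drifting([BINDING_ADMIN, MEMBER_VIEWER]))  # different roles
```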
google_storage_bucket_iam_policy
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Binding =
            {
                {
                    { "role", "roles/storage.admin" },
                    { "members",
                    {
                        "user:jane@example.com",
                    } },
                },
            },
        }));
        var policy = new Gcp.Storage.BucketIAMPolicy("policy", new Gcp.Storage.BucketIAMPolicyArgs
        {
            // google_storage_bucket.Default is not declared in this example;
            // use the Name output of a Gcp.Storage.Bucket defined in your stack.
            Bucket = google_storage_bucket.Default.Name,
            PolicyData = admin.Apply(admin => admin.PolicyData),
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var admin = Output.Create(Gcp.Organizations.GetIAMPolicy.InvokeAsync(new Gcp.Organizations.GetIAMPolicyArgs
        {
            Binding =
            {
                {
                    { "role", "roles/storage.admin" },
                    { "members",
                    {
                        "user:jane@example.com",
                    } },
                    { "condition",
                    {
                        { "title", "expires_after_2019_12_31" },
                        { "description", "Expiring at midnight of 2019-12-31" },
                        { "expression", "request.time < timestamp(\"2020-01-01T00:00:00Z\")" },
                    } },
                },
            },
        }));
        var policy = new Gcp.Storage.BucketIAMPolicy("policy", new Gcp.Storage.BucketIAMPolicyArgs
        {
            // google_storage_bucket.Default is not declared in this example;
            // use the Name output of a Gcp.Storage.Bucket defined in your stack.
            Bucket = google_storage_bucket.Default.Name,
            PolicyData = admin.Apply(admin => admin.PolicyData),
        });
    }
}
google_storage_bucket_iam_binding
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var binding = new Gcp.Storage.BucketIAMBinding("binding", new Gcp.Storage.BucketIAMBindingArgs
        {
            // google_storage_bucket.Default is not declared in this example;
            // use the Name output of a Gcp.Storage.Bucket defined in your stack.
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Members =
            {
                "user:jane@example.com",
            },
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var binding = new Gcp.Storage.BucketIAMBinding("binding", new Gcp.Storage.BucketIAMBindingArgs
        {
            // google_storage_bucket.Default is not declared in this example;
            // use the Name output of a Gcp.Storage.Bucket defined in your stack.
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Members =
            {
                "user:jane@example.com",
            },
            Condition = new Gcp.Storage.Inputs.BucketIAMBindingConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    }
}
google_storage_bucket_iam_member
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var member = new Gcp.Storage.BucketIAMMember("member", new Gcp.Storage.BucketIAMMemberArgs
        {
            // google_storage_bucket.Default is not declared in this example;
            // use the Name output of a Gcp.Storage.Bucket defined in your stack.
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Member = "user:jane@example.com",
        });
    }
}
With IAM Conditions:
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var member = new Gcp.Storage.BucketIAMMember("member", new Gcp.Storage.BucketIAMMemberArgs
        {
            // google_storage_bucket.Default is not declared in this example;
            // use the Name output of a Gcp.Storage.Bucket defined in your stack.
            Bucket = google_storage_bucket.Default.Name,
            Role = "roles/storage.admin",
            Member = "user:jane@example.com",
            Condition = new Gcp.Storage.Inputs.BucketIAMMemberConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    }
}
BucketIAMBindingArgs
BucketIAMBindingState
BucketIAMMember
BucketIAMMemberArgs
BucketIAMMemberState
BucketIAMPolicy
BucketIAMPolicyArgs
BucketIAMPolicyState
BucketObject
Creates a new object inside an existing bucket in Google cloud storage service (GCS).
ACLs can be applied using the gcp.storage.ObjectACL resource.
For more information see the official documentation and API.
Example Usage
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var picture = new Gcp.Storage.BucketObject("picture", new Gcp.Storage.BucketObjectArgs
        {
            Bucket = "image-store",
            Source = new FileAsset("/images/nature/garden-tiger-moth.jpg"),
        });
    }
}
BucketObjectArgs
BucketObjectState
BucketState
DefaultObjectAccessControl
The DefaultObjectAccessControls resources represent the Access Control Lists (ACLs) applied to a new object within a Google Cloud Storage bucket when no ACL was provided for that object. ACLs let you specify who has access to your bucket contents and to what extent.
There are two roles that can be assigned to an entity:
- READERs can get an object, though the acl property will not be revealed.
- OWNERs are READERs, and they can get the acl property, update an object, and call all objectAccessControls methods on the object. The owner of an object is always an OWNER.
For more information, see Access Control, with the caveat that this API uses READER and OWNER instead of READ and FULL_CONTROL.
To get more information about DefaultObjectAccessControl, see:
- API documentation
- How-to Guides
- Official Documentation
Example Usage - Storage Default Object Access Control Public
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var bucket = new Gcp.Storage.Bucket("bucket", new Gcp.Storage.BucketArgs
        {
        });
        var publicRule = new Gcp.Storage.DefaultObjectAccessControl("publicRule", new Gcp.Storage.DefaultObjectAccessControlArgs
        {
            Bucket = bucket.Name,
            Role = "READER",
            Entity = "allUsers",
        });
    }
}
DefaultObjectAccessControlArgs
DefaultObjectAccessControlState
DefaultObjectACL
Authoritatively manages the default object ACLs for a Google Cloud Storage bucket without managing the bucket itself.
Note that for each object, its creator will have the "OWNER" role in addition to the default ACL that has been defined.
For more information see the official documentation and API.
Want fine-grained control over default object ACLs? Use gcp.storage.DefaultObjectAccessControl to control individual role entity pairs.
Example Usage
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var image_store = new Gcp.Storage.Bucket("image-store", new Gcp.Storage.BucketArgs
        {
            Location = "EU",
        });
        var image_store_default_acl = new Gcp.Storage.DefaultObjectACL("image-store-default-acl", new Gcp.Storage.DefaultObjectACLArgs
        {
            Bucket = image_store.Name,
            RoleEntities =
            {
                "OWNER:user-my.email@gmail.com",
                "READER:group-mygroup",
            },
        });
    }
}
DefaultObjectACLArgs
DefaultObjectACLState
GetBucketObject
GetBucketObjectArgs
GetBucketObjectResult
GetObjectSignedUrl
GetObjectSignedUrlArgs
GetObjectSignedUrlResult
GetProjectServiceAccount
GetProjectServiceAccountArgs
GetProjectServiceAccountResult
GetTransferProjectServieAccount
GetTransferProjectServieAccountArgs
GetTransferProjectServieAccountResult
HmacKey
The hmacKeys resource represents an HMAC key within Cloud Storage. The resource consists of a secret and HMAC key metadata. HMAC keys can be used as credentials for service accounts.
To get more information about HmacKey, see:
- API documentation
- How-to Guides
- Official Documentation
Warning: All arguments including the secret value will be stored in the raw state as plain-text. Read more about secrets in state. On import, the secret value will not be retrieved.
Example Usage - Storage Hmac Key
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var serviceAccount = new Gcp.ServiceAccount.Account("serviceAccount", new Gcp.ServiceAccount.AccountArgs
        {
            AccountId = "my-svc-acc",
        });
        var key = new Gcp.Storage.HmacKey("key", new Gcp.Storage.HmacKeyArgs
        {
            ServiceAccountEmail = serviceAccount.Email,
        });
    }
}
HmacKeyArgs
HmacKeyState
Notification
Creates a new notification configuration on a specified bucket, establishing a flow of event notifications from GCS to a Cloud Pub/Sub topic. For more information see the official documentation and API.
In order to enable notifications, a special Google Cloud Storage service account unique to the project must have the IAM permission "projects.topics.publish" for a Cloud Pub/Sub topic in the project. To get the service account's email address, use the gcp.storage.getProjectServiceAccount datasource's email_address value, and see below for an example of enabling notifications by granting the correct IAM permission. See the notifications documentation for more details.
NOTE: This resource can affect your storage IAM policy. If you are using this in the same config as your storage IAM policy resources, consider making this resource dependent on those IAM resources via depends_on. This will safeguard against errors due to IAM race conditions.
Example Usage
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        // Enable notifications by giving the correct IAM permission to the unique service account.
        var gcsAccount = Output.Create(Gcp.Storage.GetProjectServiceAccount.InvokeAsync());
        var topic = new Gcp.PubSub.Topic("topic", new Gcp.PubSub.TopicArgs
        {
        });
        var binding = new Gcp.PubSub.TopicIAMBinding("binding", new Gcp.PubSub.TopicIAMBindingArgs
        {
            Topic = topic.Id,
            Role = "roles/pubsub.publisher",
            Members =
            {
                gcsAccount.Apply(gcsAccount => $"serviceAccount:{gcsAccount.EmailAddress}"),
            },
        });
        // End enabling notifications
        var bucket = new Gcp.Storage.Bucket("bucket", new Gcp.Storage.BucketArgs
        {
        });
        var notification = new Gcp.Storage.Notification("notification", new Gcp.Storage.NotificationArgs
        {
            Bucket = bucket.Name,
            PayloadFormat = "JSON_API_V1",
            Topic = topic.Id,
            EventTypes =
            {
                "OBJECT_FINALIZE",
                "OBJECT_METADATA_UPDATE",
            },
            CustomAttributes =
            {
                { "new-attribute", "new-attribute-value" },
            },
        }, new CustomResourceOptions
        {
            // Create the notification only after the publisher binding exists,
            // as the NOTE above recommends, to avoid an IAM race condition.
            DependsOn = { binding },
        });
    }
}
NotificationArgs
NotificationState
ObjectAccessControl
The ObjectAccessControls resources represent the Access Control Lists (ACLs) for objects within Google Cloud Storage. ACLs let you specify who has access to your data and to what extent.
There are two roles that can be assigned to an entity:
- READERs can get an object, though the acl property will not be revealed.
- OWNERs are READERs, and they can get the acl property, update an object, and call all objectAccessControls methods on the object. The owner of an object is always an OWNER.
For more information, see Access Control, with the caveat that this API uses READER and OWNER instead of READ and FULL_CONTROL.
To get more information about ObjectAccessControl, see:
- API documentation
- How-to Guides
- Official Documentation
Example Usage - Storage Object Access Control Public Object
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var bucket = new Gcp.Storage.Bucket("bucket", new Gcp.Storage.BucketArgs
        {
        });
        var @object = new Gcp.Storage.BucketObject("object", new Gcp.Storage.BucketObjectArgs
        {
            Bucket = bucket.Name,
            Source = new FileAsset("../static/img/header-logo.png"),
        });
        var publicRule = new Gcp.Storage.ObjectAccessControl("publicRule", new Gcp.Storage.ObjectAccessControlArgs
        {
            Object = @object.OutputName,
            Bucket = bucket.Name,
            Role = "READER",
            Entity = "allUsers",
        });
    }
}
ObjectAccessControlArgs
ObjectAccessControlState
ObjectACL
Authoritatively manages the access control list (ACL) for an object in a Google Cloud Storage (GCS) bucket. Removing a gcp.storage.ObjectACL sets the acl to the private predefined ACL.
For more information see the official documentation and API.
Want fine-grained control over object ACLs? Use gcp.storage.ObjectAccessControl to control individual role entity pairs.
Example Usage
using Pulumi;
using Gcp = Pulumi.Gcp;

class MyStack : Stack
{
    public MyStack()
    {
        var image_store = new Gcp.Storage.Bucket("image-store", new Gcp.Storage.BucketArgs
        {
            Location = "EU",
        });
        var image = new Gcp.Storage.BucketObject("image", new Gcp.Storage.BucketObjectArgs
        {
            Bucket = image_store.Name,
            Source = new FileAsset("image1.jpg"),
        });
        var image_store_acl = new Gcp.Storage.ObjectACL("image-store-acl", new Gcp.Storage.ObjectACLArgs
        {
            Bucket = image_store.Name,
            Object = image.OutputName,
            RoleEntities =
            {
                "OWNER:user-my.email@gmail.com",
                "READER:group-mygroup",
            },
        });
    }
}
ObjectACLArgs
ObjectACLState
TransferJob
Creates a new Transfer Job in Google Cloud Storage Transfer.
To get more information about Google Cloud Storage Transfer, see: