1. Docs
2. Reference
3. API
4. @pulumi/gcp
5. storage

Module storage

Resources

• Bucket
• BucketAccessControl
• BucketACL
• BucketIAMBinding
• BucketIAMMember
• BucketIAMPolicy
• BucketObject
• DefaultObjectAccessControl
• DefaultObjectACL
• HmacKey
• Notification
• ObjectAccessControl
• ObjectACL
• TransferJob

Functions

• getBucketObject
• getObjectSignedUrl
• getProjectServiceAccount
• getTransferProjectServieAccount

Others

• BucketAccessControlArgs
• BucketAccessControlState
• BucketACLArgs
• BucketACLState
• BucketArgs
• BucketContext
• BucketData
• BucketEventArgs
• BucketEventCallbackFunctionArgs
• BucketEventHandler
• BucketIAMBindingArgs
• BucketIAMBindingState
• BucketIAMMemberArgs
• BucketIAMMemberState
• BucketIAMPolicyArgs
• BucketIAMPolicyState
• BucketObjectArgs
• BucketObjectState
• BucketState
• DefaultObjectAccessControlArgs
• DefaultObjectAccessControlState
• DefaultObjectACLArgs
• DefaultObjectACLState
• GetBucketObjectArgs
• GetBucketObjectResult
• GetObjectSignedUrlArgs
• GetObjectSignedUrlResult
• GetProjectServiceAccountArgs
• GetProjectServiceAccountResult
• GetTransferProjectServieAccountArgs
• GetTransferProjectServieAccountResult
• HmacKeyArgs
• HmacKeyState
• NotificationArgs
• NotificationState
• ObjectAccessControlArgs
• ObjectAccessControlState
• ObjectACLArgs
• ObjectACLState
• SimpleBucketEventArgs
• TransferJobArgs
• TransferJobState

Resources

Resource Bucket

class Bucket extends CustomResource

Creates a new bucket in Google cloud storage service (GCS). Once a bucket has been created, its location can’t be changed. ACLs can be applied using the gcp.storage.BucketACL resource.

For more information see the official documentation and API.

Note: If the project id is not set on the resource or in the provider block it will be dynamically determined which will require enabling the compute api.

Example Usage - creating a private bucket in standard storage, in the EU region. Bucket configured as static website and CORS configurations

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const staticSite = new gcp.storage.Bucket("static-site", {
    bucketPolicyOnly: true,
    cors: [{
        maxAgeSeconds: 3600,
        methods: [
            "GET",
            "HEAD",
            "PUT",
            "POST",
            "DELETE",
        ],
        origins: ["http://image-store.com"],
        responseHeaders: ["*"],
    }],
    forceDestroy: true,
    location: "EU",
    website: {
        mainPageSuffix: "index.html",
        notFoundPage: "404.html",
    },
});

Example Usage - Life cycle settings for storage bucket objects

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const autoExpire = new gcp.storage.Bucket("auto-expire", {
    forceDestroy: true,
    lifecycleRules: [{
        action: {
            type: "Delete",
        },
        condition: {
            age: 3,
        },
    }],
    location: "US",
});

constructor

new Bucket(name: string, args?: BucketArgs, opts?: pulumi.CustomResourceOptions)

Create a Bucket resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BucketState, opts?: pulumi.CustomResourceOptions): Bucket

Get an existing Bucket resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Bucket

Returns true if the given object is an instance of Bucket. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

method onObjectArchived

onObjectArchived(name: string, handler: BucketEventHandler | BucketEventCallbackFunctionArgs, args?: SimpleBucketEventArgs, opts?: pulumi.ComponentResourceOptions): CallbackFunction

Creates and publishes a Cloud Functions that will be triggered when a live version of an object is archived or deleted.

This event is only sent for versioning buckets.

See https://cloud.google.com/storage/docs/object-versioning for more details.

method onObjectDeleted

onObjectDeleted(name: string, handler: BucketEventHandler | BucketEventCallbackFunctionArgs, args?: SimpleBucketEventArgs, opts?: pulumi.ComponentResourceOptions): CallbackFunction

Creates and publishes a Cloud Functions that will be triggered when an object is permanently deleted. Depending on the object versioning setting for a bucket this means:

1. For versioning buckets, this is only sent when a version is permanently deleted (but not when an object is archived).

2. For non-versioning buckets, this is sent when an object is deleted or overwritten.

See https://cloud.google.com/storage/docs/object-versioning for more details.

method onObjectEvent

onObjectEvent(name: string, handler: BucketEventHandler | BucketEventCallbackFunctionArgs, args: BucketEventArgs, opts?: pulumi.ComponentResourceOptions): CallbackFunction

Generic helper for registering for any event.

method onObjectFinalized

onObjectFinalized(name: string, handler: BucketEventHandler | BucketEventCallbackFunctionArgs, args?: SimpleBucketEventArgs, opts?: pulumi.ComponentResourceOptions): CallbackFunction

Creates and publishes a Cloud Functions that will be triggered when a new object is created (or an existing object is overwritten, and a new generation of that object is created) in this bucket.

method onObjectMetadataUpdated

onObjectMetadataUpdated(name: string, handler: BucketEventHandler | BucketEventCallbackFunctionArgs, args?: SimpleBucketEventArgs, opts?: pulumi.ComponentResourceOptions): CallbackFunction

Creates and publishes a Cloud Functions that will be triggered when the metadata of an existing object changes.

See https://cloud.google.com/storage/docs/metadata for more details.

property bucketPolicyOnly

public bucketPolicyOnly: pulumi.Output<boolean>;

Enables Bucket Policy Only access to a bucket.

property cors

public cors: pulumi.Output<BucketCor[] | undefined>;

The bucket’s Cross-Origin Resource Sharing (CORS) configuration. Multiple blocks of this type are permitted. Structure is documented below.

property defaultEventBasedHold

public defaultEventBasedHold: pulumi.Output<boolean | undefined>;

property encryption

public encryption: pulumi.Output<BucketEncryption | undefined>;

The bucket’s encryption configuration.

property forceDestroy

public forceDestroy: pulumi.Output<boolean | undefined>;

When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, the provider will fail that run.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property labels

public labels: pulumi.Output<{[key: string]: string} | undefined>;

A set of key/value label pairs to assign to the bucket.

property lifecycleRules

public lifecycleRules: pulumi.Output<BucketLifecycleRule[] | undefined>;

The bucket’s Lifecycle Rules configuration. Multiple blocks of this type are permitted. Structure is documented below.

property location

public location: pulumi.Output<string | undefined>;

The GCS location

property logging

public logging: pulumi.Output<BucketLogging | undefined>;

The bucket’s Access & Storage Logs configuration.

property name

public name: pulumi.Output<string>;

The name of the bucket.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property requesterPays

public requesterPays: pulumi.Output<boolean | undefined>;

Enables Requester Pays on a storage bucket.

property retentionPolicy

public retentionPolicy: pulumi.Output<BucketRetentionPolicy | undefined>;

Configuration of the bucket’s data retention policy for how long objects in the bucket should be retained. Structure is documented below.

property selfLink

public selfLink: pulumi.Output<string>;

The URI of the created resource.

property storageClass

public storageClass: pulumi.Output<string | undefined>;

The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE.

property url

public url: pulumi.Output<string>;

The base URL of the bucket, in the format gs://<bucket-name>.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property versioning

public versioning: pulumi.Output<BucketVersioning | undefined>;

The bucket’s Versioning configuration.

property website

public website: pulumi.Output<BucketWebsite | undefined>;

Configuration if the bucket acts as a website. Structure is documented below.

Resource BucketAccessControl

class BucketAccessControl extends CustomResource

Bucket ACLs can be managed authoritatively using the storageBucketAcl resource. Do not use these two resources in conjunction to manage the same bucket.

The BucketAccessControls resource manages the Access Control List (ACLs) for a single entity/role pairing on a bucket. ACLs let you specify who has access to your data and to what extent.

There are three roles that can be assigned to an entity:

READERs can get the bucket, though no acl property will be returned, and list the bucket’s objects. WRITERs are READERs, and they can insert objects into the bucket and delete the bucket’s objects. OWNERs are WRITERs, and they can get the acl property of a bucket, update a bucket, and call all BucketAccessControls methods on the bucket. For more information, see Access Control, with the caveat that this API uses READER, WRITER, and OWNER instead of READ, WRITE, and FULL_CONTROL.

To get more information about BucketAccessControl, see:

• API documentation
• How-to Guides
  • Official Documentation

Example Usage - Storage Bucket Access Control Public Bucket

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const bucket = new gcp.storage.Bucket("bucket", {});
const publicRule = new gcp.storage.BucketAccessControl("publicRule", {
    bucket: bucket.name,
    role: "READER",
    entity: "allUsers",
});

constructor

new BucketAccessControl(name: string, args: BucketAccessControlArgs, opts?: pulumi.CustomResourceOptions)

Create a BucketAccessControl resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BucketAccessControlState, opts?: pulumi.CustomResourceOptions): BucketAccessControl

Get an existing BucketAccessControl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is BucketAccessControl

Returns true if the given object is an instance of BucketAccessControl. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the bucket.

property domain

public domain: pulumi.Output<string>;

The domain associated with the entity.

property email

public email: pulumi.Output<string>;

The email address associated with the entity.

property entity

public entity: pulumi.Output<string>;

The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property role

public role: pulumi.Output<string | undefined>;

The access permission for the entity.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource BucketACL

class BucketACL extends CustomResource

Authoritatively manages a bucket’s ACLs in Google cloud storage service (GCS). For more information see the official documentation and API.

Bucket ACLs can be managed non authoritatively using the storageBucketAccessControl resource. Do not use these two resources in conjunction to manage the same bucket.

Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.

NOTE This resource will not remove the project-owners-<project_id> entity from the OWNER role.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const imageStore = new gcp.storage.Bucket("image-store", {location: "EU"});
const imageStoreAcl = new gcp.storage.BucketACL("image-store-acl", {
    bucket: image_store.name,
    roleEntities: [
        "OWNER:user-my.email@gmail.com",
        "READER:group-mygroup",
    ],
});

constructor

new BucketACL(name: string, args: BucketACLArgs, opts?: pulumi.CustomResourceOptions)

Create a BucketACL resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BucketACLState, opts?: pulumi.CustomResourceOptions): BucketACL

Get an existing BucketACL resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is BucketACL

Returns true if the given object is an instance of BucketACL. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the bucket it applies to.

property defaultAcl

public defaultAcl: pulumi.Output<string | undefined>;

Configure this ACL to be the default ACL.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property predefinedAcl

public predefinedAcl: pulumi.Output<string | undefined>;

The canned GCS ACL to apply. Must be set if roleEntity is not.

property roleEntities

public roleEntities: pulumi.Output<string[]>;

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefinedAcl is not.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource BucketIAMBinding

class BucketIAMBinding extends CustomResource

Three different resources help you manage your IAM policy for Cloud Storage Bucket. Each of these resources serves a different use case:

• gcp.storage.BucketIAMPolicy: Authoritative. Sets the IAM policy for the bucket and replaces any existing policy already attached.
• gcp.storage.BucketIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the bucket are preserved.
• gcp.storage.BucketIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the bucket are preserved.

Note: gcp.storage.BucketIAMPolicy cannot be used in conjunction with gcp.storage.BucketIAMBinding and gcp.storage.BucketIAMMember or they will fight over what your policy should be.

Note: gcp.storage.BucketIAMBinding resources can be used in conjunction with gcp.storage.BucketIAMMember resources only if they do not grant privilege to the same role.

google_storage_bucket_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/storage.admin",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.storage.BucketIAMPolicy("policy", {
    bucket: google_storage_bucket["default"].name,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/storage.admin",
        members: ["user:jane@example.com"],
        condition: {
            title: "expiresAfter20191231",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    }],
});
const policy = new gcp.storage.BucketIAMPolicy("policy", {
    bucket: google_storage_bucket["default"].name,
    policyData: admin.then(admin => admin.policyData),
});

google_storage_bucket_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.storage.BucketIAMBinding("binding", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.storage.BucketIAMBinding("binding", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    members: ["user:jane@example.com"],
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

google_storage_bucket_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.storage.BucketIAMMember("member", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    member: "user:jane@example.com",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.storage.BucketIAMMember("member", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    member: "user:jane@example.com",
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

constructor

new BucketIAMBinding(name: string, args: BucketIAMBindingArgs, opts?: pulumi.CustomResourceOptions)

Create a BucketIAMBinding resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BucketIAMBindingState, opts?: pulumi.CustomResourceOptions): BucketIAMBinding

Get an existing BucketIAMBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is BucketIAMBinding

Returns true if the given object is an instance of BucketIAMBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

Used to find the parent resource to bind the IAM policy to

property condition

public condition: pulumi.Output<BucketIAMBindingCondition | undefined>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members

public members: pulumi.Output<string[]>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.storage.BucketIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource BucketIAMMember

class BucketIAMMember extends CustomResource

Three different resources help you manage your IAM policy for Cloud Storage Bucket. Each of these resources serves a different use case:

• gcp.storage.BucketIAMPolicy: Authoritative. Sets the IAM policy for the bucket and replaces any existing policy already attached.
• gcp.storage.BucketIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the bucket are preserved.
• gcp.storage.BucketIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the bucket are preserved.

Note: gcp.storage.BucketIAMPolicy cannot be used in conjunction with gcp.storage.BucketIAMBinding and gcp.storage.BucketIAMMember or they will fight over what your policy should be.

Note: gcp.storage.BucketIAMBinding resources can be used in conjunction with gcp.storage.BucketIAMMember resources only if they do not grant privilege to the same role.

google_storage_bucket_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/storage.admin",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.storage.BucketIAMPolicy("policy", {
    bucket: google_storage_bucket["default"].name,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/storage.admin",
        members: ["user:jane@example.com"],
        condition: {
            title: "expiresAfter20191231",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    }],
});
const policy = new gcp.storage.BucketIAMPolicy("policy", {
    bucket: google_storage_bucket["default"].name,
    policyData: admin.then(admin => admin.policyData),
});

google_storage_bucket_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.storage.BucketIAMBinding("binding", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.storage.BucketIAMBinding("binding", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    members: ["user:jane@example.com"],
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

google_storage_bucket_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.storage.BucketIAMMember("member", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    member: "user:jane@example.com",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.storage.BucketIAMMember("member", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    member: "user:jane@example.com",
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

constructor

new BucketIAMMember(name: string, args: BucketIAMMemberArgs, opts?: pulumi.CustomResourceOptions)

Create a BucketIAMMember resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BucketIAMMemberState, opts?: pulumi.CustomResourceOptions): BucketIAMMember

Get an existing BucketIAMMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is BucketIAMMember

Returns true if the given object is an instance of BucketIAMMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

Used to find the parent resource to bind the IAM policy to

property condition

public condition: pulumi.Output<BucketIAMMemberCondition | undefined>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member

public member: pulumi.Output<string>;

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.storage.BucketIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource BucketIAMPolicy

class BucketIAMPolicy extends CustomResource

Three different resources help you manage your IAM policy for Cloud Storage Bucket. Each of these resources serves a different use case:

• gcp.storage.BucketIAMPolicy: Authoritative. Sets the IAM policy for the bucket and replaces any existing policy already attached.
• gcp.storage.BucketIAMBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the bucket are preserved.
• gcp.storage.BucketIAMMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the bucket are preserved.

Note: gcp.storage.BucketIAMPolicy cannot be used in conjunction with gcp.storage.BucketIAMBinding and gcp.storage.BucketIAMMember or they will fight over what your policy should be.

Note: gcp.storage.BucketIAMBinding resources can be used in conjunction with gcp.storage.BucketIAMMember resources only if they do not grant privilege to the same role.

google_storage_bucket_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/storage.admin",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.storage.BucketIAMPolicy("policy", {
    bucket: google_storage_bucket["default"].name,
    policyData: admin.then(admin => admin.policyData),
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/storage.admin",
        members: ["user:jane@example.com"],
        condition: {
            title: "expiresAfter20191231",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    }],
});
const policy = new gcp.storage.BucketIAMPolicy("policy", {
    bucket: google_storage_bucket["default"].name,
    policyData: admin.then(admin => admin.policyData),
});

google_storage_bucket_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.storage.BucketIAMBinding("binding", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    members: ["user:jane@example.com"],
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.storage.BucketIAMBinding("binding", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    members: ["user:jane@example.com"],
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

google_storage_bucket_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.storage.BucketIAMMember("member", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    member: "user:jane@example.com",
});

With IAM Conditions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.storage.BucketIAMMember("member", {
    bucket: google_storage_bucket["default"].name,
    role: "roles/storage.admin",
    member: "user:jane@example.com",
    condition: {
        title: "expiresAfter20191231",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

constructor

new BucketIAMPolicy(name: string, args: BucketIAMPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a BucketIAMPolicy resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BucketIAMPolicyState, opts?: pulumi.CustomResourceOptions): BucketIAMPolicy

Get an existing BucketIAMPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is BucketIAMPolicy

Returns true if the given object is an instance of BucketIAMPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

Used to find the parent resource to bind the IAM policy to

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource BucketObject

class BucketObject extends CustomResource

Creates a new object inside an existing bucket in Google cloud storage service (GCS). ACLs can be applied using the gcp.storage.ObjectACL resource. For more information see the official documentation and API.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const picture = new gcp.storage.BucketObject("picture", {
    bucket: "image-store",
    source: new pulumi.asset.FileAsset("/images/nature/garden-tiger-moth.jpg"),
});

constructor

new BucketObject(name: string, args: BucketObjectArgs, opts?: pulumi.CustomResourceOptions)

Create a BucketObject resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BucketObjectState, opts?: pulumi.CustomResourceOptions): BucketObject

Get an existing BucketObject resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is BucketObject

Returns true if the given object is an instance of BucketObject. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the containing bucket.

property cacheControl

public cacheControl: pulumi.Output<string | undefined>;

Cache-Control directive to specify caching behavior of object data. If omitted and object is accessible to all anonymous users, the default will be public, max-age=3600

property content

public content: pulumi.Output<string | undefined>;

Data as string to be uploaded. Must be defined if source is not. Note: The content field is marked as sensitive.

property contentDisposition

public contentDisposition: pulumi.Output<string | undefined>;

Content-Disposition of the object data.

property contentEncoding

public contentEncoding: pulumi.Output<string | undefined>;

Content-Encoding of the object data.

property contentLanguage

public contentLanguage: pulumi.Output<string | undefined>;

Content-Language of the object data.

property contentType

public contentType: pulumi.Output<string>;

Content-Type of the object data. Defaults to “application/octet-stream” or “text/plain; charset=utf-8”.

property crc32c

public crc32c: pulumi.Output<string>;

(Computed) Base 64 CRC32 hash of the uploaded data.

property detectMd5hash

public detectMd5hash: pulumi.Output<string | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property md5hash

public md5hash: pulumi.Output<string>;

(Computed) Base 64 MD5 hash of the uploaded data.

property metadata

public metadata: pulumi.Output<{[key: string]: string} | undefined>;

User-provided metadata, in key/value pairs.

property name

public name: pulumi.Output<string>;

The name of the object. If you’re interpolating the name of this object, see outputName instead.

property outputName

public outputName: pulumi.Output<string>;

(Computed) The name of the object. Use this field in interpolations with gcp.storage.ObjectACL to recreate gcp.storage.ObjectACL resources when your gcp.storage.BucketObject is recreated.

property selfLink

public selfLink: pulumi.Output<string>;

(Computed) A url reference to this object.

property source

public source: pulumi.Output<Asset | Archive | undefined>;

A path to the data you want to upload. Must be defined if content is not.

property storageClass

public storageClass: pulumi.Output<string>;

The StorageClass of the new bucket object. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE. If not provided, this defaults to the bucket’s default storage class or to a standard class.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource DefaultObjectAccessControl

class DefaultObjectAccessControl extends CustomResource

The DefaultObjectAccessControls resources represent the Access Control Lists (ACLs) applied to a new object within a Google Cloud Storage bucket when no ACL was provided for that object. ACLs let you specify who has access to your bucket contents and to what extent.

There are two roles that can be assigned to an entity:

READERs can get an object, though the acl property will not be revealed. OWNERs are READERs, and they can get the acl property, update an object, and call all objectAccessControls methods on the object. The owner of an object is always an OWNER. For more information, see Access Control, with the caveat that this API uses READER and OWNER instead of READ and FULL_CONTROL.

To get more information about DefaultObjectAccessControl, see:

• API documentation
• How-to Guides
  • Official Documentation

Example Usage - Storage Default Object Access Control Public

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const bucket = new gcp.storage.Bucket("bucket", {});
const publicRule = new gcp.storage.DefaultObjectAccessControl("publicRule", {
    bucket: bucket.name,
    role: "READER",
    entity: "allUsers",
});

constructor

new DefaultObjectAccessControl(name: string, args: DefaultObjectAccessControlArgs, opts?: pulumi.CustomResourceOptions)

Create a DefaultObjectAccessControl resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DefaultObjectAccessControlState, opts?: pulumi.CustomResourceOptions): DefaultObjectAccessControl

Get an existing DefaultObjectAccessControl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is DefaultObjectAccessControl

Returns true if the given object is an instance of DefaultObjectAccessControl. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the bucket.

property domain

public domain: pulumi.Output<string>;

The domain associated with the entity.

property email

public email: pulumi.Output<string>;

The email address associated with the entity.

property entity

public entity: pulumi.Output<string>;

The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as “user-liz@example.com”) * group-{{groupId}} * group-{{email}} (such as “group-example@googlegroups.com”) * domain-{{domain}} (such as “domain-example.com”) * project-team-{{projectId}} * allUsers * allAuthenticatedUsers

property entityId

public entityId: pulumi.Output<string>;

The ID for the entity

property generation

public generation: pulumi.Output<number>;

The content generation of the object, if applied to an object.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property object

public object: pulumi.Output<string | undefined>;

The name of the object, if applied to an object.

property projectTeam

public projectTeam: pulumi.Output<DefaultObjectAccessControlProjectTeam>;

The project team associated with the entity

property role

public role: pulumi.Output<string>;

The access permission for the entity.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource DefaultObjectACL

class DefaultObjectACL extends CustomResource

Authoritatively manages the default object ACLs for a Google Cloud Storage bucket without managing the bucket itself.

Note that for each object, its creator will have the "OWNER" role in addition to the default ACL that has been defined.

For more information see the official documentation and API.

Want fine-grained control over default object ACLs? Use gcp.storage.DefaultObjectAccessControl to control individual role entity pairs.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const imageStore = new gcp.storage.Bucket("image-store", {location: "EU"});
const imageStoreDefaultAcl = new gcp.storage.DefaultObjectACL("image-store-default-acl", {
    bucket: image_store.name,
    roleEntities: [
        "OWNER:user-my.email@gmail.com",
        "READER:group-mygroup",
    ],
});

constructor

new DefaultObjectACL(name: string, args: DefaultObjectACLArgs, opts?: pulumi.CustomResourceOptions)

Create a DefaultObjectACL resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DefaultObjectACLState, opts?: pulumi.CustomResourceOptions): DefaultObjectACL

Get an existing DefaultObjectACL resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is DefaultObjectACL

Returns true if the given object is an instance of DefaultObjectACL. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the bucket it applies to.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property roleEntities

public roleEntities: pulumi.Output<string[]>;

List of role/entity pairs in the form ROLE:entity. See GCS Object ACL documentation for more details. Omitting the field is the same as providing an empty list.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource HmacKey

class HmacKey extends CustomResource

The hmacKeys resource represents an HMAC key within Cloud Storage. The resource consists of a secret and HMAC key metadata. HMAC keys can be used as credentials for service accounts.

To get more information about HmacKey, see:

• API documentation
• How-to Guides
  • Official Documentation

Warning: All arguments including the secret value will be stored in the raw state as plain-text. Read more about secrets in state. On import, the secret value will not be retrieved.

Warning: All arguments including secret will be stored in the raw state as plain-text. Read more about secrets in state.

Example Usage - Storage Hmac Key

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const serviceAccount = new gcp.serviceAccount.Account("serviceAccount", {accountId: "my-svc-acc"});
const key = new gcp.storage.HmacKey("key", {serviceAccountEmail: serviceAccount.email});

constructor

new HmacKey(name: string, args: HmacKeyArgs, opts?: pulumi.CustomResourceOptions)

Create a HmacKey resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: HmacKeyState, opts?: pulumi.CustomResourceOptions): HmacKey

Get an existing HmacKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is HmacKey

Returns true if the given object is an instance of HmacKey. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessId

public accessId: pulumi.Output<string>;

The access ID of the HMAC Key.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property secret

public secret: pulumi.Output<string>;

HMAC secret key material.

property serviceAccountEmail

public serviceAccountEmail: pulumi.Output<string>;

The email address of the key’s associated service account.

property state

public state: pulumi.Output<string | undefined>;

The state of the key. Can be set to one of ACTIVE, INACTIVE.

property timeCreated

public timeCreated: pulumi.Output<string>;

‘The creation time of the HMAC key in RFC 3339 format. ‘

property updated

public updated: pulumi.Output<string>;

‘The last modification time of the HMAC key metadata in RFC 3339 format.’

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Notification

class Notification extends CustomResource

Creates a new notification configuration on a specified bucket, establishing a flow of event notifications from GCS to a Cloud Pub/Sub topic. For more information see the official documentation and API.

In order to enable notifications, a special Google Cloud Storage service account unique to the project must have the IAM permission “projects.topics.publish” for a Cloud Pub/Sub topic in the project. To get the service account’s email address, use the gcp.storage.getProjectServiceAccount datasource’s emailAddress value, and see below for an example of enabling notifications by granting the correct IAM permission. See the notifications documentation for more details.

NOTE: This resource can affect your storage IAM policy. If you are using this in the same config as your storage IAM policy resources, consider making this resource dependent on those IAM resources via dependsOn. This will safeguard against errors due to IAM race conditions.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const gcsAccount = gcp.storage.getProjectServiceAccount({});
const topic = new gcp.pubsub.Topic("topic", {});
const binding = new gcp.pubsub.TopicIAMBinding("binding", {
    topic: topic.id,
    role: "roles/pubsub.publisher",
    members: [gcsAccount.then(gcsAccount => `serviceAccount:${gcsAccount.emailAddress}`)],
});
// End enabling notifications
const bucket = new gcp.storage.Bucket("bucket", {});
const notification = new gcp.storage.Notification("notification", {
    bucket: bucket.name,
    payloadFormat: "JSON_API_V1",
    topic: topic.id,
    eventTypes: [
        "OBJECT_FINALIZE",
        "OBJECT_METADATA_UPDATE",
    ],
    customAttributes: {
        "new-attribute": "new-attribute-value",
    },
});
// Enable notifications by giving the correct IAM permission to the unique service account.

constructor

new Notification(name: string, args: NotificationArgs, opts?: pulumi.CustomResourceOptions)

Create a Notification resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: NotificationState, opts?: pulumi.CustomResourceOptions): Notification

Get an existing Notification resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Notification

Returns true if the given object is an instance of Notification. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the bucket.

property customAttributes

public customAttributes: pulumi.Output<{[key: string]: string} | undefined>;

A set of key/value attribute pairs to attach to each Cloud PubSub message published for this notification subscription

property eventTypes

public eventTypes: pulumi.Output<string[] | undefined>;

List of event type filters for this notification config. If not specified, Cloud Storage will send notifications for all event types. The valid types are: "OBJECT_FINALIZE", "OBJECT_METADATA_UPDATE", "OBJECT_DELETE", "OBJECT_ARCHIVE"

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property notificationId

public notificationId: pulumi.Output<string>;

The ID of the created notification.

property objectNamePrefix

public objectNamePrefix: pulumi.Output<string | undefined>;

Specifies a prefix path filter for this notification config. Cloud Storage will only send notifications for objects in this bucket whose names begin with the specified prefix.

property payloadFormat

public payloadFormat: pulumi.Output<string>;

The desired content of the Payload. One of "JSON_API_V1" or "NONE".

property selfLink

public selfLink: pulumi.Output<string>;

The URI of the created resource.

property topic

public topic: pulumi.Output<string>;

The Cloud PubSub topic to which this subscription publishes. Expects either the topic name, assumed to belong to the default GCP provider project, or the project-level name, i.e. projects/my-gcp-project/topics/my-topic or my-topic. If the project is not set in the provider, you will need to use the project-level name.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource ObjectAccessControl

class ObjectAccessControl extends CustomResource

The ObjectAccessControls resources represent the Access Control Lists (ACLs) for objects within Google Cloud Storage. ACLs let you specify who has access to your data and to what extent.

There are two roles that can be assigned to an entity:

READERs can get an object, though the acl property will not be revealed. OWNERs are READERs, and they can get the acl property, update an object, and call all objectAccessControls methods on the object. The owner of an object is always an OWNER. For more information, see Access Control, with the caveat that this API uses READER and OWNER instead of READ and FULL_CONTROL.

To get more information about ObjectAccessControl, see:

• API documentation
• How-to Guides
  • Official Documentation

Example Usage - Storage Object Access Control Public Object

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const bucket = new gcp.storage.Bucket("bucket", {});
const object = new gcp.storage.BucketObject("object", {
    bucket: bucket.name,
    source: new pulumi.asset.FileAsset("../static/img/header-logo.png"),
});
const publicRule = new gcp.storage.ObjectAccessControl("publicRule", {
    object: object.outputName,
    bucket: bucket.name,
    role: "READER",
    entity: "allUsers",
});

constructor

new ObjectAccessControl(name: string, args: ObjectAccessControlArgs, opts?: pulumi.CustomResourceOptions)

Create a ObjectAccessControl resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ObjectAccessControlState, opts?: pulumi.CustomResourceOptions): ObjectAccessControl

Get an existing ObjectAccessControl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is ObjectAccessControl

Returns true if the given object is an instance of ObjectAccessControl. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the bucket.

property domain

public domain: pulumi.Output<string>;

The domain associated with the entity.

property email

public email: pulumi.Output<string>;

The email address associated with the entity.

property entity

public entity: pulumi.Output<string>;

The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as “user-liz@example.com”) * group-{{groupId}} * group-{{email}} (such as “group-example@googlegroups.com”) * domain-{{domain}} (such as “domain-example.com”) * project-team-{{projectId}} * allUsers * allAuthenticatedUsers

property entityId

public entityId: pulumi.Output<string>;

The ID for the entity

property generation

public generation: pulumi.Output<number>;

The content generation of the object, if applied to an object.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property object

public object: pulumi.Output<string>;

The name of the object to apply the access control to.

property projectTeam

public projectTeam: pulumi.Output<ObjectAccessControlProjectTeam>;

The project team associated with the entity

property role

public role: pulumi.Output<string>;

The access permission for the entity.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource ObjectACL

class ObjectACL extends CustomResource

Authoritatively manages the access control list (ACL) for an object in a Google Cloud Storage (GCS) bucket. Removing a gcp.storage.ObjectACL sets the acl to the private predefined ACL.

For more information see the official documentation and API.

Want fine-grained control over object ACLs? Use gcp.storage.ObjectAccessControl to control individual role entity pairs.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const imageStore = new gcp.storage.Bucket("image-store", {location: "EU"});
const image = new gcp.storage.BucketObject("image", {
    bucket: image_store.name,
    source: new pulumi.asset.FileAsset("image1.jpg"),
});
const imageStoreAcl = new gcp.storage.ObjectACL("image-store-acl", {
    bucket: image_store.name,
    object: image.outputName,
    roleEntities: [
        "OWNER:user-my.email@gmail.com",
        "READER:group-mygroup",
    ],
});

constructor

new ObjectACL(name: string, args: ObjectACLArgs, opts?: pulumi.CustomResourceOptions)

Create a ObjectACL resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ObjectACLState, opts?: pulumi.CustomResourceOptions): ObjectACL

Get an existing ObjectACL resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is ObjectACL

Returns true if the given object is an instance of ObjectACL. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property bucket

public bucket: pulumi.Output<string>;

The name of the bucket the object is stored in.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property object

public object: pulumi.Output<string>;

The name of the object to apply the acl to.

property predefinedAcl

public predefinedAcl: pulumi.Output<string | undefined>;

The “canned” predefined ACL to apply. Must be set if roleEntity is not.

property roleEntities

public roleEntities: pulumi.Output<string[]>;

List of role/entity pairs in the form ROLE:entity. See GCS Object ACL documentation for more details. Must be set if predefinedAcl is not.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource TransferJob

class TransferJob extends CustomResource

Creates a new Transfer Job in Google Cloud Storage Transfer.

To get more information about Google Cloud Storage Transfer, see:

• Overview
• API documentation
• How-to Guides
  • Configuring Access to Data Sources and Sinks

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const default = gcp.storage.getTransferProjectServieAccount({
    project: _var.project,
});
const s3_backup_bucketBucket = new gcp.storage.Bucket("s3-backup-bucketBucket", {
    storageClass: "NEARLINE",
    project: _var.project,
});
const s3_backup_bucketBucketIAMMember = new gcp.storage.BucketIAMMember("s3-backup-bucketBucketIAMMember", {
    bucket: s3_backup_bucketBucket.name,
    role: "roles/storage.admin",
    member: _default.then(_default => `serviceAccount:${_default.email}`),
});
const s3BucketNightlyBackup = new gcp.storage.TransferJob("s3-bucket-nightly-backup", {
    description: "Nightly backup of S3 bucket",
    project: _var.project,
    transfer_spec: {
        object_conditions: {
            maxTimeElapsedSinceLastModification: "600s",
            excludePrefixes: ["requests.gz"],
        },
        transfer_options: {
            deleteObjectsUniqueInSink: false,
        },
        aws_s3_data_source: {
            bucketName: _var.aws_s3_bucket,
            aws_access_key: {
                accessKeyId: _var.aws_access_key,
                secretAccessKey: _var.aws_secret_key,
            },
        },
        gcs_data_sink: {
            bucketName: s3_backup_bucketBucket.name,
        },
    },
    schedule: {
        schedule_start_date: {
            year: 2018,
            month: 10,
            day: 1,
        },
        schedule_end_date: {
            year: 2019,
            month: 1,
            day: 15,
        },
        start_time_of_day: {
            hours: 23,
            minutes: 30,
            seconds: 0,
            nanos: 0,
        },
    },
});

constructor

new TransferJob(name: string, args: TransferJobArgs, opts?: pulumi.CustomResourceOptions)

Create a TransferJob resource with the given unique name, arguments, and options.

• name The unique name of the resource.
• args The arguments to use to populate this resource's properties.
• opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: TransferJobState, opts?: pulumi.CustomResourceOptions): TransferJob

Get an existing TransferJob resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is TransferJob

Returns true if the given object is an instance of TransferJob. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property creationTime

public creationTime: pulumi.Output<string>;

When the Transfer Job was created.

property deletionTime

public deletionTime: pulumi.Output<string>;

When the Transfer Job was deleted.

property description

public description: pulumi.Output<string>;

Unique description to identify the Transfer Job.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property lastModificationTime

public lastModificationTime: pulumi.Output<string>;

When the Transfer Job was last modified.

property name

public name: pulumi.Output<string>;

The name of the Transfer Job.

property project

public project: pulumi.Output<string>;

The project in which the resource belongs. If it is not provided, the provider project is used.

property schedule

public schedule: pulumi.Output<TransferJobSchedule>;

Schedule specification defining when the Transfer Job should be scheduled to start, end and and what time to run. Structure documented below.

property status

public status: pulumi.Output<string | undefined>;

Status of the job. Default: ENABLED. NOTE: The effect of the new job status takes place during a subsequent job run. For example, if you change the job status from ENABLED to DISABLED, and an operation spawned by the transfer is running, the status change would not affect the current operation.

property transferSpec

public transferSpec: pulumi.Output<TransferJobTransferSpec>;

Transfer specification. Structure documented below.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getBucketObject

getBucketObject(args?: GetBucketObjectArgs, opts?: pulumi.InvokeOptions): Promise<GetBucketObjectResult>

Gets an existing object inside an existing bucket in Google Cloud Storage service (GCS). See the official documentation and API.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const picture = pulumi.output(gcp.storage.getBucketObject({
    bucket: "image-store",
    name: "folder/butterfly01.jpg",
}, { async: true }));

Function getObjectSignedUrl

getObjectSignedUrl(args: GetObjectSignedUrlArgs, opts?: pulumi.InvokeOptions): Promise<GetObjectSignedUrlResult>

The Google Cloud storage signed URL data source generates a signed URL for a given storage object. Signed URLs provide a way to give time-limited read or write access to anyone in possession of the URL, regardless of whether they have a Google account.

For more info about signed URL’s is available here.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const artifact = pulumi.output(gcp.storage.getObjectSignedUrl({
    bucket: "installBinaries",
    path: "path/to/install_file.bin",
}, { async: true }));
const vm = new gcp.compute.Instance("vm", {});

Full Example

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * from "fs";

const getUrl = gcp.storage.getObjectSignedUrl({
    bucket: "friedChicken",
    path: "path/to/file",
    contentMd5: "pRviqwS4c4OTJRTe03FD1w==",
    contentType: "text/plain",
    duration: "2d",
    credentials: fs.readFileSync("path/to/credentials.json"),
    extensionHeaders: {
        "x-goog-if-generation-match": 1,
    },
});

Function getProjectServiceAccount

getProjectServiceAccount(args?: GetProjectServiceAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetProjectServiceAccountResult>

Get the email address of a project’s unique Google Cloud Storage service account.

Each Google Cloud project has a unique service account for use with Google Cloud Storage. Only this special service account can be used to set up gcp.storage.Notification resources.

For more information see the API reference.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const gcsAccount = gcp.storage.getProjectServiceAccount({});
const binding = new gcp.pubsub.TopicIAMBinding("binding", {
    topic: google_pubsub_topic.topic.name,
    role: "roles/pubsub.publisher",
    members: [gcsAccount.then(gcsAccount => `serviceAccount:${gcsAccount.emailAddress}`)],
});

Function getTransferProjectServieAccount

getTransferProjectServieAccount(args?: GetTransferProjectServieAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetTransferProjectServieAccountResult>

Use this data source to retrieve Storage Transfer service account for this project

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const default = gcp.storage.getTransferProjectServieAccount({});
export const defaultAccount = _default.then(_default => _default.email);

Others

interface BucketAccessControlArgs

interface BucketAccessControlArgs

The set of arguments for constructing a BucketAccessControl resource.

property bucket

bucket: pulumi.Input<string>;

The name of the bucket.

property entity

entity: pulumi.Input<string>;

The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com.

property role

role?: pulumi.Input<string>;

The access permission for the entity.

interface BucketAccessControlState

interface BucketAccessControlState

Input properties used for looking up and filtering BucketAccessControl resources.

property bucket

bucket?: pulumi.Input<string>;

The name of the bucket.

property domain

domain?: pulumi.Input<string>;

The domain associated with the entity.

property email

email?: pulumi.Input<string>;

The email address associated with the entity.

property entity

entity?: pulumi.Input<string>;

The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com.

property role

role?: pulumi.Input<string>;

The access permission for the entity.

interface BucketACLArgs

interface BucketACLArgs

The set of arguments for constructing a BucketACL resource.

property bucket

bucket: pulumi.Input<string>;

The name of the bucket it applies to.

property defaultAcl

defaultAcl?: pulumi.Input<string>;

Configure this ACL to be the default ACL.

property predefinedAcl

predefinedAcl?: pulumi.Input<string>;

The canned GCS ACL to apply. Must be set if roleEntity is not.

property roleEntities

roleEntities?: pulumi.Input<pulumi.Input<string>[]>;

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefinedAcl is not.

interface BucketACLState

interface BucketACLState

Input properties used for looking up and filtering BucketACL resources.

property bucket

bucket?: pulumi.Input<string>;

The name of the bucket it applies to.

property defaultAcl

defaultAcl?: pulumi.Input<string>;

Configure this ACL to be the default ACL.

property predefinedAcl

predefinedAcl?: pulumi.Input<string>;

The canned GCS ACL to apply. Must be set if roleEntity is not.

property roleEntities

roleEntities?: pulumi.Input<pulumi.Input<string>[]>;

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefinedAcl is not.

interface BucketArgs

interface BucketArgs

The set of arguments for constructing a Bucket resource.

property bucketPolicyOnly

bucketPolicyOnly?: pulumi.Input<boolean>;

Enables Bucket Policy Only access to a bucket.

property cors

cors?: pulumi.Input<pulumi.Input<BucketCor>[]>;

The bucket’s Cross-Origin Resource Sharing (CORS) configuration. Multiple blocks of this type are permitted. Structure is documented below.

property defaultEventBasedHold

defaultEventBasedHold?: pulumi.Input<boolean>;

property encryption

encryption?: pulumi.Input<BucketEncryption>;

The bucket’s encryption configuration.

property forceDestroy

forceDestroy?: pulumi.Input<boolean>;

When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, the provider will fail that run.

property labels

labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A set of key/value label pairs to assign to the bucket.

property lifecycleRules

lifecycleRules?: pulumi.Input<pulumi.Input<BucketLifecycleRule>[]>;

The bucket’s Lifecycle Rules configuration. Multiple blocks of this type are permitted. Structure is documented below.

property location

location?: pulumi.Input<string>;

The GCS location

property logging

logging?: pulumi.Input<BucketLogging>;

The bucket’s Access & Storage Logs configuration.

property name

name?: pulumi.Input<string>;

The name of the bucket.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property requesterPays

requesterPays?: pulumi.Input<boolean>;

Enables Requester Pays on a storage bucket.

property retentionPolicy

retentionPolicy?: pulumi.Input<BucketRetentionPolicy>;

Configuration of the bucket’s data retention policy for how long objects in the bucket should be retained. Structure is documented below.

property storageClass

storageClass?: pulumi.Input<string>;

The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE.

property versioning

versioning?: pulumi.Input<BucketVersioning>;

The bucket’s Versioning configuration.

property website

website?: pulumi.Input<BucketWebsite>;

Configuration if the bucket acts as a website. Structure is documented below.

interface BucketContext

interface BucketContext extends Context

Shape of the [context] object passed to a Cloud Function when a bucket event fires.

property eventId

eventId: string;

A unique ID for the event. For example: “70172329041928”.

property eventType

eventType: "google.storage.object.finalize" | "google.storage.object.delete" | "google.storage.object.archive" | "google.storage.object.metadataUpdate";

The type of the event.

property resource

resource: {
    name: string;
    service: "storage.googleapis.com";
    type: "storage#object";
};

The resource that emitted the event.

property timestamp

timestamp: string;

The date/time this event was created. For example: “2018-04-09T07:56:12.975Z”.

interface BucketData

interface BucketData

Shape of the [data] object passed to a Cloud Function when a bucket event fires.

See https://cloud.google.com/storage/docs/json_api/v1/objects for more details.

property bucket

bucket: string;

property contentType

contentType: string;

property crc32c

crc32c: string;

property etag

etag: string;

property generation

generation: number;

property id

id: string;

property kind

kind: "storage#object";

property md5Hash

md5Hash: string;

property mediaLink

mediaLink: string;

property metadata

metadata: Record<string, string>;

property metageneration

metageneration: number;

property name

name: string;

property selfLink

selfLink: string;

property size

size: number;

property storageClass

storageClass: string;

property timeCreated

timeCreated: string;

property timeStorageClassUpdated

timeStorageClassUpdated: string;

property updated

updated: string;

interface BucketEventArgs

interface BucketEventArgs

property failurePolicy

failurePolicy?: cloudfunctions.FailurePolicy;

property triggerType

triggerType: "finalize" | "delete" | "archive" | "metadataUpdate";

interface BucketEventCallbackFunctionArgs

interface BucketEventCallbackFunctionArgs extends CallbackFunctionArgs

Arguments that can be provided to control the Cloud Function created as the serverless endpoint for a bucket event.

property availableMemoryMb

availableMemoryMb?: pulumi.Input<number>;

Memory (in MB), available to the function. Default value is 256MB. Allowed values are: 128MB, 256MB, 512MB, 1024MB, and 2048MB.

property bucket

bucket?: storage.Bucket;

The bucket to use as the sourceArchiveBucket for the generated CloudFunctions Function source to be placed in. A fresh [storage.BucketObject] will be made there containing the serialized code.

property callback

callback?: BucketEventHandler;

property callbackFactory

callbackFactory?: undefined | () => BucketEventHandler;

property codePathOptions

codePathOptions?: pulumi.runtime.CodePathOptions;

Options to control which paths/packages should be included or excluded in the zip file containing the code for the GCP Function.

property description

description?: pulumi.Input<string>;

Description of the function.

property environmentVariables

environmentVariables?: pulumi.Input<{[key: string]: any}>;

A set of key/value environment variable pairs to assign to the function.

property eventTrigger

eventTrigger?: undefined;

property httpsTriggerUrl

httpsTriggerUrl?: undefined;

property iamMember

iamMember?: pulumi.Input<string>;

The specific member to grant access to the function. If not specifiedm then we default to allUsers. Available options are allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid} and domain:{domain}:

property iamRole

iamRole?: pulumi.Input<string>;

The specific role to attach to the function. If not specified, then we default to roles/cloudfunctions.invoker. Role must be in the format roles/{role-name}

property labels

labels?: pulumi.Input<{[key: string]: any}>;

A set of key/value label pairs to assign to the function.

property project

project?: pulumi.Input<string>;

Project of the function. If it is not provided, the provider project is used.

property region

region?: pulumi.Input<string>;

Region of function. Currently can be only “us-central1”. If it is not provided, the provider region is used.

property runtime

runtime?: pulumi.Input<string>;

The specific runtime for the function. If not specified, a default will be applied

property serviceAccountEmail

serviceAccountEmail?: pulumi.Input<string>;

If provided, the self-provided service account to run the function with.

property timeout

timeout?: pulumi.Input<number>;

Timeout (in seconds) for the function. Default value is 60 seconds. Cannot be more than 540 seconds.

property triggerHttp

triggerHttp?: undefined;

type BucketEventHandler

type BucketEventHandler = cloudfunctions.Callback<BucketData, BucketContext, void>;

interface BucketIAMBindingArgs

interface BucketIAMBindingArgs

The set of arguments for constructing a BucketIAMBinding resource.

property bucket

bucket: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<BucketIAMBindingCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.storage.BucketIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface BucketIAMBindingState

interface BucketIAMBindingState

Input properties used for looking up and filtering BucketIAMBinding resources.

property bucket

bucket?: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<BucketIAMBindingCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.storage.BucketIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface BucketIAMMemberArgs

interface BucketIAMMemberArgs

The set of arguments for constructing a BucketIAMMember resource.

property bucket

bucket: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<BucketIAMMemberCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property member

member: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.storage.BucketIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface BucketIAMMemberState

interface BucketIAMMemberState

Input properties used for looking up and filtering BucketIAMMember resources.

property bucket

bucket?: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<BucketIAMMemberCondition>;

) An IAM Condition for a given binding. Structure is documented below.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property member

member?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.storage.BucketIAMBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface BucketIAMPolicyArgs

interface BucketIAMPolicyArgs

The set of arguments for constructing a BucketIAMPolicy resource.

property bucket

bucket: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

interface BucketIAMPolicyState

interface BucketIAMPolicyState

Input properties used for looking up and filtering BucketIAMPolicy resources.

property bucket

bucket?: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

interface BucketObjectArgs

interface BucketObjectArgs

The set of arguments for constructing a BucketObject resource.

property bucket

bucket: pulumi.Input<string>;

The name of the containing bucket.

property cacheControl

cacheControl?: pulumi.Input<string>;

Cache-Control directive to specify caching behavior of object data. If omitted and object is accessible to all anonymous users, the default will be public, max-age=3600

property content

content?: pulumi.Input<string>;

Data as string to be uploaded. Must be defined if source is not. Note: The content field is marked as sensitive.

property contentDisposition

contentDisposition?: pulumi.Input<string>;

Content-Disposition of the object data.

property contentEncoding

contentEncoding?: pulumi.Input<string>;

Content-Encoding of the object data.

property contentLanguage

contentLanguage?: pulumi.Input<string>;

Content-Language of the object data.

property contentType

contentType?: pulumi.Input<string>;

Content-Type of the object data. Defaults to “application/octet-stream” or “text/plain; charset=utf-8”.

property detectMd5hash

detectMd5hash?: pulumi.Input<string>;

property metadata

metadata?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

User-provided metadata, in key/value pairs.

property name

name?: pulumi.Input<string>;

The name of the object. If you’re interpolating the name of this object, see outputName instead.

property source

source?: pulumi.Input<Asset | Archive>;

A path to the data you want to upload. Must be defined if content is not.

property storageClass

storageClass?: pulumi.Input<string>;

The StorageClass of the new bucket object. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE. If not provided, this defaults to the bucket’s default storage class or to a standard class.

interface BucketObjectState

interface BucketObjectState

Input properties used for looking up and filtering BucketObject resources.

property bucket

bucket?: pulumi.Input<string>;

The name of the containing bucket.

property cacheControl

cacheControl?: pulumi.Input<string>;

Cache-Control directive to specify caching behavior of object data. If omitted and object is accessible to all anonymous users, the default will be public, max-age=3600

property content

content?: pulumi.Input<string>;

Data as string to be uploaded. Must be defined if source is not. Note: The content field is marked as sensitive.

property contentDisposition

contentDisposition?: pulumi.Input<string>;

Content-Disposition of the object data.

property contentEncoding

contentEncoding?: pulumi.Input<string>;

Content-Encoding of the object data.

property contentLanguage

contentLanguage?: pulumi.Input<string>;

Content-Language of the object data.

property contentType

contentType?: pulumi.Input<string>;

Content-Type of the object data. Defaults to “application/octet-stream” or “text/plain; charset=utf-8”.

property crc32c

crc32c?: pulumi.Input<string>;

(Computed) Base 64 CRC32 hash of the uploaded data.

property detectMd5hash

detectMd5hash?: pulumi.Input<string>;

property md5hash

md5hash?: pulumi.Input<string>;

(Computed) Base 64 MD5 hash of the uploaded data.

property metadata

metadata?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

User-provided metadata, in key/value pairs.

property name

name?: pulumi.Input<string>;

The name of the object. If you’re interpolating the name of this object, see outputName instead.

property outputName

outputName?: pulumi.Input<string>;

(Computed) The name of the object. Use this field in interpolations with gcp.storage.ObjectACL to recreate gcp.storage.ObjectACL resources when your gcp.storage.BucketObject is recreated.

property selfLink

selfLink?: pulumi.Input<string>;

(Computed) A url reference to this object.

property source

source?: pulumi.Input<Asset | Archive>;

A path to the data you want to upload. Must be defined if content is not.

property storageClass

storageClass?: pulumi.Input<string>;

The StorageClass of the new bucket object. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE. If not provided, this defaults to the bucket’s default storage class or to a standard class.

interface BucketState

interface BucketState

Input properties used for looking up and filtering Bucket resources.

property bucketPolicyOnly

bucketPolicyOnly?: pulumi.Input<boolean>;

Enables Bucket Policy Only access to a bucket.

property cors

cors?: pulumi.Input<pulumi.Input<BucketCor>[]>;

The bucket’s Cross-Origin Resource Sharing (CORS) configuration. Multiple blocks of this type are permitted. Structure is documented below.

property defaultEventBasedHold

defaultEventBasedHold?: pulumi.Input<boolean>;

property encryption

encryption?: pulumi.Input<BucketEncryption>;

The bucket’s encryption configuration.

property forceDestroy

forceDestroy?: pulumi.Input<boolean>;

When deleting a bucket, this boolean option will delete all contained objects. If you try to delete a bucket that contains objects, the provider will fail that run.

property labels

labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A set of key/value label pairs to assign to the bucket.

property lifecycleRules

lifecycleRules?: pulumi.Input<pulumi.Input<BucketLifecycleRule>[]>;

The bucket’s Lifecycle Rules configuration. Multiple blocks of this type are permitted. Structure is documented below.

property location

location?: pulumi.Input<string>;

The GCS location

property logging

logging?: pulumi.Input<BucketLogging>;

The bucket’s Access & Storage Logs configuration.

property name

name?: pulumi.Input<string>;

The name of the bucket.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property requesterPays

requesterPays?: pulumi.Input<boolean>;

Enables Requester Pays on a storage bucket.

property retentionPolicy

retentionPolicy?: pulumi.Input<BucketRetentionPolicy>;

Configuration of the bucket’s data retention policy for how long objects in the bucket should be retained. Structure is documented below.

property selfLink

selfLink?: pulumi.Input<string>;

The URI of the created resource.

property storageClass

storageClass?: pulumi.Input<string>;

The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE.

property url

url?: pulumi.Input<string>;

The base URL of the bucket, in the format gs://<bucket-name>.

property versioning

versioning?: pulumi.Input<BucketVersioning>;

The bucket’s Versioning configuration.

property website

website?: pulumi.Input<BucketWebsite>;

Configuration if the bucket acts as a website. Structure is documented below.

interface DefaultObjectAccessControlArgs

interface DefaultObjectAccessControlArgs

The set of arguments for constructing a DefaultObjectAccessControl resource.

property bucket

bucket: pulumi.Input<string>;

The name of the bucket.

property entity

entity: pulumi.Input<string>;

The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as “user-liz@example.com”) * group-{{groupId}} * group-{{email}} (such as “group-example@googlegroups.com”) * domain-{{domain}} (such as “domain-example.com”) * project-team-{{projectId}} * allUsers * allAuthenticatedUsers

property object

object?: pulumi.Input<string>;

The name of the object, if applied to an object.

property role

role: pulumi.Input<string>;

The access permission for the entity.

interface DefaultObjectAccessControlState

interface DefaultObjectAccessControlState

Input properties used for looking up and filtering DefaultObjectAccessControl resources.

property bucket

bucket?: pulumi.Input<string>;

The name of the bucket.

property domain

domain?: pulumi.Input<string>;

The domain associated with the entity.

property email

email?: pulumi.Input<string>;

The email address associated with the entity.

property entity

entity?: pulumi.Input<string>;

The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as “user-liz@example.com”) * group-{{groupId}} * group-{{email}} (such as “group-example@googlegroups.com”) * domain-{{domain}} (such as “domain-example.com”) * project-team-{{projectId}} * allUsers * allAuthenticatedUsers

property entityId

entityId?: pulumi.Input<string>;

The ID for the entity

property generation

generation?: pulumi.Input<number>;

The content generation of the object, if applied to an object.

property object

object?: pulumi.Input<string>;

The name of the object, if applied to an object.

property projectTeam

projectTeam?: pulumi.Input<DefaultObjectAccessControlProjectTeam>;

The project team associated with the entity

property role

role?: pulumi.Input<string>;

The access permission for the entity.

interface DefaultObjectACLArgs

interface DefaultObjectACLArgs

The set of arguments for constructing a DefaultObjectACL resource.

property bucket

bucket: pulumi.Input<string>;

The name of the bucket it applies to.

property roleEntities

roleEntities?: pulumi.Input<pulumi.Input<string>[]>;

List of role/entity pairs in the form ROLE:entity. See GCS Object ACL documentation for more details. Omitting the field is the same as providing an empty list.

interface DefaultObjectACLState

interface DefaultObjectACLState

Input properties used for looking up and filtering DefaultObjectACL resources.

property bucket

bucket?: pulumi.Input<string>;

The name of the bucket it applies to.

property roleEntities

roleEntities?: pulumi.Input<pulumi.Input<string>[]>;

List of role/entity pairs in the form ROLE:entity. See GCS Object ACL documentation for more details. Omitting the field is the same as providing an empty list.

interface GetBucketObjectArgs

interface GetBucketObjectArgs

A collection of arguments for invoking getBucketObject.

property bucket

bucket?: undefined | string;

The name of the containing bucket.

property name

name?: undefined | string;

The name of the object.

interface GetBucketObjectResult

interface GetBucketObjectResult

A collection of values returned by getBucketObject.

property bucket

bucket?: undefined | string;

property cacheControl

cacheControl: string;

(Computed) Cache-Control directive to specify caching behavior of object data. If omitted and object is accessible to all anonymous users, the default will be public, max-age=3600

property content

content: string;

property contentDisposition

contentDisposition: string;

(Computed) Content-Disposition of the object data.

property contentEncoding

contentEncoding: string;

(Computed) Content-Encoding of the object data.

property contentLanguage

contentLanguage: string;

(Computed) Content-Language of the object data.

property contentType

contentType: string;

(Computed) Content-Type of the object data. Defaults to “application/octet-stream” or “text/plain; charset=utf-8”.

property crc32c

crc32c: string;

(Computed) Base 64 CRC32 hash of the uploaded data.

property detectMd5hash

detectMd5hash: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property md5hash

md5hash: string;

(Computed) Base 64 MD5 hash of the uploaded data.

property metadata

metadata: {[key: string]: string};

property name

name?: undefined | string;

property outputName

outputName: string;

property selfLink

selfLink: string;

(Computed) A url reference to this object.

property source

source: string;

property storageClass

storageClass: string;

(Computed) The StorageClass of the new bucket object. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE. If not provided, this defaults to the bucket’s default storage class or to a standard class.

interface GetObjectSignedUrlArgs

interface GetObjectSignedUrlArgs

A collection of arguments for invoking getObjectSignedUrl.

property bucket

bucket: string;

The name of the bucket to read the object from

property contentMd5

contentMd5?: undefined | string;

The MD5 digest value in Base64. Typically retrieved from google_storage_bucket_object.object.md5hash attribute. If you provide this in the datasource, the client (e.g. browser, curl) must provide the Content-MD5 HTTP header with this same value in its request.

property contentType

contentType?: undefined | string;

If you specify this in the datasource, the client must provide the Content-Type HTTP header with the same value in its request.

property credentials

credentials?: undefined | string;

What Google service account credentials json should be used to sign the URL. This data source checks the following locations for credentials, in order of preference: data source credentials attribute, provider credentials attribute and finally the GOOGLE_APPLICATION_CREDENTIALS environment variable.

property duration

duration?: undefined | string;

For how long shall the signed URL be valid (defaults to 1 hour - i.e. 1h). See here for info on valid duration formats.

property extensionHeaders

extensionHeaders?: undefined | {[key: string]: string};

As needed. The server checks to make sure that the client provides matching values in requests using the signed URL. Any header starting with x-goog- is accepted but see the Google Docs for list of headers that are supported by Google.

property httpMethod

httpMethod?: undefined | string;

What HTTP Method will the signed URL allow (defaults to GET)

property path

path: string;

The full path to the object inside the bucket

interface GetObjectSignedUrlResult

interface GetObjectSignedUrlResult

A collection of values returned by getObjectSignedUrl.

property bucket

bucket: string;

property contentMd5

contentMd5?: undefined | string;

property contentType

contentType?: undefined | string;

property credentials

credentials?: undefined | string;

property duration

duration?: undefined | string;

property extensionHeaders

extensionHeaders?: undefined | {[key: string]: string};

property httpMethod

httpMethod?: undefined | string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property path

path: string;

property signedUrl

signedUrl: string;

The signed URL that can be used to access the storage object without authentication.

interface GetProjectServiceAccountArgs

interface GetProjectServiceAccountArgs

A collection of arguments for invoking getProjectServiceAccount.

property project

project?: undefined | string;

The project the unique service account was created for. If it is not provided, the provider project is used.

property userProject

userProject?: undefined | string;

The project the lookup originates from. This field is used if you are making the request from a different account than the one you are finding the service account for.

interface GetProjectServiceAccountResult

interface GetProjectServiceAccountResult

A collection of values returned by getProjectServiceAccount.

property emailAddress

emailAddress: string;

The email address of the service account. This value is often used to refer to the service account in order to grant IAM permissions.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property project

project: string;

property userProject

userProject?: undefined | string;

interface GetTransferProjectServieAccountArgs

interface GetTransferProjectServieAccountArgs

A collection of arguments for invoking getTransferProjectServieAccount.

property project

project?: undefined | string;

The project ID. If it is not provided, the provider project is used.

interface GetTransferProjectServieAccountResult

interface GetTransferProjectServieAccountResult

A collection of values returned by getTransferProjectServieAccount.

property email

email: string;

Email address of the default service account used by Storage Transfer Jobs running in this project

property id

id: string;

The provider-assigned unique ID for this managed resource.

property project

project: string;

interface HmacKeyArgs

interface HmacKeyArgs

The set of arguments for constructing a HmacKey resource.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property serviceAccountEmail

serviceAccountEmail: pulumi.Input<string>;

The email address of the key’s associated service account.

property state

state?: pulumi.Input<string>;

The state of the key. Can be set to one of ACTIVE, INACTIVE.

interface HmacKeyState

interface HmacKeyState

Input properties used for looking up and filtering HmacKey resources.

property accessId

accessId?: pulumi.Input<string>;

The access ID of the HMAC Key.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property secret

secret?: pulumi.Input<string>;

HMAC secret key material.

property serviceAccountEmail

serviceAccountEmail?: pulumi.Input<string>;

The email address of the key’s associated service account.

property state

state?: pulumi.Input<string>;

The state of the key. Can be set to one of ACTIVE, INACTIVE.

property timeCreated

timeCreated?: pulumi.Input<string>;

‘The creation time of the HMAC key in RFC 3339 format. ‘

property updated

updated?: pulumi.Input<string>;

‘The last modification time of the HMAC key metadata in RFC 3339 format.’

interface NotificationArgs

interface NotificationArgs

The set of arguments for constructing a Notification resource.

property bucket

bucket: pulumi.Input<string>;

The name of the bucket.

property customAttributes

customAttributes?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A set of key/value attribute pairs to attach to each Cloud PubSub message published for this notification subscription

property eventTypes

eventTypes?: pulumi.Input<pulumi.Input<string>[]>;

List of event type filters for this notification config. If not specified, Cloud Storage will send notifications for all event types. The valid types are: "OBJECT_FINALIZE", "OBJECT_METADATA_UPDATE", "OBJECT_DELETE", "OBJECT_ARCHIVE"

property objectNamePrefix

objectNamePrefix?: pulumi.Input<string>;

Specifies a prefix path filter for this notification config. Cloud Storage will only send notifications for objects in this bucket whose names begin with the specified prefix.

property payloadFormat

payloadFormat: pulumi.Input<string>;

The desired content of the Payload. One of "JSON_API_V1" or "NONE".

property topic

topic: pulumi.Input<string>;

The Cloud PubSub topic to which this subscription publishes. Expects either the topic name, assumed to belong to the default GCP provider project, or the project-level name, i.e. projects/my-gcp-project/topics/my-topic or my-topic. If the project is not set in the provider, you will need to use the project-level name.

interface NotificationState

interface NotificationState

Input properties used for looking up and filtering Notification resources.

property bucket

bucket?: pulumi.Input<string>;

The name of the bucket.

property customAttributes

customAttributes?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A set of key/value attribute pairs to attach to each Cloud PubSub message published for this notification subscription

property eventTypes

eventTypes?: pulumi.Input<pulumi.Input<string>[]>;

List of event type filters for this notification config. If not specified, Cloud Storage will send notifications for all event types. The valid types are: "OBJECT_FINALIZE", "OBJECT_METADATA_UPDATE", "OBJECT_DELETE", "OBJECT_ARCHIVE"

property notificationId

notificationId?: pulumi.Input<string>;

The ID of the created notification.

property objectNamePrefix

objectNamePrefix?: pulumi.Input<string>;

Specifies a prefix path filter for this notification config. Cloud Storage will only send notifications for objects in this bucket whose names begin with the specified prefix.

property payloadFormat

payloadFormat?: pulumi.Input<string>;

The desired content of the Payload. One of "JSON_API_V1" or "NONE".

property selfLink

selfLink?: pulumi.Input<string>;

The URI of the created resource.

property topic

topic?: pulumi.Input<string>;

The Cloud PubSub topic to which this subscription publishes. Expects either the topic name, assumed to belong to the default GCP provider project, or the project-level name, i.e. projects/my-gcp-project/topics/my-topic or my-topic. If the project is not set in the provider, you will need to use the project-level name.

interface ObjectAccessControlArgs

interface ObjectAccessControlArgs

The set of arguments for constructing a ObjectAccessControl resource.

property bucket

bucket: pulumi.Input<string>;

The name of the bucket.

property entity

entity: pulumi.Input<string>;

The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as “user-liz@example.com”) * group-{{groupId}} * group-{{email}} (such as “group-example@googlegroups.com”) * domain-{{domain}} (such as “domain-example.com”) * project-team-{{projectId}} * allUsers * allAuthenticatedUsers

property object

object: pulumi.Input<string>;

The name of the object to apply the access control to.

property role

role: pulumi.Input<string>;

The access permission for the entity.

interface ObjectAccessControlState

interface ObjectAccessControlState

Input properties used for looking up and filtering ObjectAccessControl resources.

property bucket

bucket?: pulumi.Input<string>;

The name of the bucket.

property domain

domain?: pulumi.Input<string>;

The domain associated with the entity.

property email

email?: pulumi.Input<string>;

The email address associated with the entity.

property entity

entity?: pulumi.Input<string>;

The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as “user-liz@example.com”) * group-{{groupId}} * group-{{email}} (such as “group-example@googlegroups.com”) * domain-{{domain}} (such as “domain-example.com”) * project-team-{{projectId}} * allUsers * allAuthenticatedUsers

property entityId

entityId?: pulumi.Input<string>;

The ID for the entity

property generation

generation?: pulumi.Input<number>;

The content generation of the object, if applied to an object.