This topic gives you reference information about the Google Storage Bucket service (csb-google-storage-bucket). It details the plans, configuration parameters, and binding credentials.

Note Release v1.2.0 removes brokerpak pre-configured plans for Google Storage Bucket. All plans must be configured through the tile. If you have instances of Google Storage Bucket that were created in previous versions and that you want to maintain, see Previously Provided Pre-configured Plans. For more information about upgrade steps, see Upgrading Tanzu Cloud Service Broker for GCP.

Plan Configuration Parameters

When configuring Cloud Service Broker for GCP you can add additional plans. For how to configure plans, see Configure Services with Cloud Service Broker for GCP.

The following table lists parameters which can only be configured for additional plans:

Parameter Name  | Values                                                                   | Default
name*           | The plan name                                                            | n/a
id*             | A unique GUID                                                            | n/a
description*    | Description of the new plan                                              | n/a
free            | When false, Service Instances of this Service Plan have a cost           | true
bindable        | Specifies whether Service Instances of the Service Plan can bind to applications | true
plan_updateable | Whether the Plan supports upgrade/downgrade/sidegrade to another version | true

* Required

You can also add any of the configuration parameters listed in the parameters section to your plan.

Note If you set a parameter at plan level, developers cannot change the value when creating or updating service instances.

Configuration Parameters

You can provision a service by running:

cf create-service csb-google-storage-bucket PLAN-NAME SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

You can update the configuration parameters for a service instance by running:

cf update-service SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following entries list the parameters that you can configure, by using the -c flag, when provisioning a csb-google-storage-bucket service. Each entry gives the parameter type, its default, and the operation (provision, update, or both) in which it can be set:

name
  Type: string. Default: csb-INSTANCE-ID. Operation: provision.
  The name of the bucket to create. To see the requirements the name must meet, see the Google Cloud documentation. Names that contain dots require domain verification, see the Google Cloud documentation.

storage_class
  Type: string. Default: MULTI_REGIONAL. Operation: provision and update.
  The storage class of the new bucket. Accepted values are STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, or ARCHIVE. When using MULTI_REGIONAL, you must choose a valid multi-region location; see the region parameter for more information.

versioning
  Type: boolean. Default: false. Operation: provision and update.
  Whether object versioning is enabled. With versioning on, overwritten and deleted objects are kept as noncurrent versions instead of being lost. For more information about versioning, see the Google Cloud documentation.

uniform_bucket_level_access
  Type: boolean. Default: false. Operation: provision and update.
  Enables uniform bucket-level access, so that access is controlled by IAM only and ACLs are deactivated. After 90 days with the option enabled, it becomes permanent and cannot be reverted. For more information about uniform bucket-level access, see the Google Cloud documentation.

predefined_acl
  Type: string. Default: "". Operation: provision and update.
  The predefined ACL to apply to the bucket, for example private or publicRead. It cannot be specified together with uniform_bucket_level_access. Public ACLs such as publicRead grant access to allUsers and conflict with public_access_prevention set to enforced (the default). For more information about predefined ACLs, see the Google Cloud documentation.

region
  Type: string. Default: the value the operator entered for Region in Ops Manager. Operation: provision.
  The region of the bucket instance. When using multi-region buckets, you must choose a valid multi-region location, for example us, eu, or asia, either in the plan or at provisioning time. The default region set by the operator in the tile configuration section might not be valid for multi-region. For more information about the regions, see the Google Cloud documentation.

placement_dual_region_data_locations
  Type: array. Default: []. Operation: provision.
  The list of individual regions that comprise a dual-region bucket. The MULTI_REGIONAL and REGIONAL storage classes cannot be used for a dual-region bucket; check the list of valid storage classes for dual-region. For more information about valid regions, see the Google Cloud documentation. Example configuration:
  -c '{"placement_dual_region_data_locations": ["us-east1","us-east4"], "storage_class": "STANDARD", "region": "us"}'

public_access_prevention
  Type: string. Default: enforced. Operation: provision and update.
  Prevents public access to the bucket. Accepted values are inherited (the bucket follows the organization policy) or enforced (grants to allUsers and allAuthenticatedUsers are blocked regardless of organization policy).

default_kms_key_name
  Type: string. Default: "" (objects are encrypted with a Google-managed key). Operation: provision and update.
  The resource ID of a Cloud KMS key that is used to encrypt objects inserted into this bucket. For more information about creating customer-managed encryption keys, see the Google Cloud documentation.
  The key ring must be in the same location as the data you intend to encrypt (the same location as the region property), but it can be in a different project. For available Cloud KMS locations, see the Google Cloud documentation.
  For most dual-regions, you must create the key ring in the associated multi-region, but for predefined dual-regions, you must create the key ring in the same predefined dual-region.
  Each project has a special Cloud Storage service account, called a service agent, that performs encryption and decryption with customer-managed encryption keys. That service agent must be allowed to use the key (the Cloud KMS CryptoKey Encrypter/Decrypter role on the key), otherwise object writes to the bucket fail. For more information about service agents, see the Google Cloud documentation. For more information about finding the email address of a project's Cloud Storage service agent, see the Google Cloud documentation. To get the id of a Cloud KMS key, follow these steps.

autoclass
  Type: boolean. Default: false. Operation: provision.
  Automatically transitions each object to hotter or colder storage based on object-level activity, to optimize for cost and latency. Autoclass can only be set at provisioning.
  Caution: Only the STANDARD storage class is accepted when you enable the Autoclass feature. Any attempt to enable it with a storage class other than STANDARD causes an error.
  For more information about the Autoclass feature, see the Google Cloud documentation.

retention_policy_retention_period
  Type: number. Default: 0 (no retention policy). Operation: provision and update.
  Configures the data retention policy for the bucket: the period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived. The maximum value is 2147483647 (2,147,483,647 seconds). For more information about the retention policy feature, see the Google Cloud documentation.

retention_policy_is_locked
  Type: boolean. Default: false. Operation: provision and update.
  Locks the retention policy so that it is permanently set on the bucket.
  Caution: Locking a retention policy is an irreversible action. After you set it to true, any attempt to set it to false causes an error.

  A locked retention policy means:
    • It is not possible to remove the retention policy.
    • It is not possible to delete the bucket unless every object in the bucket has met the retention period.
    • It is not possible to reduce or increase the retention period of a locked retention policy.
  For the property to take effect, retention_policy_retention_period must be set to a value greater than 0. For more information about policy locks, see the Google Cloud documentation.

credentials
  Type: string. Default: the value the operator entered for Credentials in Ops Manager. Operation: provision and update.
  The GCP credentials.

project
  Type: string. Default: the value the operator entered for Project in Ops Manager. Operation: provision and update.
  The GCP project to use.
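Several of the parameters above constrain each other (predefined_acl versus uniform_bucket_level_access, autoclass versus storage_class, dual-region versus MULTI_REGIONAL/REGIONAL, a locked retention policy versus a zero period), and some can only be set at provisioning. The following is an added example, not code from the CSB for GCP documentation or from the broker itself, that checks those constraints locally, builds the cf create-service and cf update-service command lines on top of a hardened baseline, and produces a plan block that pins that baseline so developers cannot weaken it (the plan-level note above). The hardened defaults are this example's choice, not the broker's defaults; the constraint rules are the ones stated in the entries above. Nothing is executed against Cloud Foundry or GCP; the functions only return argument lists.

```python
"""Added example: validate csb-google-storage-bucket parameters and build cf commands.
Not part of the CSB for GCP docs or the broker's code. Constraints come from the
parameter reference on this page; HARDENED_DEFAULTS is this example's baseline."""
import json

STORAGE_CLASSES = {"STANDARD", "MULTI_REGIONAL", "REGIONAL", "NEARLINE", "COLDLINE", "ARCHIVE"}
MAX_RETENTION_SECONDS = 2147483647
# Parameters the reference marks "provision" only: cf update-service cannot change them.
PROVISION_ONLY = {"name", "region", "placement_dual_region_data_locations", "autoclass"}

# Hardened baseline for a private bucket: IAM only (no ACLs), public access blocked
# regardless of organization policy, versioning on so deletions are recoverable.
HARDENED_DEFAULTS = {
    "storage_class": "STANDARD",
    "uniform_bucket_level_access": True,
    "public_access_prevention": "enforced",
    "versioning": True,
}


def validate_params(params, partial=False):
    """Return the constraint violations in `params` (empty list means consistent).
    With partial=True only the supplied values are checked (for update-service),
    because the bucket's current settings are not known locally."""
    problems = []
    sc = params.get("storage_class", None if partial else "MULTI_REGIONAL")  # broker default
    if sc is not None and sc not in STORAGE_CLASSES:
        problems.append(f"storage_class {sc!r} is not a valid storage class")
    if params.get("predefined_acl") and params.get("uniform_bucket_level_access"):
        problems.append("predefined_acl cannot be specified with uniform_bucket_level_access")
    if params.get("autoclass") and sc != "STANDARD":
        problems.append("autoclass requires storage_class STANDARD")
    if params.get("placement_dual_region_data_locations") and sc in {"MULTI_REGIONAL", "REGIONAL"}:
        problems.append("dual-region buckets cannot use MULTI_REGIONAL or REGIONAL")
    if params.get("public_access_prevention", "enforced") not in {"inherited", "enforced"}:
        problems.append("public_access_prevention must be 'inherited' or 'enforced'")
    period = params.get("retention_policy_retention_period", None if partial else 0)
    if period is not None and not 0 <= period <= MAX_RETENTION_SECONDS:
        problems.append(f"retention_policy_retention_period must be 0..{MAX_RETENTION_SECONDS}")
    if params.get("retention_policy_is_locked") and period is not None and period <= 0:
        problems.append("retention_policy_is_locked needs retention_policy_retention_period > 0")
    return problems


def exposure_warnings(params):
    """Valid settings that widen who can read the bucket or that cannot be undone."""
    warnings = []
    if params.get("public_access_prevention", "enforced") != "enforced":
        warnings.append("public_access_prevention is inherited: only the org policy blocks allUsers grants")
    acl = params.get("predefined_acl") or ""
    if acl.startswith("public") or acl == "authenticatedRead":
        warnings.append(f"predefined_acl {acl!r} grants access outside the project")
    if not params.get("uniform_bucket_level_access"):
        warnings.append("uniform_bucket_level_access is off: per-object ACLs stay in effect")
    if params.get("retention_policy_is_locked"):
        warnings.append("retention_policy_is_locked is irreversible; the bucket cannot be deleted early")
    return warnings


def build_params(overrides=None):
    """Merge overrides onto the hardened baseline and reject inconsistent combinations."""
    params = {**HARDENED_DEFAULTS, **(overrides or {})}
    problems = validate_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    return params


def create_service_command(plan, instance, overrides=None):
    """Argument list for cf create-service, suitable for subprocess.run(..., check=True)."""
    return ["cf", "create-service", "csb-google-storage-bucket", plan, instance,
            "-c", json.dumps(build_params(overrides), sort_keys=True)]


def update_service_command(instance, changes):
    """Argument list for cf update-service; refuses provision-only parameters up front."""
    fixed = PROVISION_ONLY & set(changes)
    if fixed:
        raise ValueError(f"cannot change after provisioning: {sorted(fixed)}")
    problems = validate_params(changes, partial=True)
    if problems:
        raise ValueError("; ".join(problems))
    return ["cf", "update-service", instance, "-c", json.dumps(changes, sort_keys=True)]


def hardened_plan(name, plan_id, description):
    """Tile plan block that pins the baseline; plan-level values cannot be overridden by developers."""
    return {"name": name, "id": plan_id, "description": description, **HARDENED_DEFAULTS}


if __name__ == "__main__":
    cmd = create_service_command("private", "my-bucket", {"retention_policy_retention_period": 30 * 86400})
    print(" ".join(cmd))
    print(json.dumps(hardened_plan("private-hardened", "PLAN-GUID", "Private bucket, IAM only"), indent=2))
```

The partial mode exists because an update cannot see the bucket's current settings: locking a retention policy on an update is legitimate when the period was set at provisioning, so only conflicts between the supplied values are reported. The plan block from hardened_plan is the JSON to paste into the tile; PLAN-GUID is a placeholder for the unique GUID the plan requires.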

Binding Parameters

You can bind a service by running:

cf bind-service APP-NAME SERVICE-INSTANCE --binding-name BINDING-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'

The following table lists the parameters that you can configure, by using the -c flag, when binding to a csb-google-storage-bucket service:

Parameter Name | Type   | Description                                                                                                                                                                                                               | Default
role           | string | (Required) The role for the account, given without the "roles/" prefix: storage.objectAdmin, storage.objectCreator, or storage.objectViewer (that is, roles/storage.objectAdmin, roles/storage.objectCreator, and roles/storage.objectViewer). Your operator can override this enumeration. For more information, see the Google Cloud documentation. | n/a
credentials    | string | The GCP credentials.                                                                                                                                                                                                       | The value the operator entered for Credentials in Ops Manager.
project        | string | The GCP project to use.                                                                                                                                                                                                    | The value the operator entered for Project in Ops Manager.

Binding Credentials

Binding to a Cloud Storage bucket creates a Google Cloud service account that is granted a role within the bucket. The role granted depends on the role property specified when the binding is created, so give each app the least-privileged role it needs (for example, storage.objectViewer for a read-only consumer). Because the binding credentials contain that service account's private key, treat them as secrets: read them from the binding in VCAP_SERVICES rather than copying them into application configuration or logs.

The format for binding credentials for a Cloud Storage bucket is as follows:

{
    "bucket_name" : "BUCKET-NAME",
    "id" : "BUCKET-ID",
    "credentials" : "SERVICE-ACCOUNT-CREDENTIALS",
    "email" : "SERVICE-ACCOUNT-EMAIL",
    "name" : "SERVICE-ACCOUNT-NAME",
    "private_key_data" : "SERVICE-ACCOUNT-PRIVATE-KEY",
    "project_id" : "GCP-PROJECT-ID",
    "unique_id" : "SERVICE-ACCOUNT-UNIQUE-ID"
}

Where:

  • SERVICE-ACCOUNT-CREDENTIALS is the service account key JSON, the same content you get as a file when creating service account keys through the CLI or web console.
  • SERVICE-ACCOUNT-PRIVATE-KEY is that same service account key JSON, base64-encoded.
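The following is an added example, not code from the CSB for GCP documentation or the broker, of how an application consumes this binding: it locates the csb-google-storage-bucket entry in VCAP_SERVICES, decodes private_key_data, cross-checks the decoded key against the email, project_id, unique_id and credentials fields so the app fails closed if the binding is inconsistent, and writes the key to a mode-0600 file for GOOGLE_APPLICATION_CREDENTIALS. It assumes the binding shape shown above, with credentials as the key JSON string and private_key_data as the same JSON base64-encoded. The VCAP_SERVICES document and the key inside it are constructed for the example; the private key is a placeholder string, not real key material.

```python
"""Added example: consume a csb-google-storage-bucket binding from VCAP_SERVICES.
Not part of the CSB for GCP docs or the broker's code. The sample binding and
key below are constructed for the example; the private key is a placeholder."""
import base64
import json
import os

# Constructed service account key (placeholder private key, not real material).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "csb-bucket-sa@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
}

# Constructed VCAP_SERVICES with one binding in the format documented above.
SAMPLE_VCAP_SERVICES = json.dumps({
    "csb-google-storage-bucket": [{
        "label": "csb-google-storage-bucket",
        "name": "my-bucket",
        "binding_name": "bucket-binding",
        "plan": "private",
        "credentials": {
            "bucket_name": "csb-0123abcd-example",
            "id": "csb-0123abcd-example",
            "credentials": json.dumps(SAMPLE_KEY),
            "email": SAMPLE_KEY["client_email"],
            "name": "csb-bucket-sa",
            "private_key_data": base64.b64encode(json.dumps(SAMPLE_KEY).encode()).decode(),
            "project_id": SAMPLE_KEY["project_id"],
            "unique_id": SAMPLE_KEY["client_id"],
        },
    }]
})

# Same document with the client_email inside `credentials` altered (constructed
# inconsistency, to show the fail-closed path).
SAMPLE_VCAP_SERVICES_MISMATCH = SAMPLE_VCAP_SERVICES.replace(
    SAMPLE_KEY["client_email"], "other@example-project.iam.gserviceaccount.com", 1)


def load_bucket_binding(vcap_services, label="csb-google-storage-bucket"):
    """Return {'bucket_name', 'email', 'project_id', 'key'} for the first `label` binding.
    Raises ValueError if the binding is missing or its fields disagree with the decoded
    key, so the app refuses to start with a key for an unexpected account."""
    bindings = json.loads(vcap_services).get(label) or []
    if not bindings:
        raise ValueError(f"no {label} binding in VCAP_SERVICES")
    creds = bindings[0]["credentials"]

    key = json.loads(base64.b64decode(creds["private_key_data"]))
    if key.get("type") != "service_account":
        raise ValueError("private_key_data is not a service account key")

    # `credentials` should carry the same key as private_key_data; accept it pre-parsed too.
    inline = creds.get("credentials")
    if isinstance(inline, str):
        inline = json.loads(inline)
    if inline is not None and inline.get("client_email") != key.get("client_email"):
        raise ValueError("credentials and private_key_data describe different accounts")

    # The top-level identity fields must agree with the key they accompany.
    for field, key_field in (("email", "client_email"), ("project_id", "project_id"),
                             ("unique_id", "client_id")):
        if creds.get(field) != key.get(key_field):
            raise ValueError(f"binding field {field} does not match key field {key_field}")

    return {"bucket_name": creds["bucket_name"], "email": creds["email"],
            "project_id": creds["project_id"], "key": key}


def write_key_file(key, path):
    """Write the key JSON with mode 0600 (created, not chmod-ed afterwards) and return the path,
    for use as GOOGLE_APPLICATION_CREDENTIALS by a Google client library."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(key, fh)
    return path


if __name__ == "__main__":
    binding = load_bucket_binding(os.environ.get("VCAP_SERVICES", SAMPLE_VCAP_SERVICES))
    print(binding["bucket_name"], binding["email"], binding["project_id"])
```

Decoding private_key_data rather than trusting the email and project_id fields means the identity the app logs and the identity it authenticates with are always the same key; if an operator-side change ever makes the fields disagree, the app stops instead of silently acting as a different account.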

Previously Provided Pre-configured Plans

The following table lists the previously provided plans for the Google Cloud Storage service:

Plan Description
private Private Storage bucket
public-read Public-read Storage bucket

To keep these plans in this version of the broker, add them through the tile as custom plans. For how to configure plans through the tile, see Configure Services with Cloud Service Broker for GCP.

Add the following block to keep the private plan:

{
    "name": "private",
    "id": "bbc4853e-8a63-11ea-a54e-670ca63cee0b",
    "description": "Private Storage bucket",
    "metadata": {
      "displayName": "Private"
    }
}

Add the following block to keep the public-read plan:

{
    "name": "public-read",
    "id": "c07f21a6-8a63-11ea-bc1b-d38b123189cb",
    "description": "Public-read Storage bucket",
    "metadata": {
      "displayName": "Public Read"
    }
}