This topic gives you reference information about the Google Storage Bucket service (csb-google-storage-bucket). It details the plans, configuration parameters, and binding credentials.
Note: Release v1.2.0 removes brokerpak pre-configured plans for Google Storage Bucket. All plans must be configured through the tile. If you have instances of Google Storage Bucket that were created in previous versions and that you want to maintain, see Previously Provided Pre-configured Plans. For more information about upgrade steps, see Upgrading Tanzu Cloud Service Broker for GCP.
When configuring Cloud Service Broker for GCP you can add additional plans. For how to configure plans, see Configure Services with Cloud Service Broker for GCP.
The following table lists parameters which can only be configured for additional plans:

Parameter Name | Values | Default |
---|---|---|
name * | The plan name | n/a |
id * | A unique GUID | n/a |
description * | Description of the new plan | n/a |
free | When false, Service Instances of this Service Plan have a cost | true |
bindable | Specifies whether Service Instances of the Service Plan can bind to applications | true |
plan_updateable | Whether the Plan supports upgrade/downgrade/sidegrade to another version | true |

\* Required
You can also add any of the configuration parameters listed in the parameters section to your plan.
Note: If you set a parameter at plan level, developers cannot change the value when creating or updating service instances.
You can provision a service by running:

```shell
cf create-service csb-google-storage-bucket PLAN-NAME SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'
```

You can update the configuration parameters for a service instance by running:

```shell
cf update-service SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'
```

The following table lists the parameters that you can configure, by using the -c flag, when provisioning a csb-google-storage-bucket service:
Parameter Name | Type | Description | Default | Operation |
---|---|---|---|---|
name | string | The name of the bucket to create. For the requirements the name must meet, see the Google Cloud documentation. Names that contain dots require verification; see the Google Cloud documentation. | csb-INSTANCE-ID | provision |
storage_class | string | The storage class of the new bucket. Accepted values are `STANDARD`, `MULTI_REGIONAL`, `REGIONAL`, `NEARLINE`, `COLDLINE`, or `ARCHIVE`. When setting Multi-Region, you must choose a valid region for Multi-Region; see the `region` field for more information. | `MULTI_REGIONAL` | provision and update |
versioning | boolean | Whether the versioning configuration is enabled. For more information about versioning, see the Google Cloud documentation. | false | provision and update |
uniform_bucket_level_access | boolean | Enables uniform bucket-level access on the bucket. When enabled, the setting becomes permanent after 90 days. It deactivates ACLs. For more information about uniform bucket-level access, see the Google Cloud documentation. | false | provision and update |
predefined_acl | string | The predefined ACL to apply to the bucket, for example `private` or `publicRead`. For more information about predefined ACLs, see the Google Cloud documentation. It cannot be specified together with `uniform_bucket_level_access`. | `""` | provision and update |
region | string | The region of the bucket instance. When using Multi-Region buckets, you must choose a valid region for the Multi-Region configuration either in the plan or at provisioning time, for example `us`, `eu`, or `asia`. The default region set by the operator in the tile configuration section might not work for Multi-Region. For more information about the regions, see the Google Cloud documentation. | The value the operator entered for Region in Tanzu Operations Manager. | provision |
placement_dual_region_data_locations | array | The list of individual regions that make up a dual-region bucket. Check the list of valid storage classes for dual-region. For more information about valid regions, see the Google Cloud documentation. The `MULTI_REGIONAL` and `REGIONAL` storage classes cannot be used for a dual-region bucket. Example configuration: `-c '{"placement_dual_region_data_locations": ["us-east1","us-east4"], "storage_class": "STANDARD", "region": "us"}'`. | `[]` | provision |
public_access_prevention | string | Prevents public access to the bucket. Accepted values are `inherited` or `enforced`. | `enforced` | provision and update |
default_kms_key_name | string | The id of a Cloud KMS key that is used to encrypt objects inserted into this bucket. Its default value is `""`, so a Google-managed encryption key is used instead. For more information about creating customer-managed encryption keys, see the Google Cloud documentation. The key ring must be in the same location as the data you intend to encrypt (the same location as the `region` property), but it can be in a different project. For available Cloud KMS locations, see the Google Cloud documentation. For most dual-regions, you must create the key ring in the associated multi-region, but for predefined dual-regions, you must create the key ring in the same predefined dual-region. Each project has a special Cloud Storage service account called a service agent that performs encryption and decryption with customer-managed encryption keys. For more information about service agents, see the Google Cloud documentation. For more information about finding the email address of a project's Cloud Storage service agent, see the Google Cloud documentation. To get the id of a Cloud KMS key, follow these steps. | `""` | provision and update |
autoclass | boolean | Automatically transitions each object to hotter or colder storage based on object-level activity, to optimize for cost and latency. The value can only be set during provisioning. Caution: only the `STANDARD` storage class is accepted when you enable the Autoclass feature; any attempt to enable it with a storage class other than `STANDARD` causes an error. For more information about the Autoclass feature, see the Google Cloud documentation. | false | provision |
retention_policy_retention_period | number | Configures the data retention policy for the bucket: the period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived. The maximum value is 2147483647 (2,147,483,647 seconds). For more information about the retention policy feature, see the Google Cloud documentation. | 0 | provision and update |
retention_policy_is_locked | boolean | Locks the retention policy so that it is permanently set on the bucket. Caution: locking a retention policy is an irreversible action. After you set it to `true`, any attempt to set it to `false` causes an error. A locked retention policy requires `retention_policy_retention_period` to be set to a value greater than 0. For more information about policy locks, see the Google Cloud documentation. | false | provision and update |
credentials | string | The GCP credentials. | The value the operator entered for Credentials in Tanzu Operations Manager. | provision and update |
project | string | The GCP project to use. | The value the operator entered for Project in Tanzu Operations Manager. | provision and update |
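As an added illustration that is not part of the broker's documentation or code, the following Python helper checks a `-c` parameter set against the cross-parameter rules stated in the table (ACLs versus uniform access, Autoclass versus storage class, dual-region storage classes, retention lock versus period) and builds the `cf create-service` line for a private, versioned, CMEK-encrypted bucket. The KMS key path, plan name and instance name used with it are placeholders, not values from this page.

```python
import json

# Documented value constraints for csb-google-storage-bucket provisioning parameters.
STORAGE_CLASSES = {"STANDARD", "MULTI_REGIONAL", "REGIONAL", "NEARLINE", "COLDLINE", "ARCHIVE"}
MAX_RETENTION_SECONDS = 2147483647

def validate_bucket_params(params):
    """Return the documented rules a -c parameter set violates (empty list if none)."""
    errors = []
    storage_class = params.get("storage_class", "MULTI_REGIONAL")  # table default
    period = params.get("retention_policy_retention_period", 0)
    if storage_class not in STORAGE_CLASSES:
        errors.append(f"unknown storage_class {storage_class}")
    if params.get("public_access_prevention", "enforced") not in ("inherited", "enforced"):
        errors.append("public_access_prevention must be inherited or enforced")
    # predefined_acl and uniform bucket-level access are mutually exclusive.
    if params.get("predefined_acl") and params.get("uniform_bucket_level_access"):
        errors.append("predefined_acl cannot be specified with uniform_bucket_level_access")
    # Autoclass only accepts the STANDARD storage class.
    if params.get("autoclass") and storage_class != "STANDARD":
        errors.append("autoclass requires storage_class STANDARD")
    # Dual-region buckets cannot use MULTI_REGIONAL or REGIONAL.
    if params.get("placement_dual_region_data_locations") and storage_class in ("MULTI_REGIONAL", "REGIONAL"):
        errors.append("dual-region buckets cannot use the MULTI_REGIONAL or REGIONAL storage class")
    if not 0 <= period <= MAX_RETENTION_SECONDS:
        errors.append("retention_policy_retention_period must be between 0 and 2147483647")
    # A locked retention policy needs a retention period greater than 0.
    if params.get("retention_policy_is_locked") and period <= 0:
        errors.append("retention_policy_is_locked requires retention_policy_retention_period > 0")
    return errors

def hardened_bucket_params(kms_key_name, region="us"):
    """Parameters for a private, versioned, CMEK-encrypted bucket with ACLs disabled."""
    return {
        "region": region,
        "storage_class": "STANDARD",
        "versioning": True,
        "uniform_bucket_level_access": True,
        "public_access_prevention": "enforced",
        "default_kms_key_name": kms_key_name,  # placeholder path supplied by the caller
        "retention_policy_retention_period": 30 * 86400,  # 30 days, not locked
    }

def create_service_command(plan, instance, params):
    """Build the cf create-service line, refusing parameter sets that break a documented rule."""
    problems = validate_bucket_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    return f"cf create-service csb-google-storage-bucket {plan} {instance} -c '{json.dumps(params)}'"
```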
You can bind a service by running:

```shell
cf bind-service APP-NAME SERVICE-INSTANCE --binding-name BINDING-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'
```

The following table lists the parameters that you can configure, by using the -c flag, when binding to a csb-google-storage-bucket service:
Parameter Name | Type | Description | Default |
---|---|---|---|
role | string | (Required) The role for the account without the "roles" prefix. For more information, see the Google Cloud documentation. Your operator can override the default enumeration. Options are `roles/storage.objectAdmin`, `roles/storage.objectCreator`, and `roles/storage.objectViewer`. | n/a |
credentials | string | The GCP credentials. | The value the operator entered for Credentials in Tanzu Operations Manager. |
project | string | The GCP project to use. | The value the operator entered for Project in Tanzu Operations Manager. |

Binding to a Cloud Storage bucket creates a Google Cloud service account that is granted a role within the bucket. The role granted depends on the role property specified when the binding is created.
The format for binding credentials for a Cloud Storage bucket is as follows:

```json
{
  "bucket_name": "BUCKET-NAME",
  "id": "BUCKET-ID",
  "credentials": "SERVICE-ACCOUNT-CREDENTIALS",
  "email": "SERVICE-ACCOUNT-EMAIL",
  "name": "SERVICE-ACCOUNT-NAME",
  "private_key_data": "DEPRECATED - SERVICE-ACCOUNT-PRIVATE-KEY",
  "project_id": "DEPRECATED - GCP-PROJECT-ID",
  "PrivateKeyData": "SERVICE-ACCOUNT-PRIVATE-KEY",
  "ProjectId": "GCP-PROJECT-ID",
  "unique_id": "SERVICE-ACCOUNT-UNIQUE-ID"
}
```

Where:

- SERVICE-ACCOUNT-CREDENTIALS is what you normally get as a file when creating service account keys through the CLI or web console (JSON format).
- SERVICE-ACCOUNT-PRIVATE-KEY is the base64-encoded private key in JSON format.

Important: The binding duplicates the credential properties **private key data** and **project id** to match old and new naming conventions, to ensure seamless integration and backward compatibility. The `private_key_data` and `project_id` properties are deprecated and will be deleted in later versions.
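As an added example that is not part of the broker's own code, the following Python snippet reads such a binding from a constructed VCAP_SERVICES document, prefers `PrivateKeyData` and `ProjectId` over the deprecated names so it keeps working after those are removed, decodes the base64 key, and checks that it belongs to the service account named in the binding. The VCAP_SERVICES layout, the placeholder key material, and the assumption that `PrivateKeyData` is the base64 encoding of the same service-account key JSON carried in `credentials` are all assumptions of this example.

```python
import base64
import json

# Constructed sample of a csb-google-storage-bucket entry in VCAP_SERVICES; the key
# material is a placeholder, not a real service-account key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER-KEY-ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "csb-binding@example-project.iam.gserviceaccount.com",
})
SAMPLE_VCAP_SERVICES = json.dumps({"csb-google-storage-bucket": [{
    "name": "my-bucket",
    "credentials": {
        "bucket_name": "csb-0123",
        "id": "csb-0123",
        "credentials": SAMPLE_KEY,
        "email": "csb-binding@example-project.iam.gserviceaccount.com",
        "name": "csb-binding",
        "PrivateKeyData": base64.b64encode(SAMPLE_KEY.encode()).decode(),
        "ProjectId": "example-project",
        "unique_id": "000000000000000000000",
    },
}]})
# The same binding exposing only the deprecated names, to exercise the fallback path.
SAMPLE_VCAP_SERVICES_LEGACY = (SAMPLE_VCAP_SERVICES
    .replace('"PrivateKeyData"', '"private_key_data"')
    .replace('"ProjectId"', '"project_id"'))

def load_bucket_binding(vcap_services_json, service_label="csb-google-storage-bucket"):
    """Return (bucket_name, project_id, decoded service-account key) for the first binding."""
    bindings = json.loads(vcap_services_json).get(service_label) or []
    if not bindings:
        raise LookupError(f"no {service_label} binding in VCAP_SERVICES")
    creds = bindings[0]["credentials"]
    # Prefer the current names; fall back to the deprecated ones the broker still emits.
    key_b64 = creds.get("PrivateKeyData") or creds.get("private_key_data")
    project_id = creds.get("ProjectId") or creds.get("project_id")
    if not key_b64 or not project_id:
        raise KeyError("binding lacks private key data or project id")
    key = json.loads(base64.b64decode(key_b64))
    # Sanity check: it must be a service-account key for the account named in the binding.
    if key.get("type") != "service_account" or key.get("client_email") != creds.get("email"):
        raise ValueError("decoded key does not match the binding's service account")
    return creds["bucket_name"], project_id, key
```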
The following table lists the previously provided plans for the Google Cloud Storage service:
Plan | Description |
---|---|
private | Private Storage bucket |
public-read | Public-read Storage bucket |
To keep these plans in this version of the broker, add them through the tile as custom plans. For how to configure plans through the tile, see Configure Services with Cloud Service Broker for GCP.

Add the following block to keep the private plan:

```json
{
  "name": "private",
  "id": "bbc4853e-8a63-11ea-a54e-670ca63cee0b",
  "description": "Private Storage bucket",
  "metadata": {
    "displayName": "Private"
  }
}
```

Add the following block to keep the public-read plan:

```json
{
  "name": "public-read",
  "id": "c07f21a6-8a63-11ea-bc1b-d38b123189cb",
  "description": "Public-read Storage bucket",
  "metadata": {
    "displayName": "Public Read"
  }
}
```