Reputation: 33911
My goal here is to use GCP as a backup medium that would only allow additional files to be saved.
So no file modifications would be permitted. Is this supported natively?
Upvotes: 1
Views: 435
Reputation: 38379
Yes, this is possible in several ways. One option would be to grant the account doing the writing the IAM permission "roles/storage.objectCreator" and no other permissions.
Another, stronger option would be to use GCS retention policies to ensure that no user can delete objects for a period of months or years after the object is created. See https://cloud.google.com/storage/docs/bucket-lock for details.
The gist of it is that you run:
gsutil retention set TIME_DURATION gs://BUCKET_NAME
to set a retention policy. Test it carefully, and once you're happy with it, you may choose to run this (dangerously irrevocable) command to lock the policy in place so that you cannot remove it:
gsutil retention lock gs://BUCKET_NAME
Upvotes: 2
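An added example (not part of the answer above, and not Google's code) that audits the setup the answer describes: the writing account should hold roles/storage.objectCreator and nothing else on the bucket, and a retention policy should be set and locked. The service account name, the sample data and the function names are assumptions made for illustration. Only roles granted directly on the bucket are checked; roles inherited from the project do not appear in the bucket policy.

```python
import json

CREATOR = "roles/storage.objectCreator"

# Constructed sample: bucket IAM policy in the JSON shape printed by
# `gsutil iam get gs://BUCKET_NAME`. Member names are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectCreator",
   "members": ["serviceAccount:backup-writer@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:backup-writer@example-project.iam.gserviceaccount.com",
               "user:admin@example.com"]}
]}
""")

# Constructed sample: the retentionPolicy field of the bucket resource as the
# Cloud Storage JSON API returns it (retentionPeriod is seconds, as a string).
SAMPLE_BUCKET = {"retentionPolicy": {"retentionPeriod": "31536000", "isLocked": False}}


def roles_for(policy, member):
    """Return the set of roles the bucket policy grants directly to member."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_append_only(policy, bucket, writer, min_seconds):
    """List findings that break the 'create only, nothing deletable' setup."""
    findings = []
    roles = roles_for(policy, writer)
    if CREATOR not in roles:
        findings.append("writer lacks " + CREATOR)
    for role in sorted(roles - {CREATOR}):
        findings.append("writer also holds " + role)
    retention = bucket.get("retentionPolicy")
    if retention is None:
        findings.append("no retention policy set")
    else:
        if int(retention.get("retentionPeriod", 0)) < min_seconds:
            findings.append("retention period shorter than required")
        if not retention.get("isLocked", False):
            findings.append("retention policy is not locked")
    return findings


if __name__ == "__main__":
    writer = "serviceAccount:backup-writer@example-project.iam.gserviceaccount.com"
    for finding in audit_append_only(SAMPLE_POLICY, SAMPLE_BUCKET, writer, 365 * 86400):
        print(finding)
```

With the constructed samples, the audit reports the extra objectAdmin binding on the writer and the unlocked retention policy.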
Reputation: 49473
As Brandon mentioned, there is no mechanism to allow only new files to be added.
Although you might be able to convert your use case into one based on permissions and access control.
You can restrict who can upload files into which buckets using IAM and/or service accounts.
If you want more control at object level within the buckets, you can use Access Control Lists to achieve that.
Do read this section if ACLs are what you really want:
Should you use access control lists?
In most cases, Identity and Access Management (IAM) is the recommended method for controlling access to your resources. IAM and ACLs work in tandem to grant access to your buckets and objects: a user only needs permission from either IAM or an ACL to access a bucket or object.
You most likely want to use ACLs if you need to customize access to individual objects within a bucket, since IAM permissions apply to all objects within a bucket. However, you should still use IAM for any access that is common to all objects in a bucket, because this reduces the amount of micro-managing you have to do.
Upvotes: 1