Organiza tus páginas con colecciones
Guarda y categoriza el contenido según tus preferencias.
En esta página, se muestra cómo crear buckets de almacenamiento aislados de Google Distributed Cloud (GDC).
Antes de comenzar
Un espacio de nombres del proyecto administra los recursos del bucket en el servidor de la API de Management. Debes tener un proyecto para trabajar con buckets y objetos.
También debes tener los permisos de bucket adecuados para realizar la siguiente operación. Consulta Cómo otorgar acceso al bucket.
Lineamientos para asignar nombres a bucket de almacenamiento
Los nombres de los buckets deben cumplir con las siguientes convenciones de nomenclatura:
Ser único en el proyecto Un proyecto agrega un prefijo único al nombre del bucket, lo que garantiza que no haya conflictos dentro de la organización. En el improbable caso de que haya un conflicto entre el prefijo y el nombre del bucket en diferentes organizaciones, se producirá un error de "nombre de bucket en uso" y no se podrá crear el bucket.
Evita incluir información de identificación personal (PII).
Ser compatible con DNS
Debe tener al menos 1 y no más de 55 caracteres.
Comienza con una letra y usa solo letras, números y guiones.
Crea un bucket
Console
En el menú de navegación, haz clic en Object Storage.
Haga clic en Crear bucket.
En el flujo de creación del bucket, asigna un nombre único para todos los buckets del proyecto.
Ingresa una descripción.
Opcional: Haz clic en el botón de activación toggle_off para establecer una política de retención y, luego, ingresa la cantidad de días que prefieras. Comunícate con tu IO si necesitas superar los límites de la política de retención.
Haz clic en Crear. Aparecerá un mensaje de confirmación y se te redireccionará a la página Buckets.
Para verificar que creaste un bucket nuevo correctamente, actualiza la página Buckets después de unos minutos y comprueba que el estado del bucket se actualice de Not ready a Ready.
CLI
Para crear un bucket, aplica una especificación de bucket al espacio de nombres de tu proyecto:
kubectlapply-fbucket.yaml
A continuación, se muestra un ejemplo de una especificación de bucket:
Ten en cuenta que solo se admite el cifrado de la versión 2 para los buckets de doble zona, y todas las operaciones para crear, actualizar o borrar un recurso de bucket de doble zona deben realizarse en el servidor de la API global.
Verifica la creación del bucket y los recursos relacionados
Una vez que se cree el bucket, puedes ejecutar el siguiente comando para confirmar y verificar los detalles del bucket:
kubectldescribebucketsBUCKET_NAME-nNAMESPACE_NAME
La sección Estado tiene dos campos importantes: Encriptación (para los detalles de encriptación) y Nombre completo (que contiene el FULLY_QUALIFIED_BUCKET_NAME).
Encriptación v1
La información se refiere a la AEADKey denominada obj-FULLY_QUALIFIED_BUCKET_NAME, que sirve como referencia a la clave de encriptación empleada para encriptar los objetos almacenados en el bucket. A continuación, se muestra un ejemplo:
La información pertenece al secreto llamado kek-ref-FULLY_QUALIFIED_BUCKET_NAME, que actúa como referencia para las claves AEAD predeterminadas activas. Las claves AEAD predeterminadas activas se seleccionan de forma aleatoria para encriptar los objetos subidos al bucket cuando no se especifica una clave AEAD en particular.
[[["Fácil de comprender","easyToUnderstand","thumb-up"],["Resolvió mi problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Información o código de muestra incorrectos","incorrectInformationOrSampleCode","thumb-down"],["Faltan la información o los ejemplos que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-09-04 (UTC)"],[[["\u003cp\u003eThis guide outlines the process for creating air-gapped storage buckets within Google Distributed Cloud (GDC), which requires a project namespace for resource management and appropriate bucket permissions.\u003c/p\u003e\n"],["\u003cp\u003eBucket names must be unique within a project, DNS-compliant, between 1 and 55 characters, start with a letter, and use only letters, numbers, and hyphens, while refraining from containing personally identifiable information (PII).\u003c/p\u003e\n"],["\u003cp\u003eBuckets can be created through the console by navigating to Object Storage and filling out the creation flow or via the command line using a bucket specification in a YAML file.\u003c/p\u003e\n"],["\u003cp\u003eNewly created buckets are automatically encrypted, with \u003ccode\u003ev2\u003c/code\u003e being the default and strongly recommended for better encryption and security, unless \u003ccode\u003ev1\u003c/code\u003e is specifically designated for higher performance with many small objects.\u003c/p\u003e\n"],["\u003cp\u003eVerification of bucket creation and details, including encryption information and the fully qualified name, can be performed by using \u003ccode\u003ekubectl describe buckets\u003c/code\u003e and \u003ccode\u003ekubectl get aeadkeys\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Create storage buckets for projects\n\nThis page shows you how to create Google Distributed Cloud (GDC) air-gapped storage buckets.\n\nBefore you begin\n----------------\n\nA project namespace manages bucket resources in the Management API server. You\nmust have a [project](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/project-management) to work with buckets and objects.\n\nYou must also have the appropriate bucket permissions to perform the following\noperation. See [Grant bucket access](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/grant-obtain-storage-access#grant_bucket_access).\n\nStorage bucket naming guidelines\n--------------------------------\n\nBucket names must adhere to the following naming conventions:\n\n- Be unique within the project. A project appends a unique prefix to the bucket name, ensuring there aren't clashes within the organization. In the unlikely event of a prefix and bucket name clash across organizations, the bucket creation fails with a \"bucket name in use\" error.\n- Refrain from including any personally identifiable information (PII).\n- Be DNS-compliant.\n- Have at least 1 and no more than 55 characters.\n- Start with a letter and use only letters, numbers, and hyphens.\n\nCreate a bucket\n---------------\n\n**Note:** The bucket that is created will be automatically encrypted with either version `v1` or `v2`. `v2` will be the default if the `encryption-version` label is not specified since `v2` bucket is strongly recommended as it has better encryption and security. `v1` is only recommended if you need higher performance for many small objects. \n\n### Console\n\n1. In the navigation menu, click **Object Storage**.\n2. Click **Create Bucket**.\n3. In the bucket creation flow, assign a name unique across all buckets within the project.\n4. Enter a description.\n5. Optional: Click the toggle_off toggle to set a retention policy and enter your preferred number of days. Contact your IO if you need to exceed retention policy limits.\n6. Click **Create** . A success message appears and you are directed back to the **Buckets** page.\n\nTo verify that you have successfully created a new bucket, refresh the **Buckets** page after a few minutes and check that the bucket state updates from `Not ready` to `Ready`.\n\n### CLI\n\nTo create a bucket, apply a bucket specification to your project namespace: \n\n kubectl apply -f bucket.yaml\n\nThe following is an example of a bucket specification: \n\n apiVersion: object.gdc.goog/v1\n kind: Bucket\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBUCKET_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eNAMESPACE_NAME\u003c/span\u003e\u003c/var\u003e\n spec:\n description: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDESCRIPTION\u003c/span\u003e\u003c/var\u003e\n storageClass: Standard\n bucketPolicy:\n lockingPolicy:\n defaultObjectRetentionDays: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eRETENTION_DAY_COUNT\u003c/span\u003e\u003c/var\u003e\n\nThe following is an example of a bucket specification with encryption version as `v1`: \n\n apiVersion: object.gdc.goog/v1\n kind: Bucket\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBUCKET_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eNAMESPACE_NAME\u003c/span\u003e\u003c/var\u003e\n labels:\n object.gdc.goog/encryption-version: v1\n spec:\n description: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eDESCRIPTION\u003c/span\u003e\u003c/var\u003e\n storageClass: Standard\n bucketPolicy:\n lockingPolicy:\n defaultObjectRetentionDays: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eRETENTION_DAY_COUNT\u003c/span\u003e\u003c/var\u003e\n\nFor more details, see the [Bucket API reference](../../apis/storage-krm-api.md).\n\nThe following is an example of a dual-zone bucket in org-admin global API: \n\n apiVersion: object.global.gdc.goog/v1\n kind: Bucket\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBUCKET_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003ePROJECT_NAME\u003c/span\u003e\u003c/var\u003e\n spec:\n location: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eLOCATION_NAME\u003c/span\u003e\u003c/var\u003e\n description: Sample DZ Bucket\n storageClass: Standard\n\nNote that only V2 encryption is supported for dual-zone buckets and all operations for creating, updating, or deleting a dual-zone bucket resource must be performed against the global API server.\n\n### gdcloud\n\nTo create a bucket with gdcloud, follow [gdcloud storage buckets create](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-reference/gdcloud-storage-buckets-create).\n\nVerify bucket and related resource creation\n-------------------------------------------\n\nOnce the bucket is created, you can run the following command to confirm and check the details of the bucket: \n\n kubectl describe buckets \u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e -n \u003cvar translate=\"no\"\u003eNAMESPACE_NAME\u003c/var\u003e\n\nThe **Status** section has two important fields: **Encryption** (for encryption details) and **Fully Qualified Name** (which contains the \u003cvar translate=\"no\"\u003eFULLY_QUALIFIED_BUCKET_NAME\u003c/var\u003e). \n\n### Encryption v1\n\nThe information is about the AEADKey named as `obj-`\u003cvar translate=\"no\"\u003eFULLY_QUALIFIED_BUCKET_NAME\u003c/var\u003e, which serves as a reference to the encryption key employed for encrypting objects stored within the bucket. Here is an example: \n\n Status:\n Encryption:\n Key Ref:\n Kind: AEADKey\n Name: obj-\u003cvar translate=\"no\"\u003eFULLY_QUALIFIED_BUCKET_NAME\u003c/var\u003e\n Namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eNAMESPACE_NAME\u003c/span\u003e\u003c/var\u003e\n Type: CMEK\n\n### Encryption v2\n\nThe information pertains to the Secret named as `kek-ref-`\u003cvar translate=\"no\"\u003eFULLY_QUALIFIED_BUCKET_NAME\u003c/var\u003e, which acts as a reference for active default AEADKeys. Active default AEADKeys are randomly selected from to encrypt objects uploaded to the bucket when specific AEADKey is not specified.\n| **Note:** Inactive default AEADKeys are those that are no longer referenced in the Secret. See the Manage Encryption Resources section for more info.\n\nHere is an example: \n\n Status:\n Encryption:\n Key Ref:\n Kind: Secret\n Name: kek-ref-\u003cvar translate=\"no\"\u003eFULLY_QUALIFIED_BUCKET_NAME\u003c/var\u003e\n Namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eNAMESPACE_NAME\u003c/span\u003e\u003c/var\u003e\n Type: CMEK\n\nYou can also run the following command to verify needed AEADKeys are created: \n\n kubectl get aeadkeys -n \u003cvar translate=\"no\"\u003eNAMESPACE_NAME\u003c/var\u003e -l cmek.security.gdc.goog/resource-name=\u003cvar translate=\"no\"\u003eFULLY_QUALIFIED_BUCKET_NAME\u003c/var\u003e"]]