Storage Transfer Service supports transfers to Cloud Storage buckets protected by VPC Service Controls.
Storage Transfer Service requires access to Cloud Storage buckets in order to move data into or between Cloud Storage buckets. If you have buckets within a VPC Service Controls service perimeter, extra setup is required to use Storage Transfer Service to transfer data to Cloud Storage.
To protect your
TransferOperation requests, you can
add the Storage Transfer Service API as a protected service to your service perimeters.
To protect the underlying Cloud Storage buckets and objects, you also need to
add the Cloud Storage API as a protected service to your service
To learn more about VPC Service Controls, see Overview of VPC Service Controls.
For information about using VPC Service Controls with file system transfers, see Configure VPC Service Controls for file system transfers.
You can configure Storage Transfer Service to work with Cloud Storage buckets protected by VPC Service Controls with the following methods:
You can add your Storage Transfer Service project to the service perimeter of your Cloud Storage buckets if either of the following are true:
- You can configure your Cloud Storage buckets within a single service perimeter.
- All of your Cloud Storage buckets are within the same service perimeter.
This option is the easiest option to set up and manage.
Create a perimeter bridge to all projects that contain the Cloud Storage buckets you're using in a transfer if either of the following are true:
- You cannot change the service perimeters of your Cloud Storage buckets.
- You have Cloud Storage buckets in different service perimeters.
This option allows your Storage Transfer Service project to transfer data between your Cloud Storage projects, even if both projects are in different service perimeters. This option also ensures that access to your Cloud Storage bucket perimeters is from a restricted set of services and resources.
Add the Storage Transfer Service service account to an access level if any of the following apply to you:
- Your Storage Transfer Service project is outside of your Cloud Storage bucket's service perimeter.
Your service account doesn't fit the form
project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com, even if the service account belongs to a project inside a perimeter.
To find your service account's format, use the
This option doesn't require you to place the Storage Transfer Service project within a service perimeter. It also lets you configure the access level to only allow requests from the Storage Transfer Service service account.
To use a service perimeter, follow the instructions in Create a service perimeter to include the following projects and services:
- Cloud Storage bucket projects
- Cloud Storage API (storage.googleapis.com)
- Storage Transfer Service API (storagetransfer.googleapis.com)
To use a perimeter bridge:
Create a service perimeter for Storage Transfer Service.
Create a perimeter bridge to connect:
- Cloud Storage bucket projects
After you create your access level, add the access level to your service perimeter that restricts access to the Google Cloud projects containing your Cloud Storage buckets.
For help troubleshooting, see VPC Service Controls Troubleshooting.