Storage Transfer Service supports transfers to Cloud Storage buckets protected by VPC Service Controls.
Storage Transfer Service requires access to Cloud Storage buckets in order to move data into or between Cloud Storage buckets. If you have buckets within a VPC Service Controls service perimeter, extra setup is required to use Storage Transfer Service to transfer data to Cloud Storage.
To protect your TransferJob and TransferOperation requests, you can add the Storage Transfer Service API as a protected service to your service perimeters. To protect the underlying Cloud Storage buckets and objects, you also need to add the Cloud Storage API as a protected service to your service perimeter.
To learn more about VPC Service Controls, see Overview of VPC Service Controls.
For information about using VPC Service Controls with file system transfers, see Configure VPC Service Controls for file system transfers.
Supported configurations
You can configure Storage Transfer Service to work with Cloud Storage buckets protected by VPC Service Controls with the following methods:
You can add your Storage Transfer Service project to the service perimeter of your Cloud Storage buckets if either of the following is true:
- You can configure your Cloud Storage buckets within a single service perimeter.
- All of your Cloud Storage buckets are within the same service perimeter.
This option is the easiest option to set up and manage.
Create a perimeter bridge to all projects that contain the Cloud Storage buckets you're using in a transfer if either of the following is true:
- You cannot change the service perimeters of your Cloud Storage buckets.
- You have Cloud Storage buckets in different service perimeters.
This option allows your Storage Transfer Service project to transfer data between your Cloud Storage projects, even if both projects are in different service perimeters. This option also ensures that access to your Cloud Storage bucket perimeters is from a restricted set of services and resources.
Add the Storage Transfer Service service account to an access level if any of the following apply to you:
- Your Storage Transfer Service project is outside of your Cloud Storage bucket's service perimeter.
- Your service account doesn't fit the form project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com, even if the service account belongs to a project inside a perimeter. To find your service account's format, use the googleServiceAccounts.get API call.
This option doesn't require you to place the Storage Transfer Service project within a service perimeter. It also lets you configure the access level to only allow requests from the Storage Transfer Service service account.
Service perimeter
To use a service perimeter, follow the instructions in Create a service perimeter to include the following projects and services:
- The TransferJob project
- Cloud Storage bucket projects
- Cloud Storage API (storage.googleapis.com)
- Storage Transfer Service API (storagetransfer.googleapis.com)
Perimeter bridge
To use a perimeter bridge:
Create a service perimeter for Storage Transfer Service.
Create a perimeter bridge to connect:
- The TransferJob project
- Cloud Storage bucket projects
- The
Access level
To use an access level, follow the instructions in Creating an access level to grant access to the TransferJob service account.
After you create your access level, add the access level to your service perimeter that restricts access to the Google Cloud projects containing your Cloud Storage buckets.
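The three configurations above (single service perimeter, perimeter bridge, access level for the service account) as one gcloud script. This is an added example, not part of the Google Cloud documentation or of the Storage Transfer Service product itself. All perimeter and access-level names (sts-perimeter, sts-only, sts-bridge, sts-service-account, buckets-perimeter), the access policy ID and the project numbers are placeholders you replace with your own; by default the script only prints the gcloud commands (DRY_RUN=1), and the lookup via googleServiceAccounts.get assumes an authenticated gcloud session.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: the three VPC Service
# Controls setups for Storage Transfer Service, driven through gcloud.
# Every ID and perimeter name here is a placeholder; override them via env vars.
set -eu

POLICY_ID="${POLICY_ID:-123456789}"                        # access policy ID (placeholder)
STS_PROJECT_NUMBER="${STS_PROJECT_NUMBER:-111111111111}"   # project owning the TransferJob
BUCKET_PROJECT_NUMBERS="${BUCKET_PROJECT_NUMBERS:-222222222222 333333333333}"  # space separated
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands instead of executing them

# Print (dry run) or execute a command. Printed form drops shell quoting.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# projects/N,projects/M,... covering the TransferJob project and all bucket projects.
perimeter_resources() {
  _out="projects/$STS_PROJECT_NUMBER"
  for _p in $BUCKET_PROJECT_NUMBERS; do _out="$_out,projects/$_p"; done
  echo "$_out"
}

# Option 1 (single perimeter): all projects in one regular perimeter, with the
# Cloud Storage and Storage Transfer Service APIs restricted.
create_sts_perimeter() {
  run gcloud access-context-manager perimeters create sts-perimeter \
    --title="Storage Transfer Service perimeter" --perimeter-type=regular \
    --resources="$(perimeter_resources)" \
    --restricted-services=storage.googleapis.com,storagetransfer.googleapis.com \
    --policy="$POLICY_ID"
}

# Option 2 (perimeter bridge): the TransferJob project gets its own perimeter and a
# bridge joins it to the bucket projects, which stay in their existing perimeters.
# Bridge perimeters carry no restricted services; the regular perimeters do that.
create_bridge() {
  run gcloud access-context-manager perimeters create sts-only \
    --title="Storage Transfer Service project" --perimeter-type=regular \
    --resources="projects/$STS_PROJECT_NUMBER" \
    --restricted-services=storage.googleapis.com,storagetransfer.googleapis.com \
    --policy="$POLICY_ID"
  run gcloud access-context-manager perimeters create sts-bridge \
    --title="Storage Transfer Service bridge" --perimeter-type=bridge \
    --resources="$(perimeter_resources)" --policy="$POLICY_ID"
}

# Option 3 (access level). Succeeds when the service account has the standard form
# project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com;
# a non-standard account needs the access level even from inside a perimeter.
sts_sa_is_standard() {   # $1 = project number, $2 = service account email
  [ "$2" = "project-$1@storage-transfer-service.iam.gserviceaccount.com" ]
}

# googleServiceAccounts.get: returns JSON whose accountEmail field is the account
# to allow-list. Needs an authenticated gcloud; not called during dry runs.
lookup_sts_sa_json() {   # $1 = project ID
  curl -sS -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://storagetransfer.googleapis.com/v1/googleServiceAccounts/$1"
}

# Basic access-level spec that admits only the given service account.
write_level_spec() {   # $1 = service account email, $2 = output file
  cat > "$2" <<EOF
- members:
  - serviceAccount:$1
EOF
}

# Create the access level and attach it to the perimeter guarding the buckets.
create_access_level() {   # $1 = service account email, $2 = bucket perimeter name
  _spec="${LEVEL_SPEC:-$(mktemp)}"
  write_level_spec "$1" "$_spec"
  run gcloud access-context-manager levels create sts-service-account \
    --title="Storage Transfer Service account" \
    --basic-level-spec="$_spec" --policy="$POLICY_ID"
  run gcloud access-context-manager perimeters update "$2" \
    --add-access-levels=sts-service-account --policy="$POLICY_ID"
}

# Dry run of option 3 with the standard account form (placeholder names).
create_access_level \
  "project-$STS_PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com" \
  buckets-perimeter
```

Run it as `DRY_RUN=1 sh sts-vpcsc.sh` to review the commands first, then `DRY_RUN=0` to apply them; call `create_sts_perimeter` or `create_bridge` instead of the option 3 call at the bottom for the other two configurations. The access level is deliberately limited to a `members` condition with the single service account, which is the "restricted set of services and resources" property the page describes.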
Troubleshooting
For help troubleshooting, see VPC Service Controls Troubleshooting.