This page describes how to disable the soft delete feature on all new and existing buckets across your organization.
Soft delete is enabled on new buckets by default to prevent data loss. If needed, you can disable soft delete for existing buckets by modifying the soft delete policy, and you can disable soft delete by default for new buckets by setting an organization-wide default tag. Note that once you disable soft delete, your deleted data cannot be recovered, including accidental or malicious deletions.
Required roles
To get the permissions that you need to disable soft delete, ask your administrator to grant you the following IAM roles on the organization level:
-
Storage Admin (
roles/storage.admin
) -
Tag Administrator (
roles/resourcemanager.tagAdmin
) -
Organization Viewer (
roles/resourcemanager.organizationViewer
)
These predefined roles contain the permissions required to disable soft delete. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to disable soft delete:
-
storage.buckets.get
-
storage.buckets.update
-
storage.buckets.list
(this permission is only required if you plan to use the Google Cloud console to perform the instructions on this page)For required permissions that are included as part of the Tag Admin (
roles/resourcemanager.tagAdmin
) role, see Required permissions for administering tags.
For information about granting roles, see Use IAM with buckets or Manage access to projects.
Disable soft delete on future bucket creation
While soft delete is enabled by default on new buckets,
you can prevent soft delete from default enablement using tags.
Tags use the storage.defaultSoftDeletePolicy
key to apply a 0d
(zero days)
soft delete policy at the organization level, which disables the
feature and prevents future retention of deleted data.
Use the following instructions to disable soft delete by default when you create new buckets. Note that the following instructions aren't equivalent to setting an organization policy that mandates a particular soft delete policy, meaning you can still enable soft delete on specific buckets by specifying a policy if needed.
Create the
storage.defaultSoftDeletePolicy
tag which is used to change the default soft delete retention duration on new buckets. Note that only thestorage.defaultSoftDeletePolicy
tag name updates the default soft delete retention duration.Create a tag key using the
gcloud resource-manager tags keys create
command:gcloud resource-manager tags keys create storage.defaultSoftDeletePolicy \ --parent=organizations/ORGANIZATION_ID \ --description="Configures the default softDeletePolicy for new Storage buckets."
Replace the following:
ORGANIZATION_ID
: the numeric ID of the organization you want to set a default soft delete retention duration for. For example,12345678901
. To learn how to find the organization ID, see Getting your organization resource ID.
Create a tag value for
0d
(zero days) to disable the soft delete retention period by default on new buckets using thegcloud resource-manager tags values create
command:gcloud resource-manager tags values create 0d \ --parent=ORGANIZATION_ID/storage.defaultSoftDeletePolicy \ --description="Disables soft delete for new Storage buckets." done
Replace the following:
ORGANIZATION_ID
: the numeric ID of the organization you want to set the default soft delete retention duration for. For example,12345678901
.
Attach the tag to your resource using the
gcloud resource-manager tags bindings create
command:gcloud resource-manager tags bindings create \ --tag-value=ORGANIZATION_ID/storage.defaultSoftDeletePolicy/0d \ --parent=RESOURCE_ID
Replace the following:
ORGANIZATION_ID
: the numeric ID of the organization under which the tag was created. For example,12345678901
.RESOURCE_ID
: the full name of the organization you want to create the tag binding for. For example, to attach a tag toorganizations/7890123456
, enter//cloudresourcemanager.googleapis.com/organizations/7890123456
.
Disable soft delete on existing buckets
To disable soft delete on existing buckets, run the
gcloud storage buckets update
command with the --clear-soft-delete
flag:
gcloud projects list --format="value(projectId)" | while read project do gcloud storage buckets update --project=PROJECT_ID --clear-soft-delete gs://* done
Replace the following:
PROJECT_ID
: the name of the project whose soft delete policy you want to disable.
Cloud Storage disables soft delete on existing buckets. Objects that have already been soft deleted will remain in the buckets until their soft delete retention duration completes, after which, they are permanently deleted.
What's next
Review considerations before re-enabling soft delete.
Learn about how soft delete interacts with other Cloud Storage features.