This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket settings across an entire project or organization.
Cloud Storage constraints
The following constraints can be applied to an organization policy and relate to Cloud Storage:
Retention policy duration in seconds
When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must include one of the specified durations. This constraint is enforced with new bucket creation or when adding/updating the retention period of a pre-existing bucket; however, it's not otherwise enforced on pre-existing
If you set multiple retentionPolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.
Enforce uniform bucket-level access
When you apply the uniformBucketLevelAccess constraint, buckets must use uniform bucket-level access. This constraint is enforced with new bucket creation and for any pre-existing bucket that has uniform bucket-level access enabled; however, it's not enforced on pre-existing buckets that have uniform bucket-level access
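Both constraints above take effect at bucket creation or update, so buckets that predate the policy have to be found by an inventory check. The following is an added example, not part of the original documentation: it audits constructed bucket metadata, with field names following the Cloud Storage JSON API bucket resource, against an assumed set of allowed retention durations. Reporting a bucket with no retention policy as a finding is an assumption of this example.

```python
import json

# Constructed sample: bucket entries in the shape of the Cloud Storage
# JSON API bucket resource. Bucket names are made up.
SAMPLE_BUCKETS = json.loads("""
[
  {"name": "example-logs",
   "retentionPolicy": {"retentionPeriod": "2592000"},
   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true}}},
  {"name": "example-legacy",
   "retentionPolicy": {"retentionPeriod": "86400"},
   "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": false}}},
  {"name": "example-scratch",
   "iamConfiguration": {}}
]
""")

# Assumed durations configured in the retentionPolicySeconds constraint.
ALLOWED_RETENTION_SECONDS = {2592000, 31536000}


def audit_bucket(bucket, allowed_seconds):
    """Return the findings for one bucket resource (empty list = compliant)."""
    findings = []
    policy = bucket.get("retentionPolicy")
    if policy is None:
        # Assumption of this example: a missing policy is worth reporting.
        findings.append("no retention policy")
    else:
        # The JSON API serializes retentionPeriod as a string of seconds.
        period = int(policy["retentionPeriod"])
        if period not in allowed_seconds:
            findings.append(f"retention period {period}s not in allowed set")
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not ubla.get("enabled", False):
        findings.append("uniform bucket-level access disabled")
    return findings


def audit(buckets, allowed_seconds):
    """Map bucket name -> findings, keeping only buckets with findings."""
    report = {b["name"]: audit_bucket(b, allowed_seconds) for b in buckets}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS, ALLOWED_RETENTION_SECONDS).items():
        print(f"{name}: {'; '.join(findings)}")
```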
Disable HMAC key creation
When you apply this constraint, HMAC keys cannot be created for service accounts in applicable projects. If an applicable project has pre-existing HMAC keys when you enable this constraint, those keys continue to exist.
- Learn about the resource hierarchy that applies to organization policies.
- See Creating and managing organization policies for instructions on working with constraints and organization policies in the Google Cloud Console.
- See Using constraints for instructions on working with constraints and organization policies in gcloud.
- See the Resource Manager API reference documentation for relevant API methods, such as