Organization policy constraints for Cloud Storage

This page provides supplemental information about organization policy constraints that apply to Cloud Storage. Use constraints to enforce bucket settings across an entire project or organization.

Cloud Storage constraints

The following constraints can be applied to an organization policy and relate to Cloud Storage:

Retention policy duration in seconds

API Name: constraints/storage.retentionPolicySeconds

When you apply the retentionPolicySeconds constraint, you specify one or more durations as part of the constraint. Once set, bucket retention policies must use one of the specified durations. retentionPolicySeconds is enforced when a new bucket is created and when the retention period of a pre-existing bucket is added or updated; it is not otherwise enforced on pre-existing buckets.

If you set multiple retentionPolicySeconds constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.

Enforce uniform bucket-level access

API Name: constraints/storage.uniformBucketLevelAccess

When you apply the uniformBucketLevelAccess constraint, buckets must use uniform bucket-level access. This constraint is enforced with new bucket creation and for any pre-existing bucket that has uniform bucket-level access enabled; however, it's not enforced on pre-existing buckets that have uniform bucket-level access disabled.

Disable HMAC key creation

API Name: constraints/storage.disableServiceAccountHmacKeyCreation

When you apply this constraint, HMAC keys cannot be created for service accounts in applicable projects. If an applicable project has pre-existing HMAC keys when you enable this constraint, those keys continue to exist.
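The following Python model is an added example, not code from this page or from Google Cloud. It shows how the three constraints above combine at enforcement time: the org/folder/project hierarchy for retentionPolicySeconds (including the effect of inheritFromParent), the uniformBucketLevelAccess check on a new bucket, and the HMAC key creation check. The assumptions, which the page does not state, are labelled in the code: the policy-file shape rendered by render_policy_yaml mirrors the file passed to gcloud org-policies set-policy, the merge rule for list constraints (inheritFromParent true unions the parent's values, false replaces them) follows the generic organization policy inheritance behaviour, buckets without any retention policy are treated as unaffected by retentionPolicySeconds, and the resource names are placeholders.

```python
"""Added example: pre-flight a Cloud Storage request against the three
organization policy constraints described on this page.

ASSUMPTIONS (not stated on the page):
  * render_policy_yaml() follows the policy-file shape used with
    `gcloud org-policies set-policy`.
  * effective_retention_values() applies the generic org-policy list merge:
    inheritFromParent=True unions the parent's effective values, False replaces them.
  * A bucket with no retention policy is not affected by retentionPolicySeconds.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

RETENTION = "storage.retentionPolicySeconds"
UBLA = "storage.uniformBucketLevelAccess"
NO_HMAC = "storage.disableServiceAccountHmacKeyCreation"


@dataclass
class ListPolicy:
    """List constraint: the retention durations (seconds) a bucket may use."""
    allowed: Set[int]
    inherit_from_parent: bool = True


@dataclass
class BoolPolicy:
    """Boolean constraint: uniformBucketLevelAccess or disableServiceAccountHmacKeyCreation."""
    enforce: bool = True


def effective_retention_values(chain: List[Optional[ListPolicy]]) -> Optional[Set[int]]:
    """Walk org -> folder -> project. None in the chain means "no policy at this
    level"; a None result means no retention constraint applies at all."""
    effective: Optional[Set[int]] = None
    for policy in chain:
        if policy is None:
            continue
        if policy.inherit_from_parent and effective is not None:
            effective = effective | policy.allowed   # merge with parent (assumed rule)
        else:
            effective = set(policy.allowed)          # override parent (assumed rule)
    return effective


def check_bucket_create(retention_seconds: Optional[int], ubla_enabled: bool,
                        retention_chain: List[Optional[ListPolicy]],
                        ubla_policy: Optional[BoolPolicy]) -> List[str]:
    """Return the list of constraint violations a bucket creation would hit."""
    problems = []
    allowed = effective_retention_values(retention_chain)
    if allowed is not None and retention_seconds is not None and retention_seconds not in allowed:
        problems.append(f"{RETENTION}: {retention_seconds}s is not one of {sorted(allowed)}")
    if ubla_policy is not None and ubla_policy.enforce and not ubla_enabled:
        problems.append(f"{UBLA}: new buckets must enable uniform bucket-level access")
    return problems


def check_hmac_key_create(hmac_policy: Optional[BoolPolicy]) -> bool:
    """True if a service account HMAC key may still be created in this project."""
    return hmac_policy is None or not hmac_policy.enforce


def render_policy_yaml(resource: str, constraint: str, policy) -> str:
    """Render the policy file for `gcloud org-policies set-policy` (assumed shape)."""
    lines = [f"name: {resource}/policies/{constraint}", "spec:"]
    if isinstance(policy, BoolPolicy):
        lines += ["  rules:", f"  - enforce: {'true' if policy.enforce else 'false'}"]
    else:
        lines += [f"  inheritFromParent: {'true' if policy.inherit_from_parent else 'false'}",
                  "  rules:", "  - values:", "      allowedValues:"]
        lines += [f'      - "{v}"' for v in sorted(policy.allowed)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed hierarchy: org allows 1 day, project adds 30 days and inherits.
    chain = [ListPolicy({86400}), None, ListPolicy({2592000})]
    print("effective retention values:", sorted(effective_retention_values(chain)))
    print(check_bucket_create(3600, False, chain, BoolPolicy(True)))
    print("HMAC key creation allowed:", check_hmac_key_create(BoolPolicy(True)))
    print(render_policy_yaml("projects/PLACEHOLDER_PROJECT", RETENTION, chain[2]))
```

Dropping inheritFromParent to false on the project-level policy makes the effective set collapse to the project's own values, which is the situation the recommendation above is meant to avoid; the pre-existing-bucket exemptions the page describes are outside this model, which only covers the create-time checks.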
