Setting organization policies for Cloud Storage

This page shows you how to set Cloud Storage-specific organization policies at or above the project level, which can be useful for managing bucket settings across your organization. Cloud Storage has two such organization policies currently available: one for enforcing the use of Bucket Lock retention policies and one for enforcing the use of Bucket Policy Only.

Setting a retention policy constraint

To require that buckets across your organization be created with proper retention policies:

gcloud

  1. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    {
      "constraint": "constraints/storage.retentionPolicySeconds",
      "listPolicy": {
        "allowedValues": [SET_OF_TIMES_IN_SECONDS],
        "inheritFromParent": [BOOLEAN]
      }
    }

    Note that your constraint can have multiple allowed values, for example:

    "allowedValues": [ "100", "200", "1000" ]
  2. Use the gcloud beta resource-manager org-policies set-policy command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    gcloud beta resource-manager org-policies set-policy [JSON_FILE_NAME].json --[RESOURCE_TYPE]=[RESOURCE_NAME]

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    {
      "constraint": "constraints/storage.retentionPolicySeconds",
      "listPolicy": {
        "allowedValues": [SET_OF_TIMES_IN_SECONDS],
        "inheritFromParent": [BOOLEAN]
      }
    }

    Note that your constraint can have multiple allowed values, for example:

    "allowedValues": [ "100", "200", "1000" ]
  3. Use cURL to call the JSON API with a POST request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Type: application/json" \
    "https://cloudresourcemanager.googleapis.com/v1/[RESOURCE_TYPE]/[RESOURCE_ID]:setOrgPolicy"

Setting a Bucket Policy Only constraint

To require that buckets across your organization be created with Bucket Policy Only enabled and prevent existing buckets from disabling Bucket Policy Only:

gcloud

  1. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    {
      "constraint": "constraints/storage.bucketPolicyOnly",
      "booleanPolicy": {
        "enforced": [BOOLEAN]
      }
    }

  2. Use the gcloud beta resource-manager org-policies set-policy command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    gcloud beta resource-manager org-policies set-policy [JSON_FILE_NAME].json --[RESOURCE_TYPE]=[RESOURCE_NAME]

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    {
      "constraint": "constraints/storage.bucketPolicyOnly",
      "booleanPolicy": {
        "enforced": [BOOLEAN]
      }
    }

  3. Use cURL to call the JSON API with a POST request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Type: application/json" \
    "https://cloudresourcemanager.googleapis.com/v1/[RESOURCE_TYPE]/[RESOURCE_ID]:setOrgPolicy"

Removing an organization policy constraint

To remove an existing organization policy constraint:

gcloud

  1. Use the gcloud beta resource-manager org-policies delete command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    gcloud beta resource-manager org-policies delete [CONSTRAINT_NAME] --[RESOURCE_TYPE]=[RESOURCE_NAME]

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    {
      "constraint": "[CONSTRAINT_NAME]"
    }

  3. Use cURL to call the JSON API with a POST request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    -H "Content-Type: application/json" \
    "https://cloudresourcemanager.googleapis.com/v1/[RESOURCE_TYPE]/[RESOURCE_ID]:clearOrgPolicy"
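The three procedures above share one pattern: write a small policy JSON, then hand it to gcloud or the JSON API. The following is an added example, not code from the Cloud Storage documentation: it builds the two policy bodies shown on this page, lints hand-written ones for the mistakes the [BRACKET] placeholders invite (a numeric allowed value, a quoted "true" where a JSON boolean belongs), and assembles the matching gcloud argv. The function names, the lint rules, and the assumption that gcloud's delete command takes the constraint name without its "constraints/" prefix are this example's own.

```python
"""Added example, not from the Cloud Storage docs: build the policy bodies this page
shows, lint hand-written ones for placeholder mistakes, and assemble the gcloud argv.
Function names and lint rules are this example's own assumptions."""

RETENTION = "constraints/storage.retentionPolicySeconds"
BUCKET_POLICY_ONLY = "constraints/storage.bucketPolicyOnly"
RESOURCE_FLAGS = ("project", "folder", "organization")  # the --[RESOURCE_TYPE] flags


def retention_policy(allowed_seconds, inherit_from_parent=True):
    """listPolicy body; allowed values are strings of whole seconds, as on this page."""
    return {"constraint": RETENTION,
            "listPolicy": {"allowedValues": [str(int(s)) for s in allowed_seconds],
                           "inheritFromParent": bool(inherit_from_parent)}}


def bucket_policy_only(enforced=True):
    """booleanPolicy body; enforced is a JSON boolean, not the string "true"."""
    return {"constraint": BUCKET_POLICY_ONLY, "booleanPolicy": {"enforced": bool(enforced)}}


def lint_policy(policy):
    """Problems found in a policy dict (empty list means usable): a numeric allowedValue,
    a quoted "true" where a JSON boolean belongs, or a constraint this page does not cover."""
    problems = []
    constraint = policy.get("constraint")
    if constraint == RETENTION:
        lp = policy.get("listPolicy") or {}
        for v in lp.get("allowedValues", []):
            if not (isinstance(v, str) and v.isdigit() and int(v) > 0):
                problems.append(f"allowedValues entry must be a string of whole seconds: {v!r}")
        if not isinstance(lp.get("inheritFromParent", False), bool):
            problems.append("inheritFromParent must be a JSON boolean, not a string")
    elif constraint == BUCKET_POLICY_ONLY:
        if not isinstance((policy.get("booleanPolicy") or {}).get("enforced"), bool):
            problems.append("booleanPolicy.enforced must be a JSON boolean, not a string")
    else:
        problems.append(f"unknown constraint: {constraint!r}")
    return problems


def gcloud_argv(action, target, resource_type, resource_name):
    """argv for 'set-policy FILE.json' or 'delete CONSTRAINT' at a project, folder or
    organization; assumes gcloud names the constraint without its 'constraints/' prefix."""
    if action not in ("set-policy", "delete") or resource_type not in RESOURCE_FLAGS:
        raise ValueError(f"action must be set-policy/delete; type one of {RESOURCE_FLAGS}")
    if action == "delete" and target.startswith("constraints/"):
        target = target[len("constraints/"):]
    return ["gcloud", "beta", "resource-manager", "org-policies", action,
            target, f"--{resource_type}={resource_name}"]
```

Serialize a linted policy with json.dump before passing its path to set-policy; json.dump never emits a trailing comma, which is the usual cause of a rejected hand-edited file.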

Considerations when using organization policies

  • You can apply a constraint to any resource at the project level or higher, including an Organization resource.

  • A constraint is enforced when creating new buckets in the resource, as well as when adding or updating the relevant parameter on existing buckets in the resource.

  • A constraint is not enforced retroactively on existing buckets, except when the relevant parameter is being set on such a bucket.

  • For retention policy constraints, if you set multiple constraints at different resource levels, they are enforced hierarchically. For this reason, it's recommended that you set the inheritFromParent field to true, ensuring that policies at higher levels are also considered.
