Use tags to set a default soft delete retention duration for new buckets

This page describes how to set a default soft delete retention duration for your organization using tags.

Overview

Using tags, you can customize a default soft delete retention duration so that each time you create a new bucket, its soft delete retention duration is automatically set to a length of time of your choice. Tags let you attach a key-value pair to your resource that represents the number of days you want Cloud Storage to retain soft-deleted data in your buckets. While the system's default soft delete retention duration is always enabled for seven days, tags give you greater control over object retention by letting you increase the number of days your data is retained. Using tags, you can also disable soft delete on your resource by default.

Considerations

  • For a tag to take effect, you must create the tag as a child of the organization you want to set a default retention duration for, after which it can be attached to a project, Resource Manager folder, or organization.

  • When you use tags to customize a default soft delete retention duration on a resource, existing buckets in the resource don't automatically inherit the new soft delete retention duration. To change the soft delete retention duration on an existing bucket, you need to update the bucket's soft delete policy. To update an existing soft delete policy, see Edit a bucket's soft delete policy.

  • Settings that are implemented using tags are editable, meaning you can edit the soft delete retention duration that the tag sets during or after bucket creation.

  • If you set a storage.softDeletePolicySeconds organization policy constraint, which restricts the soft delete retention duration on newly created buckets to a set of values allowed by your organization, and you also want to use tags to set a default soft delete retention duration, you can only set the default retention duration to a value allowed by your organization policy constraint. All other values result in an error.

  • Tags can take several hours to take effect.

  • If you delete a tag binding that was previously set on a child resource of your organization, the child resource inherits the organization's default soft delete retention duration. If you delete the organization's tag binding, your resource inherits the soft delete system default retention duration of seven days. To learn more about how tag values are inherited, see Tag inheritance.

Required roles

The following permissions are required to perform the actions outlined in this page.

Administer tags

  • To create, update, and delete tag definitions, you need the Tag Administrator role (roles/resourcemanager.tagAdmin).

  • To administer tags at the organization level, you need the Organization Viewer role (roles/resourcemanager.organizationViewer) on the organization resource.

Manage tags

To add and remove tags that are attached to resources, you need the Tag User role (roles/resourcemanager.tagUser), or another role with equivalent permissions, on both the tag value and the resources that you are attaching the tag value to.

Create a default soft delete retention duration tag and values

To set a default soft delete retention duration for your organization, you need to create a tag and set tag values.

  1. Create a tag using the gcloud resource-manager tags keys create command. Note that only the storage.defaultSoftDeletePolicy tag name updates the default soft delete policy.

    gcloud resource-manager tags keys create storage.defaultSoftDeletePolicy \
    --parent=organizations/ORGANIZATION_ID \
    --description="Configures the default softDeletePolicy for new Storage buckets."
    

    Replace the following:

    • ORGANIZATION_ID: the permanent name of the organization you want to set a default soft delete retention duration for.

  2. Add a tag value using the gcloud resource-manager tags values create command:

    gcloud resource-manager tags values create RETENTION_DURATION \
    --parent=ORGANIZATION_ID/storage.defaultSoftDeletePolicy \
    --description="Sets the default soft delete retention duration for new Storage buckets to RETENTION_DURATION."

    Replace the following:

    • RETENTION_DURATION: the length of time you want to set as the new default soft delete retention duration. Format the retention duration as a number value between 7 and 90 days, such as 30d, or, to disable soft delete on your resource by default, enter 0d.

    • ORGANIZATION_ID: the permanent name of the resource you want to set the soft delete retention duration for.

Attach a default soft delete retention duration tag to a resource

After you create a default soft delete retention duration tag and set its tag values, you must attach the tag to a resource using a tag binding resource in order for the new default soft delete retention duration to take effect.

Attach a tag to a resource using the gcloud resource-manager tags bindings create command:

  gcloud resource-manager tags bindings create \
   --tag-value=ORGANIZATION_ID/storage.defaultSoftDeletePolicy/RETENTION_DURATION \
   --parent=//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID

Replace the following:

  • ORGANIZATION_ID: the permanent name of the resource you want to set a default soft delete retention duration for.

  • RETENTION_DURATION: the length of time you want to set the new default soft delete retention duration to. Format the retention duration as a number value between 7 and 90 days, such as 30d, or, to disable soft delete on your resource by default, enter 0d.
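
The following pre-flight check is an added example, not part of the original page or of Google's tooling. It validates a RETENTION_DURATION against the format described above (0d, or 7d to 90d) and, optionally, against the values allowed by a storage.softDeletePolicySeconds constraint, then prints the tag value and binding commands without running them. The function names, the organization ID, and the allowed-seconds list are hypothetical, and expressing the constraint's values in seconds is an assumption based on the constraint's name.

```bash
# Added example: validate a default soft delete tag value before creating it.
# Function names and all sample values are constructed for illustration.

# validate_duration DURATION [ALLOWED_SECONDS...]
# Prints the duration in seconds and returns 0 if the value is acceptable.
# ALLOWED_SECONDS stands in for the values a storage.softDeletePolicySeconds
# constraint permits (assumed to be seconds); omit it if no constraint is set.
validate_duration() {
  local dur="$1"; shift
  local days secs s
  case "$dur" in
    0d) days=0 ;;                                  # 0d disables soft delete
    [1-9]d|[1-9][0-9]d) days="${dur%d}" ;;
    *) echo "bad format: $dur (expected e.g. 30d)" >&2; return 1 ;;
  esac
  if [ "$days" -ne 0 ] && { [ "$days" -lt 7 ] || [ "$days" -gt 90 ]; }; then
    echo "out of range: $dur (use 0d, or 7d to 90d)" >&2; return 1
  fi
  secs=$((days * 86400))
  if [ "$#" -gt 0 ]; then
    for s in "$@"; do
      if [ "$s" -eq "$secs" ]; then echo "$secs"; return 0; fi
    done
    echo "not allowed by organization policy: $dur (${secs}s)" >&2; return 1
  fi
  echo "$secs"
}

# plan_commands ORGANIZATION_ID DURATION [ALLOWED_SECONDS...]
# Prints (does not run) the gcloud commands from this page for a valid value.
plan_commands() {
  local org="$1" dur="$2"; shift 2
  validate_duration "$dur" "$@" >/dev/null || return 1
  cat <<EOF
gcloud resource-manager tags values create $dur --parent=$org/storage.defaultSoftDeletePolicy
gcloud resource-manager tags bindings create --tag-value=$org/storage.defaultSoftDeletePolicy/$dur --parent=//cloudresourcemanager.googleapis.com/organizations/$org
EOF
}

# Constructed sample: organization 123456789012, policy allows 7, 30 or 90 days.
plan_commands 123456789012 30d 604800 2592000 7776000
```

Because tags can take several hours to take effect, rejecting a value the organization policy would refuse before the tag value is created avoids discovering the error later at bucket creation.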

Remove a default soft delete retention duration tag from a resource

You can remove a default soft delete retention duration tag from a resource by deleting the tag binding resource.

Delete a tag binding using the gcloud resource-manager tags bindings delete command:

  gcloud resource-manager tags bindings delete \
   --tag-value=ORGANIZATION_ID/storage.defaultSoftDeletePolicy/RETENTION_DURATION \
   --parent=//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID

Replace the following:

  • ORGANIZATION_ID: the permanent ID you used to set your default soft delete retention duration, such as ORGANIZATION_ID/storage.defaultSoftDeletePolicy/7d.

  • RETENTION_DURATION: the length of time you entered as the default soft delete retention duration for your resource. For example, if you set a default soft delete retention duration of 10 days, enter 10d.

  • RESOURCE_ID: the full name of the resource, such as //cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID.
