Cloud Storage
Service 06

Cloud Storage

StorageObject StoreDurable

Cloud Storage is Google's object storage service. It stores files of any size and type as immutable objects in containers called buckets. Objects are identified by a key, not a path. Individual objects can be up to 5 TiB with no bucket size limit, and the platform replicates data automatically.

Cloud Storage is the de facto storage substrate for a wide range of workloads: static website hosting, build artifacts, backup and archival, data lake ingestion for BigQuery and Dataflow, media storage, and batch processing I/O.

Storage Classes

All classes share the same APIs, millisecond first-byte latency, and 11-nines annual durability. The difference is storage cost versus retrieval cost:

ClassAccess frequencyRetrieval feeMin storage duration
StandardFrequently accessedNoneNone
Nearline~Once per monthPer-GB fee30 days
Coldline~Once per quarterHigher per-GB fee90 days
Archive~Once per yearHighest per-GB fee365 days

Object Lifecycle Management transitions objects between classes automatically — move to Nearline after 30 days, Coldline after 90, Archive after 365. This is the correct way to manage cost on aging data.

Bucket Configuration

Object Versioning retains previous versions when objects are overwritten or deleted. Retention policies prevent deletion for a specified period. Uniform bucket-level access disables per-object ACLs and enforces IAM as the only access control — the recommended configuration.

Access Control

Use IAM with uniform bucket-level access. Key roles: objectViewer for read-only, objectCreator to upload without reading existing objects, objectAdmin for full CRUD, storage.admin for full bucket management. Signed URLs grant temporary access to specific objects without requiring a Google account.

Events

Cloud Storage supports Pub/Sub notifications: when objects are created, updated, or deleted, a message is published to a Pub/Sub topic. This triggers Cloud Functions or Cloud Run without polling.

Common Mistakes
  • Making a bucket public without an intentional access policy review.
  • Not enabling Object Versioning on critical data. The default soft delete window catches accidental deletes and overwrites for only 7 days — versioning is the durable protection.
  • Using Cloud Storage as a filesystem via FUSE mount for workloads with many small sequential writes — performance suffers significantly.
  • Leaving all data in Standard class without lifecycle rules.
  • Using per-object ACLs instead of uniform bucket-level access.
Best Practices
  • Enable Object Versioning on any bucket holding critical data.
  • Enable uniform bucket-level access and manage permissions via IAM only.
  • Configure lifecycle rules to transition cold objects to lower-cost storage classes.
  • Enable "Prevent public access" at the organization level.
  • Use Signed URLs for sharing with external users.
  • Set up Pub/Sub notifications for event-driven pipelines.
Comparable services AWS S3 Azure Azure Blob Storage

Knowledge Check

What annual durability does Cloud Storage provide across all storage classes?

  • 99.9% — three nines availability
  • 99.999% — five nines availability
  • 99.999999999% — eleven nines
  • 99.99% — four nines availability

Which storage class is appropriate for data accessed approximately once per quarter?

  • Standard — no retrieval fee, any access frequency
  • Nearline — designed for approximately once-monthly access
  • Coldline — designed for approximately quarterly access
  • Archive — designed for approximately annual access

What does Object Versioning protect against?

  • Unauthorized access to objects by external users who lack the right IAM permissions
  • Accidental overwrites and deletions — previous versions are retained and recoverable
  • Data corruption that silently occurs while an object is being uploaded over the network
  • Exceeding the bucket's maximum total size limit

What does Object Lifecycle Management do?

  • Automatically backs up objects to Persistent Disk on a configurable recurring schedule
  • Transitions objects to a colder storage class based on age or other conditions
  • Permanently deletes any object that has not been read or accessed within a set window
  • Continuously replicates objects to a secondary backup bucket in another region

What is a Signed URL used for?

  • To cryptographically verify the integrity of an object's content after a download
  • To grant temporary access to a specific object without requiring a Google account
  • To make an entire bucket and all its objects publicly accessible to anyone
  • To sign objects for regulatory compliance and long-term audit purposes

You got correct