Cloud Storage
Cloud Storage is Google's object storage service. It stores files of any size and type as immutable objects in containers called buckets. Objects are identified by a key, not a path. Individual objects can be up to 5 TiB with no bucket size limit, and the platform replicates data automatically.
Cloud Storage is the de facto storage substrate for a wide range of workloads: static website hosting, build artifacts, backup and archival, data lake ingestion for BigQuery and Dataflow, media storage, and batch processing I/O.
Storage Classes
All classes share the same APIs, millisecond first-byte latency, and 11-nines annual durability. The difference is storage cost versus retrieval cost:
| Class | Access frequency | Retrieval fee | Min storage duration |
|---|---|---|---|
| Standard | Frequently accessed | None | None |
| Nearline | ~Once per month | Per-GB fee | 30 days |
| Coldline | ~Once per quarter | Higher per-GB fee | 90 days |
| Archive | ~Once per year | Highest per-GB fee | 365 days |
Object Lifecycle Management transitions objects between classes automatically — move to Nearline after 30 days, Coldline after 90, Archive after 365. This is the correct way to manage cost on aging data.
Bucket Configuration
Object Versioning retains previous versions when objects are overwritten or deleted. Retention policies prevent deletion for a specified period. Uniform bucket-level access disables per-object ACLs and enforces IAM as the only access control — the recommended configuration.
Access Control
Use IAM with uniform bucket-level access. Key roles: objectViewer for read-only, objectCreator to upload without reading existing objects, objectAdmin for full CRUD, storage.admin for full bucket management. Signed URLs grant temporary access to specific objects without requiring a Google account.
Events
Cloud Storage supports Pub/Sub notifications: when objects are created, updated, or deleted, a message is published to a Pub/Sub topic. This triggers Cloud Functions or Cloud Run without polling.
- Making a bucket public without an intentional access policy review.
- Not enabling Object Versioning on critical data. The default soft delete window catches accidental deletes and overwrites for only 7 days — versioning is the durable protection.
- Using Cloud Storage as a filesystem via FUSE mount for workloads with many small sequential writes — performance suffers significantly.
- Leaving all data in Standard class without lifecycle rules.
- Using per-object ACLs instead of uniform bucket-level access.
- Enable Object Versioning on any bucket holding critical data.
- Enable uniform bucket-level access and manage permissions via IAM only.
- Configure lifecycle rules to transition cold objects to lower-cost storage classes.
- Enable "Prevent public access" at the organization level.
- Use Signed URLs for sharing with external users.
- Set up Pub/Sub notifications for event-driven pipelines.
Knowledge Check
What annual durability does Cloud Storage provide across all storage classes?
- 99.9% — three nines availability
- 99.999% — five nines availability
- 99.999999999% — eleven nines
- 99.99% — four nines availability
Which storage class is appropriate for data accessed approximately once per quarter?
- Standard — no retrieval fee, any access frequency
- Nearline — designed for approximately once-monthly access
- Coldline — designed for approximately quarterly access
- Archive — designed for approximately annual access
What does Object Versioning protect against?
- Unauthorized access to objects by external users who lack the right IAM permissions
- Accidental overwrites and deletions — previous versions are retained and recoverable
- Data corruption that silently occurs while an object is being uploaded over the network
- Exceeding the bucket's maximum total size limit
What does Object Lifecycle Management do?
- Automatically backs up objects to Persistent Disk on a configurable recurring schedule
- Transitions objects to a colder storage class based on age or other conditions
- Permanently deletes any object that has not been read or accessed within a set window
- Continuously replicates objects to a secondary backup bucket in another region
What is a Signed URL used for?
- To cryptographically verify the integrity of an object's content after a download
- To grant temporary access to a specific object without requiring a Google account
- To make an entire bucket and all its objects publicly accessible to anyone
- To sign objects for regulatory compliance and long-term audit purposes
You got correct