Google Cloud Storage

Google Cloud Storage is an S3 compatible service with pricing based on usage. Google Cloud Storage is interoperable with S3.

Connecting

Interoperable Access

For interoperable access please use an S3-compatible protocol (like Amazon S3, not Google Storage) with the server set to storage.googleapis.com.

You need to obtain the login credentials (Access Key and Secret) from the Google Cloud Platform settings for “Storage”. Navigate to the storage settings, open the Interoperability tab and enable Interoperable Access. Once it is enabled, you can create a new key. For more information refer to the Google Storage Documentation.

In the login prompt of Cyberduck you enter the Access Key for the username and Secret for the password. This allows you to connect to one project configured in your account.

OAuth 2.0 Access

  1. Obtain the project ID (x-goog-project-id) of your project from the Google Cloud Platform under Storage Access from the Google Cloud Storage tab. Direct link to Google Cloud Storage settings.

  2. Choose Open Connection… or add a New Bookmark to save the connection settings.

  3. Enter the x-goog-project-id for the Username

  4. Choose Connect to open your web browser.

  5. Log in to your Google account and grant access to Google Cloud Storage.

  6. Allow your web browser to “Open Cyberduck” so that it can submit the authorization code used to retrieve the access token for authenticating with Google Cloud Storage. Subsequent connections will not require authorization unless the refresh token has expired due to inactivity.

Attention

Using Advanced Protection Program will cause the OAuth login flow to fail.

Tip

Users require an IAM role that includes the storage.buckets.list and storage.buckets.get permissions.

Storage Object Viewer Role

When connecting with a user with a viewer role only, attempting to list buckets will show the error “…does not have storage.buckets.list access to the Google Cloud project. Permission 'storage.buckets.list' denied on resource (or it may not exist).” You can still connect to a single bucket by entering the bucket name in Path.

Reset OAuth Tokens

If you have accidentally logged in with the wrong Google Cloud Storage username, or want to change the login of the Google Cloud Storage bookmark, delete the current bookmark and create a new one to start a new authentication flow.

Alternatively, you can reset the OAuth token by deleting the entries related to duck:googlecloudstorage?user=(user) out of the Windows Credential Manager or on macOS the entries related to accounts.google.com out of Keychain Access.app.

Custom OAuth Client ID

You can register a custom OAuth 2.0 client ID with Google to operate independently of our registered client ID.

Cyberduck CLI

You can list all buckets with Cyberduck CLI using

duck --username <projectid> --list gs:/

Refer to the Cyberduck CLI documentation for more operations.

Creating a Bucket

When connecting the first time, you must first create a new bucket with File → New Folder… (macOS ⌘N Windows Ctrl+Shift+N). You can choose the default bucket region in Preferences (macOS ⌘, Windows Ctrl+,) → Google Storage. The following multi-regions are supported to select from:

  • us. Data centers in the United States.

  • eu. Data centers within member states of the European Union.

  • asia. Data centers in Asia.

Storage Class

You can set the default storage class for new files uploaded in Preferences (macOS ⌘, Windows Ctrl+,) → Google Storage → Default Storage Class. A minimum storage duration applies to data stored using one of these storage classes. You can delete the data before it has been stored for this duration, but at the time of deletion you are charged as if the data was stored for the minimum duration. Available options are

  • STANDARD. Standard Storage. No minimum storage duration.

  • MULTI_REGIONAL. Equivalent to Standard Storage, except Multi-Regional Storage can only be used for objects stored in multi-regions or dual-regions.

  • REGIONAL. Equivalent to Standard Storage, except Regional Storage can only be used for objects stored in regions.

  • NEARLINE. Nearline Storage is a better choice than Standard Storage in scenarios where slightly lower availability and a 30-day minimum storage duration are acceptable.

  • COLDLINE. Coldline Storage is a very-low-cost, highly durable storage service for storing infrequently accessed data. Coldline Storage is a better choice than Standard Storage or Nearline Storage in scenarios where slightly lower availability and a 90-day minimum storage duration are acceptable.

Bucket Access Logging

When this option is enabled in the Google Cloud Storage panel of the Info (File → Info (macOS ⌘I Windows Alt+Return)) window for a bucket or any file within, available log records for this bucket are periodically aggregated into log files and delivered to root in the target logging bucket specified. It is considered best practice to choose a logging target that is different from the origin bucket.

Folders

Creating a folder inside a bucket will create a placeholder object that is named after the directory, has no data content, and has the mime-type application/x-directory. Directory placeholder objects created in Google Storage Manager are not supported.

Files

Metadata

You can edit standard HTTP headers and add custom HTTP headers to files to store metadata. Choose File → Info → Google Storage to edit headers.

Support for Custom-Time

Modification dates are supported through the Custom-Time metadata parameter. The parameter gets set on file upload through Mountain Duck and Cyberduck.

Versioning

A list of file versions can be viewed in the Versions tab of the Info window. Files can be reverted to a chosen version of this list. Additionally, versions of the list can be deleted.

Note

Bucket Versioning has to be enabled within the Google Storage tab of the Info window before the versions of the files are displayed.

ACLs

Default ACLs

You can choose canned ACLs to be added to uploaded files or created buckets by default. Canned ACLs are predefined sets of permissions. The default ACL can be set within Preferences (macOS ⌘, Windows Ctrl+,) → Google Storage → Default ACL.

Applies to Buckets

Applies to Files

private

public-read

public-read-write

authenticated-read

bucket-owner-read

bucket-owner-full-control

Granting Access to Selected Users

You can give a specific user access to a document by granting READ access to the email address registered with Google. The Authenticated URL from the ACL tab in the Info window, with the format https://sandbox.google.com/storage/<container>/<file>, will verify access to the resource using the Google Account login credentials.

The link will redirect to the file only after the user has successfully logged in to their Google Account and is listed in the ACL you have just edited.

Granting Access to Google App Domain

Google Apps customers can associate their email accounts with an Internet domain name. When you do this, each email account takes the form username@yourdomain.com. You can specify a scope by using any Internet domain name that is associated with a Google Apps account.

Granting Access to Members of Google Group

Every Google group has a unique email address that is associated with the group. For example, the Google Storage for Developers group has the following email address: gs-discussion@googlegroups.com. You can find the email address that is associated with a Google group by clicking About this group, which appears on the homepage of every Google group.

Permissions

The following permissions can be given to grantees:

  • READ. Bucket: allows grantee to list the files in the bucket. Files: allows grantee to download the file and its metadata.

  • WRITE. Bucket: allows grantee to create, overwrite, and delete any file in the bucket. Files: not applicable.

  • FULL_CONTROL. Bucket: allows grantee all permissions on the bucket. Files: allows grantee all permissions on the object.
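
To review what an ACL actually exposes, the following added example (not part of Cyberduck or of the original page) reports every grant made to everyone or to any signed-in Google account, such as those created by the public-read, public-read-write and authenticated-read canned ACLs, together with its effect from the permissions list above. It assumes the ACL is available as a Cloud Storage XML API AccessControlList document; SAMPLE_ACL is constructed and audit_acl is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample ACL in the Cloud Storage XML API layout (not from the page).
SAMPLE_ACL = """<AccessControlList><Entries>
  <Entry><Scope type="UserByEmail"><EmailAddress>jane@example.com</EmailAddress></Scope>
    <Permission>FULL_CONTROL</Permission></Entry>
  <Entry><Scope type="GroupByDomain"><Domain>example.com</Domain></Scope>
    <Permission>READ</Permission></Entry>
  <Entry><Scope type="AllAuthenticatedUsers"/><Permission>READ</Permission></Entry>
  <Entry><Scope type="AllUsers"/><Permission>WRITE</Permission></Entry>
</Entries></AccessControlList>"""

# What each permission allows, per the Permissions list, by resource kind.
EFFECT = {
    ("READ", "bucket"): "list the files in the bucket",
    ("READ", "file"): "download the file and its metadata",
    ("WRITE", "bucket"): "create, overwrite, and delete any file in the bucket",
    ("FULL_CONTROL", "bucket"): "all permissions on the bucket",
    ("FULL_CONTROL", "file"): "all permissions on the object",
}
# Scopes not tied to a named user, group or domain.
BROAD_SCOPES = {"AllUsers": "anyone, no login",
                "AllAuthenticatedUsers": "any signed-in Google account"}
# Write-capable grants sort first: they allow tampering, not only disclosure.
SEVERITY = {"FULL_CONTROL": 0, "WRITE": 1, "READ": 2}

def audit_acl(acl_xml, kind):
    """Return (scope, who, permission, effect) per broad grant; kind is 'bucket' or 'file'."""
    findings = []
    for entry in ET.fromstring(acl_xml).iter("Entry"):
        scope = entry.find("Scope")
        stype = scope.get("type", "") if scope is not None else ""
        perm = (entry.findtext("Permission") or "").strip().upper()
        if stype in BROAD_SCOPES:
            effect = EFFECT.get((perm, kind), "not applicable")
            findings.append((stype, BROAD_SCOPES[stype], perm, effect))
    return sorted(findings, key=lambda f: SEVERITY.get(f[2], 3))

if __name__ == "__main__":
    for kind in ("bucket", "file"):
        for stype, who, perm, effect in audit_acl(SAMPLE_ACL, kind):
            print(f"{kind}: {stype} ({who}) has {perm}: {effect}")
```

Grants to named users, groups and domains are skipped on purpose; an empty result means the ACL contains no grant to the public or to all authenticated accounts.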

Website Configuration

To host a static website on Google Cloud Storage, it is possible to define a bucket as a Website Endpoint. The configuration in File → Info (macOS ⌘I Windows Alt+Return) → Distribution allows you to enable website configuration. Choose Website Configuration (HTTP) from Delivery Method and define an index document name that is searched for and returned when requests are made to the root or the subfolder in your bucket.

Website Configuration parameters will only affect requests directed to CNAME aliases of a bucket.

Index File

Simulates directory index behavior at both bucket and “directory” levels. The file specified is served for requests to the website endpoint as the main page for the bucket and for requests to “directories” contained by the bucket.

Limitations

  • No content distribution (CDN) configuration.

  • Torrent URLs are not supported.

  • Signed URLs are not supported.
