Google Cloud Storage

Configure Google Cloud Storage for backup storage.

Store backups in Google Cloud Storage for reliable, integrated cloud storage.

Prerequisites

  • Google Cloud account
  • GCS bucket created
  • Service account with access

Create Service Account

  1. Go to Google Cloud Console
  2. Select your project
  3. Navigate to IAM & Admin > Service Accounts
  4. Click Create Service Account
  5. Name: supascale-backups
  6. Grant role: Storage Object Admin
  7. Create and download JSON key

Required Permissions

The service account needs:

  • storage.objects.create
  • storage.objects.get
  • storage.objects.delete
  • storage.objects.list
  • storage.buckets.get

Or use the predefined role: Storage Object Admin

Create GCS Bucket

  1. Go to Cloud Storage
  2. Click Create bucket
  3. Name: your-company-supascale-backups
  4. Location: Choose region or multi-region
  5. Storage class: Standard (or based on needs)
  6. Access control: Uniform

  • Location: Regional (cheapest) or Multi-regional (highest availability)
  • Storage class: Standard for frequent access
  • Versioning: Enabled
  • Encryption: Google-managed or customer-managed keys

Configure in Supascale

Via Web UI

  1. Navigate to Cloud Storage
  2. Click Add Provider
  3. Select Google Cloud Storage
  4. Enter:
    • Name: "Production GCS"
    • Bucket name
    • Paste service account JSON key
  5. Click Test Connection
  6. Click Save

Via API

curl -X POST https://supascale.example.com/api/v1/cloud-storage \
  -H "X-API-Key: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production GCS",
    "type": "gcs",
    "isDefault": false,
    "gcsConfig": {
      "bucket": "your-bucket-name",
      "credentials": {
        "type": "service_account",
        "project_id": "your-project-id",
        "private_key_id": "key-id",
        "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
        "client_email": "supascale-backups@your-project-id.iam.gserviceaccount.com",
        "client_id": "123456789",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token"
      }
    }
  }'

Configuration Options

Option       Required  Description
bucket       Yes       GCS bucket name
credentials  Yes       Service account JSON key
projectId    No        Override project ID

GCS Locations

Regional

Single region, lowest cost:

  • us-central1 - Iowa
  • us-east1 - South Carolina
  • europe-west1 - Belgium
  • asia-east1 - Taiwan

Multi-Regional

Higher availability, higher cost:

  • us - United States
  • eu - European Union
  • asia - Asia Pacific

Storage Classes

Class     Use Case          Availability  Cost
Standard  Frequent access   99.99%        $$$
Nearline  Monthly access    99.9%         $$
Coldline  Quarterly access  99.9%         $
Archive   Yearly access     99.9%         ¢

Lifecycle Management

Configure automatic transitions in GCS:

  1. Go to bucket Lifecycle
  2. Add rule:
    • Action: Set storage class to Nearline
    • Condition: Age > 30 days

Example rules:

{
  "lifecycle": {
    "rule": [
      {
        "action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
        "condition": {"age": 30}
      },
      {
        "action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
        "condition": {"age": 90}
      },
      {
        "action": {"type": "Delete"},
        "condition": {"age": 365}
      }
    ]
  }
}

Test Connection

curl -X POST https://supascale.example.com/api/v1/cloud-storage/provider-id/test \
  -H "X-API-Key: your-api-key"

Security

IAM Best Practices

  1. Use dedicated service account
  2. Grant minimum required permissions
  3. Rotate service account keys periodically
  4. Enable audit logging
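
The following is an added example, not Supascale's own code, that audits the backup bucket's IAM policy against the practices above. It assumes the policy was exported as JSON (for example with `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`); the sample policy, account email, user and role sets are constructed for illustration.

```python
import json

# Roles broader than the Storage Object Admin role this page recommends.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin"}
# Roles that allow overwriting or deleting backup objects.
WRITE_ROLES = BROAD_ROLES | {
    "roles/storage.objectAdmin", "roles/storage.objectUser",
    "roles/storage.legacyBucketOwner", "roles/storage.legacyBucketWriter",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SEVERITY_ORDER = ["HIGH", "MEDIUM", "LOW", "INFO"]

def audit_bucket_policy(policy, backup_sa_email):
    """Return (severity, message) findings for a bucket IAM policy dict."""
    sa_member = f"serviceAccount:{backup_sa_email}"
    bindings = policy.get("bindings", [])
    findings = []
    for binding in bindings:
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", f"{member} holds {role}: backups are publicly accessible"))
            elif member == sa_member and role in BROAD_ROLES:
                findings.append(("MEDIUM", f"backup account holds {role}, broader than Storage Object Admin"))
            elif member != sa_member and role in WRITE_ROLES:
                findings.append(("LOW", f"{member} can modify or delete backups via {role}"))
    if not any(sa_member in b.get("members", []) for b in bindings):
        findings.append(("INFO", "backup account has no bucket-level binding; check project-level grants"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))

# Constructed sample policy (hypothetical project, account and user).
SAMPLE_SA = "supascale-backups@your-project-id.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectAdmin", "members": ["serviceAccount:%s"]},
  {"role": "roles/storage.admin", "members": ["serviceAccount:%s", "user:dev@example.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
]}
""" % (SAMPLE_SA, SAMPLE_SA))

if __name__ == "__main__":
    for severity, message in audit_bucket_policy(SAMPLE_POLICY, SAMPLE_SA):
        print(f"[{severity}] {message}")
```

An empty result means the bucket-level policy contains only the dedicated account with an object-scoped role; project-level grants are not visible in a bucket policy and need a separate check.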

Encryption

GCS encrypts all data at rest by default. For additional control:

  • Google-managed: Default, no configuration
  • Customer-managed (CMEK): Use Cloud KMS
  • Customer-supplied (CSEK): You manage keys

Access Control

  • Use IAM for access control (recommended)
  • Enable uniform bucket-level access
  • Avoid legacy ACLs

Troubleshooting

"Permission denied"

  1. Verify service account has correct role
  2. Check bucket permissions
  3. Verify service account email is correct
  4. Re-download credentials JSON

"Bucket not found"

  1. Verify bucket name spelling
  2. Check bucket exists in the project
  3. Verify service account has bucket access

"Invalid credentials"

  1. Re-download service account JSON
  2. Verify JSON is complete and valid
  3. Check service account isn't disabled
  4. Verify project ID matches