Cloud Storage Source
About
Cloud Storage is Google Cloud’s managed service for storing
unstructured data (blobs) in containers called buckets. Buckets live in a GCP
project; objects are addressed by gs://<bucket>/<object>.
If you are new to Cloud Storage, you can try the quickstart to create a bucket and upload your first objects.
The Cloud Storage source is configured at the project level. Individual
tools take a bucket parameter, so a single configured source can operate
against any bucket the underlying credentials are authorized for.
Available Tools
Cloud Storage Source Tools
| Tool Name | Description |
|---|---|
| cloud-storage-list-buckets | A "cloud-storage-list-buckets" tool lists Cloud Storage buckets in a project, with optional prefix filtering and pagination. |
| cloud-storage-create-bucket | A "cloud-storage-create-bucket" tool creates a Cloud Storage bucket in the configured source project. |
| cloud-storage-list-objects | A "cloud-storage-list-objects" tool lists objects in a Cloud Storage bucket, with optional prefix filtering and delimiter-based grouping. |
| cloud-storage-get-bucket-metadata | A "cloud-storage-get-bucket-metadata" tool returns metadata for a Cloud Storage bucket. |
| cloud-storage-get-object-metadata | A "cloud-storage-get-object-metadata" tool returns metadata for a Cloud Storage object without reading the object payload. |
| cloud-storage-get-bucket-iam-policy | A "cloud-storage-get-bucket-iam-policy" tool returns IAM policy bindings for a Cloud Storage bucket. |
| cloud-storage-read-object | A "cloud-storage-read-object" tool reads the UTF-8 text content of a Cloud Storage object, optionally constrained to a byte range. |
| cloud-storage-delete-bucket | A "cloud-storage-delete-bucket" tool deletes an empty Cloud Storage bucket. |
| cloud-storage-download-object | A "cloud-storage-download-object" tool downloads a Cloud Storage object to an absolute path on the Toolbox server filesystem. |
| cloud-storage-upload-object | A "cloud-storage-upload-object" tool uploads a local file from the Toolbox server filesystem to a Cloud Storage object. |
| cloud-storage-write-object | A "cloud-storage-write-object" tool writes text content directly to a Cloud Storage object. |
| cloud-storage-copy-object | A "cloud-storage-copy-object" tool copies a Cloud Storage object to another object, including across buckets. |
| cloud-storage-move-object | A "cloud-storage-move-object" tool atomically moves or renames a Cloud Storage object within the same bucket. |
| cloud-storage-delete-object | A "cloud-storage-delete-object" tool deletes a Cloud Storage object. |
Requirements
IAM Permissions
Cloud Storage uses Identity and Access Management (IAM) to control access to buckets and objects. Toolbox uses your Application Default Credentials (ADC) to authorize and authenticate when interacting with Cloud Storage.
In addition to setting the ADC for your server, ensure the IAM identity has the appropriate role for the tools being exposed. Common roles:
- `roles/storage.bucketViewer` — read-only access to bucket metadata, including listing buckets with `cloud-storage-list-buckets` and reading bucket metadata with `cloud-storage-get-bucket-metadata`.
- `roles/storage.objectViewer` — read-only access to objects and object metadata, sufficient for `cloud-storage-list-objects`, `cloud-storage-get-object-metadata`, `cloud-storage-read-object`, and `cloud-storage-download-object`.
- `roles/storage.objectUser` — read and write access to objects, sufficient for `cloud-storage-upload-object`, `cloud-storage-write-object`, and `cloud-storage-copy-object`.
- `roles/storage.admin` — full control, including bucket management.
Object mutation tools require the corresponding object permissions:
- `cloud-storage-upload-object`, `cloud-storage-write-object`, and `cloud-storage-copy-object` require object create or update permissions on the destination object.
- `cloud-storage-move-object` requires `storage.objects.move` and `storage.objects.create` in the same bucket. If the destination object already exists, `storage.objects.delete` is also required.
- `cloud-storage-delete-object` requires object delete permission.
- `cloud-storage-create-bucket` requires bucket create permission in the configured project.
- `cloud-storage-get-bucket-iam-policy` requires permission to read bucket IAM policy.
- `cloud-storage-delete-bucket` requires bucket delete permission, and the target bucket must be empty.
See Cloud Storage IAM roles for the full list.
Tools that read from or write to local files operate on the filesystem of the Toolbox server process, not the client machine. The server process must have the corresponding local file permissions.
Example
kind: source
name: my-gcs-source
type: "cloud-storage"
project: "my-project-id"
allowedBuckets:
- "my-app-bucket"
- "my-backup-bucket"
allowedLocalRoots:
- "/workspace"
Reference
| field | type | required | description |
|---|---|---|---|
| type | string | true | Must be “cloud-storage”. |
| project | string | true | Id of the GCP project the configured source is associated with (e.g. “my-project-id”). |
| allowedBuckets | []string | false | List of GCS bucket names allowed for operations. If omitted, all buckets are allowed. |
| allowedLocalRoots | []string | false | List of absolute local filesystem directories allowed for file uploads and downloads. If omitted, all paths are allowed. |
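The two allowlist fields above are the configuration-level guardrails that keep a tool call from being pointed at an arbitrary bucket or at an arbitrary path on the Toolbox server filesystem; when either is omitted, the documented default is to allow everything. As an added illustration (not the Toolbox project's own code), the Go below shows how such checks can be implemented, including the path-traversal edge case that a naive string-prefix comparison misses; the `SourceConfig` type and its method names are hypothetical.

```go
package main

import (
	"path/filepath"
	"strings"
)

// SourceConfig mirrors the two allowlist fields of the cloud-storage source
// shown above. An empty slice means "no restriction", the documented default.
type SourceConfig struct {
	AllowedBuckets    []string
	AllowedLocalRoots []string
}

// AllowsBucket requires an exact bucket-name match once an allowlist is set.
func (c SourceConfig) AllowsBucket(bucket string) bool {
	if len(c.AllowedBuckets) == 0 {
		return true
	}
	for _, b := range c.AllowedBuckets {
		if b == bucket {
			return true
		}
	}
	return false
}

// AllowsLocalPath accepts only absolute paths that, after lexical cleaning,
// sit under one of the allowed roots. "/workspace/../etc/passwd" cleans to
// "/etc/passwd" and is rejected; "/workspace-evil/x" is rejected because a
// plain string-prefix test is not a directory-containment test. The check is
// lexical only; a real implementation should also resolve symlinks on disk.
func (c SourceConfig) AllowsLocalPath(p string) bool {
	if !filepath.IsAbs(p) {
		return false
	}
	if len(c.AllowedLocalRoots) == 0 {
		return true
	}
	clean := filepath.Clean(p)
	sep := string(filepath.Separator)
	for _, root := range c.AllowedLocalRoots {
		rel, err := filepath.Rel(filepath.Clean(root), clean)
		if err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+sep) {
			return true
		}
	}
	return false
}
```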