This page describes Cloud Storage and how it works.
How Cloud Storage works
Cloud Storage is a scalable and managed storage service offered by Cloud de Confiance by S3NS that lets you store data as objects in containers called buckets.
All buckets are associated with a project, and you group your projects under an organization. After you create a project, you can create buckets, upload objects to your buckets, and download objects from your buckets. You can also grant permissions to make your data accessible to principals you specify or accessible to everyone on the public internet. Directory capabilities let you use Cloud Storage more like a hard drive or Network Attached Storage (NAS): folders let you organize objects in a directory structure, and managed folders let you simplify access control to your objects.
Each project, bucket, object, folder, and managed folder is a resource in Cloud de Confiance by S3NS, as are things such as Compute Engine instances.
The Cloud de Confiance by S3NS hierarchy
Here's how the Cloud Storage structure can apply to a real-world case:
Organization: Your company, called Example Inc., creates a Cloud de Confiance by S3NS organization called exampleinc.org.
Project: Example Inc. is building several applications, and each one is associated with a project. Each project has its own set of Cloud Storage APIs, as well as other resources.
Bucket: Each project can contain multiple buckets, which are containers to store your objects. For example, you might create a photos bucket for all the image files your app generates and a separate videos bucket. Cloud Storage offers different storage classes and locations for your buckets, letting you choose the durability and availability of your data to suit the needs of your workloads.
Buckets serve as a primary data foundation in the broader Cloud de Confiance by S3NS ecosystem. You can connect your buckets as storage backends for other Cloud de Confiance by S3NS services, such as AI Hypercomputer, Vertex AI, and Google Kubernetes Engine.
Object: Buckets contain objects, such as an image called puppy.png.
An object is an immutable piece of data consisting of a file of any format.
Each bucket can contain essentially unlimited individual objects.
Folder: Buckets with hierarchical namespace enabled can contain folders. Folders enable a real file system for storing objects, as opposed to a simulated file system. You can atomically rename a folder and all the objects within it in one operation.
Managed folder: Each bucket can also contain managed folders, which grant or revoke additional access beyond the IAM permissions set on the bucket. Managed folders don't use a true directory tree structure; rather, a managed folder is a resource overlay used only for permission checking.
Tools for Cloud Storage
You can interact with Cloud Storage by using the following tools:
Cloud de Confiance console: The Cloud de Confiance console provides a visual interface for you to manage your data in a browser.
Google Cloud CLI: The gcloud CLI lets you interact with Cloud Storage through a terminal using gcloud storage commands.
Client libraries: The Cloud Storage client libraries allow you to manage your data using one of your preferred languages, including C++, C#, Go, Java, Node.js, PHP, Python, and Ruby.
Terraform: Terraform is an infrastructure-as-code (IaC) tool that you can use to provision the infrastructure for Cloud Storage. For more information, see Provision resources with Cloud Storage.
Cloud Storage FUSE: Cloud Storage FUSE lets you mount Cloud Storage buckets to your local file system. This enables your applications to read from a bucket or write to a bucket by using standard file system semantics.
Securing your data
Once you upload your objects to Cloud Storage, you have fine-grained control over how you secure and share your data. Here are some ways to secure the data you upload to Cloud Storage:
Identity and Access Management: Use IAM to control who has access to the resources in your Cloud de Confiance project. Resources include Cloud Storage buckets and objects, as well as other Cloud de Confiance entities such as Compute Engine instances. You can grant principals certain types of access to buckets and objects, such as update, create, or delete.
Data encryption: Cloud Storage uses server-side encryption to encrypt your data by default. You can also use supplemental data encryption options such as customer-managed encryption keys and customer-supplied encryption keys.
Authentication: Ensure that anyone who accesses your data has proper credentials.
Bucket Lock: Govern how long objects in buckets must be retained by specifying a retention policy.
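The following added example (not part of the original page or of any Cloud Storage library) audits which grants cover an object when a bucket-level IAM policy is combined with managed folder policies, and flags public exposure. It assumes a simplified model: policies use the IAM JSON shape (bindings with role and members), a managed folder's bindings cover objects whose names start with the folder name, and IAM conditions, deny policies, and ACLs are ignored; all policies and names below are constructed.

```python
# Constructed sample policies in the IAM policy JSON shape (bindings -> role, members).
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:staff@example.com"]},
]}
FOLDER_POLICIES = {  # managed folder name -> policy set on that managed folder
    "public/": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]},
    "public/drafts/": {"bindings": [
        {"role": "roles/storage.objectCreator", "members": ["user:editor@example.com"]},
    ]},
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def effective_grants(object_name, bucket_policy, folder_policies):
    """Return {(role, member): [sources]} for every grant that covers object_name."""
    sources = [("bucket", bucket_policy)]
    for folder, policy in sorted(folder_policies.items()):
        prefix = folder if folder.endswith("/") else folder + "/"
        # Compare whole path segments so "public/" does not match "publicity/...".
        if object_name.startswith(prefix):
            sources.append((prefix, policy))
    grants = {}
    for source, policy in sources:
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                grants.setdefault((binding["role"], member), []).append(source)
    return grants


def public_grants(object_name, bucket_policy, folder_policies):
    """List (role, member, source) for grants that expose the object publicly."""
    grants = effective_grants(object_name, bucket_policy, folder_policies)
    return sorted(
        (role, member, source)
        for (role, member), srcs in grants.items() if member in PUBLIC_MEMBERS
        for source in srcs
    )


if __name__ == "__main__":
    for name in ("public/logo.png", "publicity/plan.txt", "private/payroll.csv"):
        print(name, public_grants(name, BUCKET_POLICY, FOLDER_POLICIES))
```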
Resource names
Each resource has a unique name that identifies it, much like a filename.
Buckets have a resource name in the form of projects/_/buckets/BUCKET_NAME, where BUCKET_NAME is the ID of the bucket. Objects have a resource name in the form of projects/_/buckets/BUCKET_NAME/objects/OBJECT_NAME, where OBJECT_NAME is the ID of the object.
A #NUMBER appended to the end of the resource name indicates a specific generation of the object. #0 is a special identifier for the most recent version of an object. #0 is useful to add when the name of the object ends in a string that would otherwise be interpreted as a generation number.
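As an added example (not code from the original page or from a Cloud Storage client library), the parser below splits these resource names into bucket, object, and generation, and shows why #0 is needed when an object name itself ends in #NUMBER. The function and type names are hypothetical, and it assumes bucket names contain neither "/" nor "#".

```python
import re
from typing import NamedTuple, Optional


class ResourceName(NamedTuple):
    bucket: str
    object_name: Optional[str]  # None for a bucket resource name
    generation: Optional[int]   # None = not stated, 0 = most recent version


_BUCKET = re.compile(r"projects/_/buckets/([^/#]+)\Z")
_OBJECT = re.compile(r"projects/_/buckets/([^/#]+)/objects/(.+)\Z", re.DOTALL)
_GENERATION = re.compile(r"(.*)#(\d+)\Z", re.DOTALL)


def parse_resource_name(name: str) -> ResourceName:
    """Parse a bucket or object resource name; a trailing #NUMBER is a generation."""
    m = _BUCKET.match(name)
    if m:
        return ResourceName(m.group(1), None, None)
    m = _OBJECT.match(name)
    if not m:
        raise ValueError(f"not a Cloud Storage resource name: {name!r}")
    bucket, rest = m.groups()
    g = _GENERATION.match(rest)
    if g and g.group(1):
        # Only the last '#digits' suffix is the generation; earlier '#' stay in the name.
        return ResourceName(bucket, g.group(1), int(g.group(2)))
    return ResourceName(bucket, rest, None)


def format_resource_name(bucket: str, object_name: str,
                         generation: Optional[int] = None) -> str:
    """Build an object resource name, adding #0 when the name would be misread."""
    base = f"projects/_/buckets/{bucket}/objects/{object_name}"
    if generation is not None:
        return f"{base}#{generation}"
    if _GENERATION.match(object_name):
        return f"{base}#0"  # object name ends in '#digits': pin "most recent"
    return base
```

Without the #0 suffix, an object named report#7 would parse as generation 7 of an object named report, which matters when resource names from logs are matched against an inventory.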
Quickstart guides
To learn the fundamentals of using Cloud Storage, visit the following guides:
Looking for other products?
If Cloud Storage is not the right storage solution for you, see more information about the following storage services:
Google Cloud Managed Lustre: Store your data in a high-performance, fully managed parallel file system that's optimized for AI and HPC workloads.
Explore more storage services offered by S3NS.
What's next
- Learn the fundamentals of Cloud Storage through the Cloud de Confiance console or Google Cloud CLI.
- Get started with client libraries.