Use object contexts

This page describes how to attach and manage contexts on Cloud Storage objects in the form of key-value pairs.

Get the required roles

To get the permissions that you need to create and manage object contexts, ask your administrator to grant you the following IAM roles on object:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create and manage object contexts. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to create and manage object contexts:

  • Create an object with object contexts:
    • storage.objects.create
    • storage.objects.createContext
  • Attach, update, and delete object contexts:
    • storage.objects.update
    • storage.objects.createContext
    • storage.objects.updateContext
    • storage.objects.deleteContext
  • View object contexts:
    • storage.objects.get
    • storage.objects.list

You might also be able to get these permissions with custom roles or other predefined roles.

Attach contexts to new objects

Attach contexts to objects when you upload new objects to Cloud Storage buckets. Each context consists of a key and a value.

JSON API

To attach contexts to objects when you upload new objects, use any of the following methods:

Attach or modify contexts to an existing object

You can attach new contexts to your existing objects in the Cloud Storage buckets.

JSON API

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Create a JSON file that contains the settings for the object, which must include the contexts configuration fields for the object.

    To add, modify, or overwrite existing contexts, use the following format:

      {
    "contexts": {
      "custom": {
        "KEY": {
          "value": "VALUE"
        },
        ...
      }
    }
  }

    Where:

    • KEY is the context key to attach to an object. For example, Department. You can specify multiple key-value pairs in the custom object.

    • VALUE is the value to associate with the context key. For example, Human resources.

      To delete all existing contexts, use the following format:

      {
  "contexts": {
    "custom": null
  }
}

      To delete a specific key from the context, use the following format:

      {
  "contexts": {
    "custom": {
      "KEY": null,
      ...
    }
  }
}

      Where:

      KEY is the context key that you want to delete from an object. For example, Department. You can specify multiple keys to delete from the custom object.

  3. Use cURL to call the JSON API with an PATCH Object request:

    curl -X PATCH --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://storage.s3nsapis.fr/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME"

    Where:

    • JSON_FILE_NAME is the path to the file that includes the object contexts information.
    • BUCKET_NAME is the name of the bucket that contains the object for which you want to edit context. For example, my-bucket.
    • OBJECT_NAME is the URL-encoded name of the object. For example, pets/dog.png is URL-encoded as pets%2Fdog.png.

Alternatively, you can replace an object's context with a PUT Object request. The PUT object request also replaces other object metadata. Therefore, we don't recommend using the PUT object request.

View object contexts

You can view an object's contexts by listing object metadata or describing a specific object.

JSON API

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Use cURL to call the JSON API with a GET Object request:

    curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://storage.s3nsapis.fr/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME"

    Where:

    • BUCKET_NAME is the name of the bucket containing the object whose context you want to view. For example, my-bucket.
    • OBJECT_NAME is the URL-encoded name of the object whose context you want to view. For example, pets/dog.png, URL-encoded as pets%2Fdog.png.

    If successful, the response looks similar to the following example:

      {
    "kind": "storage#object",
    "name": "employees.txt",
    "bucket": "my-bucket",
    "contexts": {
      "custom": {
        "Department": {
          "value": "HR",
          "createTime": "2023-01-01T00:00:00.000Z",
          "updateTime": "2023-01-01T00:00:00.000Z"
        },
        "DataClassification": {
          "value": "Confidential",
          "createTime": "2023-01-01T00:00:00.000Z",
          "updateTime": "2023-01-01T00:00:00.000Z"
        }
      }
    }
  }

Filter objects by contexts

Filter objects by the existence of object context keys or their specific values. Filtering objects by contexts helps to locate and manage particular groups of objects efficiently. For details, see Filter by object contexts.

Manage object contexts during object operations

Object contexts are preserved by default when you copy, rewrite, compose, move, or restore objects. You can also modify contexts during the copy, rewrite, and compose operations.

JSON API

  • To modify contexts during a copy or a rewrite object operation, include the contexts.custom property in the request body. If you don't include this property, contexts from the source object are preserved by default.

  • When you compose objects, contexts from source objects merge into the destination object by default. Cloud Storage resolves conflicts by prioritizing contexts from source objects processed later. For more information about the object context behavior during a compose operation, see Composite object contexts. You can also specify new contexts for the destination object in the destination.contexts.custom property.

What's next