
Creating a Cloud Storage Bucket

This guide provides the step-by-step process for provisioning a new, secure Google Cloud Storage bucket using Infrastream.

By default, all buckets created by the platform are private, encrypted at rest, and have versioning enabled to protect against accidental data loss. As a user, you will define the bucket in its own manifest file and then grant your application permission to access it.


Prerequisites

  • You must have an existing Application manifest to grant access to.
  • You need to know the identity of your project: organization, organizational-unit, environment, and project.

Step 1: Create a New Manifest File for the Bucket

First, create a new YAML file for your bucket inside your infrastream-manifests Git repository.

Note on File Location: Unlike legacy systems, the Infrastream Engine does not require manifests to be placed in a specific directory structure. You have the flexibility to organize your repository in the way that best suits your team. The Engine automatically discovers all manifest files and resolves their project identity using the values defined in the metadata block.

A common convention is to group buckets within a bucket subdirectory: ../project/{project-name}/bucket/{bucket-name}.yaml

Step 2: Define Your Bucket Manifest

Open your new file and add the following content. This manifest declares your intent to create a new storage bucket.

apiVersion: lowops.manifests.v1
kind: Bucket
metadata:
  name: transaction-receipts
  # The identity of your project is defined here:
  project: payment-gateway
  environment: production
  organizational-unit: retail-banking
  organization: fincorp
spec:
  region: us-central1
  storageClass: STANDARD
  scanForMalware: true

Note: The computed block for a Bucket manifest is read-only and should not be defined in your manifest. It will be populated by the platform with output values like the globally unique bucket name.

Step 3: Grant Your Application Access to the Bucket

By default, no application can access your new bucket. You must explicitly grant access by editing your application's manifest.

Locate your Application manifest file (e.g., ../application/payment-api.yaml). Inside its spec block, add an accessControl section to reference the bucket.

# In your Application manifest (e.g., payment-api.yaml)
# ... apiVersion, kind, metadata ...
spec:
  # ... other application settings like source, target ...

  accessControl:
    buckets:
      - name: transaction-receipts
        permission: WRITE # Can be READ or WRITE
        path: "processed/*" # Optional: Restrict access to a specific path

This configuration instructs Infrastream to grant the payment-api application's identity the ability to read and write objects within the transaction-receipts bucket, but only under the processed/ path.
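Before opening the pull request, it is worth checking that the two manifests agree with each other: the bucket referenced under accessControl must exist as a Bucket manifest with the same project identity (the Engine resolves identity from the metadata block, not from the file path), the permission must be READ or WRITE, and the read-only computed block must not appear in the bucket manifest. The following Python script is an added example and is not part of Infrastream or its documentation. The manifests from Steps 2 and 3 are embedded as already-parsed dictionaries (in practice you would load the YAML files with yaml.safe_load); the function names and the scanForMalware policy check are assumptions made for this example.

```python
"""Pre-merge consistency check for a Bucket manifest and an Application's accessControl entry.

Added example, not Infrastream code. The manifests below are constructed samples
matching Steps 2 and 3 of the guide, in the form yaml.safe_load would return.
"""
from __future__ import annotations

# Identity keys the Engine reads from the metadata block (see Prerequisites).
IDENTITY_KEYS = ("organization", "organizational-unit", "environment", "project")
VALID_PERMISSIONS = {"READ", "WRITE"}

# Constructed sample: the Bucket manifest from Step 2.
BUCKET_MANIFEST = {
    "apiVersion": "lowops.manifests.v1",
    "kind": "Bucket",
    "metadata": {
        "name": "transaction-receipts",
        "project": "payment-gateway",
        "environment": "production",
        "organizational-unit": "retail-banking",
        "organization": "fincorp",
    },
    "spec": {"region": "us-central1", "storageClass": "STANDARD", "scanForMalware": True},
}

# Constructed sample: the relevant part of the Application manifest from Step 3.
APP_MANIFEST = {
    "apiVersion": "lowops.manifests.v1",
    "kind": "Application",
    "metadata": {
        "name": "payment-api",
        "project": "payment-gateway",
        "environment": "production",
        "organizational-unit": "retail-banking",
        "organization": "fincorp",
    },
    "spec": {
        "accessControl": {
            "buckets": [
                {"name": "transaction-receipts", "permission": "WRITE", "path": "processed/*"},
            ]
        }
    },
}


def identity(manifest: dict) -> tuple:
    """Project identity resolved from the metadata block, the way the Engine does it."""
    meta = manifest.get("metadata") or {}
    return tuple(meta.get(k) for k in IDENTITY_KEYS)


def check_bucket_manifest(manifest: dict) -> list[str]:
    """Return a list of problems with a Bucket manifest (empty list means OK)."""
    problems = []
    if manifest.get("kind") != "Bucket":
        problems.append("kind must be Bucket")
    meta = manifest.get("metadata") or {}
    for key in ("name",) + IDENTITY_KEYS:
        if not meta.get(key):
            problems.append(f"metadata.{key} is missing")
    # The computed block is populated by the platform and is read-only.
    if "computed" in manifest:
        problems.append("computed block is read-only and must not be set in the manifest")
    # Assumed team policy for this example: malware scanning stays on.
    if (manifest.get("spec") or {}).get("scanForMalware") is not True:
        problems.append("spec.scanForMalware should be true")
    return problems


def check_access_control(app: dict, bucket_manifests: list[dict]) -> list[str]:
    """Validate each accessControl.buckets entry of an Application against the
    Bucket manifests discovered in the repository, matched by identity plus name."""
    problems = []
    known = {identity(b) + ((b.get("metadata") or {}).get("name"),) for b in bucket_manifests}
    entries = ((app.get("spec") or {}).get("accessControl") or {}).get("buckets") or []
    for entry in entries:
        name = entry.get("name")
        if identity(app) + (name,) not in known:
            problems.append(f"bucket {name!r}: no Bucket manifest with the same project identity")
        if entry.get("permission") not in VALID_PERMISSIONS:
            problems.append(f"bucket {name!r}: permission must be READ or WRITE")
        path = entry.get("path")  # optional path restriction
        if path is not None and (not isinstance(path, str) or not path):
            problems.append(f"bucket {name!r}: path, if given, must be a non-empty string")
    return problems


if __name__ == "__main__":
    print("bucket manifest:", check_bucket_manifest(BUCKET_MANIFEST) or "OK")
    print("access control: ", check_access_control(APP_MANIFEST, [BUCKET_MANIFEST]) or "OK")
```

Running the script on the two sample manifests reports OK for both; pointing the application at a bucket in a different project, or using a permission other than READ or WRITE, produces a finding before the PR reaches review.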

Step 4: Commit, Review, and Merge

Commit the changes to both your new bucket manifest and your updated application manifest in a single pull request.

After your PR is reviewed and approved, merge it. The platform will automatically provision the new bucket, create the specific, least-privilege IAM policy for your application, and restart the application with the permissions ready to use.