Skip to main content

Storagebuckets

  1. IAM Member for KMS Encryption:

    • Grants a service account the role of roles/cloudkms.cryptoKeyEncrypterDecrypter for the project, enabling it to encrypt and decrypt data using the specified KMS key.

  2. Google Cloud Storage Buckets:

    • care-facility: A bucket for storing facility images.
    • care-patient-data: A bucket for storing patient files.
      • Both buckets share similar configurations:
        • Naming Convention: Follows a specific pattern based on the project name and region.
        • Location: Specifies the region for data storage.
        • Storage Class: Utilizes the STANDARD storage class for general-purpose storage.
        • Versioning: Enabled to retain multiple versions of objects.
        • Encryption: Configured to utilize the KMS key specified in a remote Terraform state for data encryption.
        • Dependency: Relies on the IAM member resource to ensure proper sequencing during deployment.
        • Public Access Restriction: Enforced to prevent unauthorized public access to the buckets.
        • Labels: Optional labels for organizing and categorizing resources.
        • Uniform Bucket Level Access: Activated to regulate access to buckets and objects using IAM policies.

  3. IAM Policy Management for Buckets:

    • Assigns the role of roles/storage.admin to a designated user (example@mail.com) for each bucket, granting administrative privileges to manage the buckets and their contents.

  4. Configure CORS:

    • Activates Cloud Shell for executing commands.
    • Provides a sample bucket-config.json file containing CORS configuration settings.
    • Instructs users to replace the placeholder origins with their actual deployed frontend URLs.
    • Guides users to apply the CORS configuration for both buckets using the gcloud CLI.

Here's the CORS configuration code for bucket-config.json:

[
   {
     "origin": ["https://care.ohc.network", "https://care.coronasafe.in"],
     "method": ["GET", "PUT"],
     "responseHeader": ["*"],
     "maxAgeSeconds": 3600
   }
]

Following this configuration, users can execute the following commands in Cloud Shell to apply the CORS configuration to each bucket:

gcloud storage buckets update gs://<prefix>-care-facility --cors-file=bucket-config.json
gcloud storage buckets update gs://<prefix>-care-patient-data --cors-file=bucket-config.json

Setup ensures the creation of secure storage buckets with proper encryption, access controls, and CORS configuration in Google Cloud Storage.