Cloud Storage
Overview
Cloud Storage is a fundamental resource in Google Cloud, with many advanced features. In this lab, you exercise many Cloud Storage features that could be useful in your designs. You explore Cloud Storage using both the console and the gsutil tool.
Objectives
In this lab, you learn how to perform the following tasks:
- Create and use buckets
- Set access control lists to restrict access
- Use your own encryption keys
- Implement version controls
- Use directory synchronization
- Share a bucket across projects using IAM
Qwiklabs setup
For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.
- Sign in to Qwiklabs using an incognito window.
- Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time. There is no pause feature. You can restart if needed, but you have to start at the beginning.
- When ready, click Start lab.
- Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.
- Click Open Google Console.
- Click Use another account and copy/paste credentials for this lab into the prompts. If you use other credentials, you'll receive errors or incur charges.
- Accept the terms and skip the recovery resource page.
Task 1. Preparation
Create a Cloud Storage bucket
- On the Navigation menu (), click Cloud Storage > Buckets.
Tip: include PROJECT_ID_1 in the bucket name to help make it unique. For example, if PROJECT_ID_1 is myproj-154920, your bucket name might be storecore154920.
- Click Create.
- Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified) |
---|---|
Name | Enter a globally unique name |
Location type | Region |
Region | |
Enforce public access prevention on this bucket | unchecked |
Access control | Fine-grained (object-level permission in addition to your bucket-level permissions) |
- Make a note of the bucket name. It will be used later in this lab and referred to as [BUCKET_NAME_1].
- Click Create.
Click Check my progress to verify the objective.
Download a sample file using CURL and make two copies
- In the Cloud Console, click Activate Cloud Shell ().
- If prompted, click Continue.
- Store [BUCKET_NAME_1] in an environment variable:
- Verify it with echo:
- Run the following command to download a sample file (this sample file is a publicly available Hadoop documentation HTML file):
- To make copies of the file, run the following commands:
Task 2. Access control lists (ACLs)
Copy the file to the bucket and configure the access control list
- Run the following command to copy the first file to the bucket:
- To get the default access list that's been assigned to setup.html, run the following command:
- To set the access list to private and verify the results, run the following commands:
- To update the access list to make the file publicly readable, run the following commands:
Click Check my progress to verify the objective.
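The ACL states that Task 2 walks through (private, then public-read) are easy to audit from the JSON that `gsutil acl get` prints. The following check is an added example, not part of the lab; the ACL samples and the `audit_objects` helper are constructed for illustration.

```python
"""Added check (not from the lab): read an object ACL in the JSON shape that
`gsutil acl get` prints and report whether it is publicly readable. The ACL
samples below are constructed to mirror the private and public states of
setup.html in Task 2; they are not captured lab output."""
import json

# Both special entities expose the object beyond the project: allUsers to
# anyone on the internet, allAuthenticatedUsers to any Google account.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def public_grants(acl_json: str) -> list[str]:
    """Return 'entity:role' for every public entry in the ACL (empty if none)."""
    entries = json.loads(acl_json)
    return sorted(f"{e['entity']}:{e['role']}" for e in entries
                  if e.get("entity") in PUBLIC_ENTITIES)


def audit_objects(acls_by_name: dict[str, str]) -> dict[str, list[str]]:
    """Map object name -> public grants, keeping only objects that have any."""
    report = {name: public_grants(acl) for name, acl in acls_by_name.items()}
    return {name: grants for name, grants in report.items() if grants}


# Constructed: after `acl set private`, only the owner entry remains.
PRIVATE_ACL = json.dumps([
    {"entity": "user-owner@example.com", "email": "owner@example.com", "role": "OWNER"},
])
# Constructed: after the public-read change an allUsers READER entry appears;
# this is the entry the console reflects as a "Public link".
PUBLIC_ACL = json.dumps([
    {"entity": "user-owner@example.com", "email": "owner@example.com", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
])
```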
Examine the file in the Cloud Console
- In the Cloud Console, on the Navigation menu (), click Cloud Storage > Buckets.
- Click [BUCKET_NAME_1].
- Verify that for file setup.html, Public access has a Public link available.
Delete the local file and copy back from Cloud Storage
- Return to Cloud Shell. If necessary, click Activate Cloud Shell ().
- Run the following command to delete the setup file:
- To verify that the file has been deleted, run the following command:
- To copy the file from the bucket again, run the following command:
Task 3. Customer-supplied encryption keys (CSEK)
Generate a CSEK key
For the next step, you need an AES-256 base-64 key.
- Run the following command to create a key:
Result (this is example output):
- Copy the value of the generated key, excluding the leading b' and the trailing \n', from the command output. The key should be in the form tmxElCaabWvJqR7uXEWQF39DhWTcDvChzuCmpHe6sb0=.
Modify the boto file
The encryption controls are contained in a gsutil configuration file named .boto.
- To view and open the boto file, run the following commands:
Note: If the .boto file is empty, close the nano editor with Ctrl+X and generate a new .boto file using the gsutil config -n command. Then, try opening the file again with the above commands. If the .boto file is still empty, you might have to locate it using the gsutil version -l command.
- Locate the line with "#encryption_key=".
- Uncomment the line by removing the # character, and paste the key you generated earlier at the end.
Example:
- Press Ctrl+O, ENTER to save the boto file, and then press Ctrl+X to exit nano.
Upload the remaining setup files (encrypted) and verify in the Cloud Console
- To upload the remaining setup.html files, run the following commands:
- Return to the Cloud Console.
- Click [BUCKET_NAME_1]. Both setup2.html and setup3.html files show that they are customer-encrypted.
Click Check my progress to verify the objective.
Delete local files, copy new files, and verify encryption
- To delete your local files, run the following command in Cloud Shell:
- To copy the files from the bucket again, run the following command:
- To cat the encrypted files to see whether they made it back, run the following commands:
Task 4. Rotate CSEK keys
Move the current CSEK encrypt key to decrypt key
- Run the following command to open the .boto file:
- Comment out the current encryption_key line by adding the # character to the beginning of the line.
- Uncomment decryption_key1 by removing the # character, and copy the current key from the encryption_key line to the decryption_key1 line.
Result (this is example output):
- Press Ctrl+O, ENTER to save the boto file, and then press Ctrl+X to exit nano.
Generate another CSEK key and add to the boto file
- Run the following command to generate a new key:
- Copy the value of the generated key, excluding the leading b' and the trailing \n', from the command output. The key should be in the form tmxElCaabWvJqR7uXEWQF39DhWTcDvChzuCmpHe6sb0=.
- To open the boto file, run the following command:
- Uncomment the encryption_key line and paste the new key value after encryption_key=.
Result (this is example output):
- Press Ctrl+O, ENTER to save the boto file, and then press Ctrl+X to exit nano.
Rewrite the key for file 1 and comment out the old decrypt key
When an object is customer-encrypted, rewriting it decrypts it with the decryption_key1 you just set (the old key) and re-encrypts it with the new encryption_key.
You are rewriting the key for setup2.html, but not for setup3.html, so that you can see what happens if you don't rotate the keys properly.
- Run the following command:
- To open the boto file, run the following command:
- Comment out the current decryption_key1 line by adding the # character back in.
Result (this is example output):
- Press Ctrl+O, ENTER to save the boto file, and then press Ctrl+X to exit nano.
Download setup2.html and setup3.html
- To download setup2.html, run the following command:
- To download setup3.html, run the following command:
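The key generation in Task 3 and the .boto edits in Task 4 can be done as plain text operations. The block below is an added example, not a lab command: `new_csek`, `rotate_boto` and `retire_decryption_key` are assumed helper names, and the .boto text passed to them is constructed by the caller.

```python
"""Added helpers (not part of the lab): generate a CSEK in the form the lab
pastes into .boto, derive the hash Cloud Storage keeps for a customer-
encrypted object, and apply the Task 4 .boto key rotation as text edits."""
import base64
import hashlib
import os
import re


def new_csek() -> str:
    # 32 random bytes in standard base64 (44 chars). Unlike printing
    # base64.encodebytes() output, there is no b'...\n' wrapper to trim.
    return base64.b64encode(os.urandom(32)).decode()


def check_csek(key_b64: str) -> bytes:
    """Reject anything that is not exactly a 256-bit key."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"CSEK must decode to 32 bytes, got {len(raw)}")
    return raw


def csek_sha256(key_b64: str) -> str:
    """Cloud Storage stores only this hash of the key (keySha256 in object
    metadata), never the key itself: lose the key and the data is unreadable."""
    return base64.b64encode(hashlib.sha256(check_csek(key_b64)).digest()).decode()


def rotate_boto(boto_text: str, new_key: str) -> str:
    """Task 4 steps 1-2: the active encryption_key moves to decryption_key1
    (so existing objects stay readable) and new_key becomes encryption_key."""
    m = re.search(r"^encryption_key=(\S+)$", boto_text, re.M)
    if not m:
        raise ValueError("no active encryption_key line in .boto")
    old_key = m.group(1)
    check_csek(new_key)
    text = boto_text
    if re.search(r"^#?decryption_key1=", text, re.M):
        text = re.sub(r"^#?decryption_key1=.*$", f"decryption_key1={old_key}", text, count=1, flags=re.M)
    else:
        text = text.rstrip("\n") + f"\ndecryption_key1={old_key}\n"
    return re.sub(r"^encryption_key=.*$", f"encryption_key={new_key}", text, count=1, flags=re.M)


def retire_decryption_key(boto_text: str) -> str:
    """Task 4 last step: comment decryption_key1 out again. Do this only after
    every object has been rewritten; an object still encrypted under the old
    key (setup3.html in the lab) cannot be decrypted once the key is gone."""
    return re.sub(r"^decryption_key1=", "#decryption_key1=", boto_text, count=1, flags=re.M)
```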
Task 5. Enable lifecycle management
View the current lifecycle policy for the bucket
- Run the following command to view the current lifecycle policy:
Create a JSON lifecycle policy file
- To create a file named life.json, run the following command:
- Paste the following value into the life.json file:
- Press Ctrl+O, ENTER to save the file, and then press Ctrl+X to exit nano.
Set the policy and verify
- To set the policy, run the following command:
- To verify the policy, run the following command:
Click Check my progress to verify the objective.
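The lab's policy deletes objects after 31 days, and Task 6 then turns on versioning for the same bucket; the two interact. The block below is an added example, not lab code: it rebuilds the life.json shape, adds a small evaluator for the documented age, isLive and numNewerVersions conditions, and applies it to constructed object versions to show which ones a Delete rule actually removes on a versioned bucket.

```python
"""Added example (not from the lab): the Task 5 lifecycle policy plus an
evaluator for three documented conditions. Objects below are constructed."""
import json

# Same shape as the lab's life.json: delete objects older than 31 days.
LIFE_JSON = json.dumps({"rule": [{"action": {"type": "Delete"},
                                  "condition": {"age": 31}}]}, indent=2)

# Safer clean-up for a versioned bucket: only prune old noncurrent versions.
VERSIONED_CLEANUP_JSON = json.dumps({"rule": [{"action": {"type": "Delete"},
    "condition": {"isLive": False, "numNewerVersions": 2}}]})


def condition_matches(cond: dict, obj: dict) -> bool:
    """Every field present in the condition must hold for the rule to fire."""
    if "age" in cond and obj["age_days"] < cond["age"]:
        return False
    if "isLive" in cond and obj["is_live"] != cond["isLive"]:
        return False
    if "numNewerVersions" in cond and obj["newer_versions"] < cond["numNewerVersions"]:
        return False
    return True


def apply_policy(policy_json: str, objects: list[dict], versioning: bool) -> dict:
    """Return {object name: outcome}. With versioning on, Delete on a live
    object only makes it noncurrent; a noncurrent version is removed for good."""
    rules = json.loads(policy_json)["rule"]
    outcome = {}
    for obj in objects:
        outcome[obj["name"]] = "kept"
        for rule in rules:
            if rule["action"]["type"] == "Delete" and condition_matches(rule["condition"], obj):
                if versioning and obj["is_live"]:
                    outcome[obj["name"]] = "made noncurrent"
                else:
                    outcome[obj["name"]] = "deleted"
                break
    return outcome


# Constructed: live setup.html plus the two older generations Task 6 creates.
SAMPLE_OBJECTS = [
    {"name": "setup.html#3", "age_days": 2, "is_live": True, "newer_versions": 0},
    {"name": "setup.html#2", "age_days": 40, "is_live": False, "newer_versions": 1},
    {"name": "setup.html#1", "age_days": 90, "is_live": False, "newer_versions": 2},
]
```

Under the lab's age-only rule the two noncurrent versions are gone after 31 days, so the recovery step in Task 6 would fail for them; the isLive/numNewerVersions rule keeps the most recent noncurrent copy.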
Task 6. Enable versioning
View the versioning status for the bucket and enable versioning
- Run the following command to view the current versioning status for the bucket:
- To enable versioning, run the following command:
- To verify that versioning was enabled, run the following command:
Click Check my progress to verify the objective.
Create several versions of the sample file in the bucket
- Check the size of the sample file:
- Open the setup.html file:
- Delete any 5 lines from setup.html to change the size of the file.
- Press Ctrl+O, ENTER to save the file, and then press Ctrl+X to exit nano.
- Copy the file to the bucket with the -v versioning option:
- Open the setup.html file:
- Delete another 5 lines from setup.html to change the size of the file.
- Press Ctrl+O, ENTER to save the file, and then press Ctrl+X to exit nano.
- Copy the file to the bucket with the -v versioning option:
List all versions of the file
- To list all versions of the file, run the following command:
- Highlight and copy the name of the oldest version of the file (the first listed), referred to as [VERSION_NAME] in the next step.
- Store the version value in the environment variable [VERSION_NAME].
- Verify it with echo:
Result (this is example output):
Download the oldest, original version of the file and verify recovery
- Download the original version of the file:
- To verify recovery, run the following commands:
Task 7. Synchronize a directory to a bucket
Make a nested directory and sync with a bucket
Make a nested directory structure so that you can examine what happens when it is recursively copied to a bucket.
- Run the following commands:
- To sync the firstlevel directory on the VM with your bucket, run the following command:
Examine the results
- In the Cloud Console, on the Navigation menu (), click Cloud Storage > Buckets.
- Click [BUCKET_NAME_1]. Notice the subfolders in the bucket.
- Click on /firstlevel and then on /secondlevel.
- Compare what you see in the Cloud Console with the results of the following command:
- Exit Cloud Shell:
Task 8. Cross-project sharing
Switch to the second project
- Open a new incognito tab.
- Navigate to console.cloud.google.com to open a Cloud Console.
- Click the project selector dropdown in the title bar.
- Click All, and then click the second project provided for you in the Qwiklabs Connection Details dialog. Remember that the Project ID is a unique name across all Google Cloud projects. The second project ID will be referred to as [PROJECT_ID_2].
Prepare the bucket
- In the Cloud Console, on the Navigation menu (), click Cloud Storage > Buckets.
- Click Create.
- Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified) |
---|---|
Name | Enter a globally unique name |
Location type | Region |
Region | |
Access control | Fine-grained (object-level permission in addition to your bucket-level permissions) |
- Note the bucket name. It will be referred to as [BUCKET_NAME_2] in the following steps.
- Click Create.
Upload a text file to the bucket
- Upload a file to [BUCKET_NAME_2]. Any small example file or text file will do.
- Note the file name (referred to as [FILE_NAME]); you will use it later.
Create an IAM Service Account
- In the Cloud Console, on the Navigation menu (), click IAM & admin > Service accounts.
- Click Create service account.
- On the Service account details page, specify the Service account name as cross-project-storage.
- Click Create and Continue.
- On the Service account permissions page, specify the role as Cloud Storage > Storage Object Viewer.
- Click Continue and then Done.
- Click the cross-project-storage service account to add the JSON key.
- In Keys tab, click Add Key dropdown and select Create new key.
- Select JSON as the key type and click Create. A JSON key file will be downloaded. You will need to find this key file and upload it into the VM in a later step.
- Click Close.
- On your hard drive, rename the JSON key file to credentials.json.
- In the upper pane, switch back to [PROJECT_ID_1].
Click Check my progress to verify the objective.
Create a VM
- On the Navigation menu (), click Compute Engine > VM instances.
- Click Create Instance.
- Specify the following, and leave the remaining settings as their defaults:
Property | Value (type value or select option as specified) |
---|---|
Name | crossproject |
Region | |
Zone | |
Series | E2 |
Machine type | e2-medium |
Boot disk | Debian GNU/Linux 11 (bullseye) |
- Click Create.
SSH to the VM
- For crossproject, click SSH to launch a terminal and connect.
- Store [BUCKET_NAME_2] in an environment variable:
- Verify it with echo:
- Store [FILE_NAME] in an environment variable:
- Verify it with echo:
- List the files in [PROJECT_ID_2]:
Result (this is example output):
Authorize the VM
- To upload credentials.json through the SSH VM terminal, click on the up arrow icon () in the upper-right corner, and then click Upload file.
- Select credentials.json and upload it.
- Click Close in the File Transfer window.
- Verify that the JSON file has been uploaded to the VM:
Result (this is example output):
- Enter the following command in the terminal to authorize the VM to use the Google Cloud API:
Note: The image you are using has the Google Cloud SDK pre-installed; therefore, you don't need to initialize the Google Cloud SDK. If you are attempting this lab in a different environment, make sure you have followed the procedures from the Install the gcloud CLI guide regarding installing the Google Cloud SDK.
Verify access
- Retry this command:
- Retry this command:
- Try to copy the credentials file to the bucket:
Result (this is example output):
Modify role
- In the upper pane, switch back to [PROJECT_ID_2].
- In the Cloud Console, on the Navigation menu (), click IAM & admin > IAM.
- Click the pencil icon for the cross-project-storage service account (You might have to scroll to the right to see this icon).
- Click on the Storage Object Viewer role, and then click Cloud Storage > Storage Object Admin.
- Click Save. If you don't click Save, the change will not be made.
Click Check my progress to verify the objective.
Verify changed access
- Return to the SSH terminal for crossproject.
- Copy the credentials file to the bucket:
Result (this is example output):
Note: In this example the VM in PROJECT_ID_1 can now upload files to Cloud Storage in a bucket that was created in another project.
PROJECT_ID_1, but instead to PROJECT_ID_2.
Task 9. Review
In this lab you learned to create and work with buckets and objects, and you learned about the following features for Cloud Storage:
- CSEK: Customer-supplied encryption key
  - Use your own encryption keys
  - Rotate keys
- ACL: Access control list
  - Set an ACL for private, and modify to public
- Lifecycle management
  - Set policy to delete objects after 31 days
- Versioning
  - Create a version and restore a previous version
- Directory synchronization
  - Recursively synchronize a VM directory with a bucket
- Cross-project resource sharing using IAM
  - Use IAM to enable access to resources across projects
End your lab
When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.
You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.
The number of stars indicates the following:
- 1 star = Very dissatisfied
- 2 stars = Dissatisfied
- 3 stars = Neutral
- 4 stars = Satisfied
- 5 stars = Very satisfied
You can close the dialog box if you don't want to provide feedback.
For feedback, suggestions, or corrections, please use the Support tab.
Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.