Enable and use object retention configurations (original) (raw)

Skip to main content

• Technology areas

  • Overview
  • Guides
  • Reference
  • Samples
  • Resources

• Cross-product tools

• Console

• Discover

• Product overview

• Storage Intelligence overview

• Get started

• Terraform support for Cloud Storage

• Configure and manage Storage Intelligence

• Create buckets

• Create a bucket

• Domain-named bucket verification

• Access and manage buckets

• List buckets

• Change the default storage class of a bucket

• Move and rename buckets

• Delete buckets

• Upload and download objects

• About objects

• Overview of uploads and downloads

• Access and manage objects

• List objects

• Copy, rename, and move objects

• Change an object's storage class

• Tools to access and manage objects using a directory structure

• Object transcoding

• Delete objects

• Get insights on your stored data

• Analyze stored data with Gemini Cloud Assist

• Cache objects

• About caching

• Control data lifecycles

• Options for controlling data lifecycles

• Make requests

• Consistency in Cloud Storage operations

• Batched requests

• Use long-running operations

• Paginate results

• URI wildcards

• Secure data

• Access control

  • Overview
  • Bucket IP filtering
    * Overview
    * Create a bucket with IP filtering rules
    * Create or update IP filtering rules on an existing bucket
    * Get IP bucket filtering rules
    * List bucket IP filtering rules
    * Delete bucket IP filtering rules
    * Disable bucket IP filtering
    * Bypass bucket IP filtering rules
  • Sharing and collaboration scenarios
  • Access control best practices

• Monitor data and usage

• Use Cloud Audit Logs with Cloud Storage

• Usage logs and storage logs

• Use Cloud Audit Logs with storage batch operations

• Use Cloud Logs with storage batch operations

• Use Cloud Audit Logs with Storage Insights

• Use gRPC client-side metrics

• Use client-side traces

• Protection, backup, and recovery

• Overview

• Soft delete

  • Overview
  • Set and manage soft delete policies
  • Use soft-deleted objects
  • Use soft-deleted buckets
  • Set a default soft delete retention duration
  • Use soft delete recommendations
  • Disable soft delete

• Mount buckets with Cloud Storage FUSE

• Overview

• Quickstart

• Install Cloud Storage FUSE

• Mount buckets

• Performance

  • Performance tuning best practices
  • Profile-based configurations for AI/ML workloads
  • Automated configuration values for high-performance machine types
  • Use pre-configured GKE YAML files to optimize Cloud Storage FUSE performance

• Work across products, Clouds, and platforms

• Best practices for media workloads

• Interoperability

• Use Cloud Storage with Big Data

• Integration with Google Cloud Platform services and tools

• Troubleshoot

• Troubleshooting common issues

• Troubleshooting Storage Insights issues

• Troubleshooting Cloud Storage FUSE issues

Enable and use object retention configurations

Overview

This page describes how to use the Object Retention Lock feature, including enabling it for a bucket and setting retention configurations for objects within the bucket.

Required roles

To get the permissions that you need to enable the Object Retention Lock feature for a bucket and set retention configurations on objects, ask your administrator to grant you the Storage Admin (roles/storage.admin) IAM role on the bucket or the project that contains the bucket. Thispredefined role contains the permissions required to set and manage retention configurations. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

• storage.buckets.create
• storage.buckets.enableObjectRetention
• storage.buckets.get
• storage.buckets.list
  • This permission is only required if you plan on using the Google Cloud console to perform the instructions on this page.
• storage.objects.get
• storage.objects.list
  • This permission is only required if you plan on using the Google Cloud console to perform the instructions on this page.
• storage.objects.overrideUnlockedRetention
  • This permission is only required if you plan on locking or shortening an existing retention configuration.
• storage.objects.setRetention
• storage.objects.update

You might also be able to get these permissions with custom roles.

For information about granting roles on buckets, seeSet and manage IAM policies on buckets. For information about granting roles on projects, see Manage access to projects.

Enable object retentions for a bucket

Use the following instructions to allow retention configurations for objects in a bucket. If you want to enable object retention configurations for an existing bucket, you must follow the Google Cloud console instructions.

Console

To enable object retention configurations for a new bucket:

1. Create a bucket as you normally would, and in the Choose how to protect object data step, select **Retention (For compliance)**followed by Enable object retention.

To enable object retention configurations for an existing bucket:

1. In the Google Cloud console, go to the Cloud Storage Buckets page.
   Go to Buckets
2. In the list of buckets, click the name of the bucket for which you want to enable object retentions.
3. Select the Protection tab near the top of the page.
   The bucket's object retention status is displayed in theObject retention section.
4. In the Object retention section, clickObject Retention Not Enabled.
5. In the dialog that appears, click Confirm.

Command line

Create a bucket as you normally would, and include the--enable-per-object-retention flag in the command.

Client libraries

C++

For more information, see theCloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

C#

For more information, see theCloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

Java

For more information, see theCloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

Node.js

For more information, see theCloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

PHP

For more information, see theCloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

Python

For more information, see theCloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

REST APIs

JSON API

Create a bucket as you normally would, and include the query parameter enableObjectRetention=true as part of the request.

XML API

Create a bucket as you normally would, and include the headerx-goog-bucket-object-lock-enabled: True as part of the request.

View a bucket's object retention status

To see if retention configurations can be set for objects in a bucket:

Console

1. In the Google Cloud console, go to the Cloud Storage Buckets page.
   Go to Buckets
2. Click the name of the bucket whose status you want to check.
3. Click the Protection tab.
4. The bucket's object retention status is displayed in theObject retention section.

Command line

Use the gcloud storage buckets describe command with the--format flag:

gcloud storage buckets describe gs://BUCKET_NAME --format="default(per_object_retention)"

Where BUCKET_NAME is the name of the bucket whose retention policy you want to view. For example, my-bucket.

If successful and a retention policy exists for the bucket, the response is similar to the following:

per_object_retention: mode: Enabled

If successful and a retention policy does not exist for the bucket, the response is similar to the following:

null

Client libraries

C++

For more information, see theCloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view a bucket's object retention configuration, follow the instructions for displaying a bucket's metadata and look for the object retention field in the response.

C#

For more information, see theCloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view a bucket's object retention configuration, follow the instructions for displaying a bucket's metadata and look for the object retention field in the response.

Java

For more information, see theCloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view a bucket's object retention configuration, follow the instructions for displaying a bucket's metadata and look for the object retention field in the response.

Node.js

For more information, see theCloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view a bucket's object retention configuration, follow the instructions for displaying a bucket's metadata and look for the object retention field in the response.

PHP

For more information, see theCloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view a bucket's object retention configuration, follow the instructions for displaying a bucket's metadata and look for the object retention field in the response.

Python

For more information, see theCloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view a bucket's object retention configuration, follow the instructions for displaying a bucket's metadata and look for the object retention field in the response.

REST APIs

JSON API

1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Use cURL to call the JSON API with aGET Bucket request that includes the objectRetention field:
   curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=objectRetention"
   Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.

XML API

1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Use cURL to call the XML API with aGET Bucket request scoped to ?object-lock:
   curl -X GET \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   "https://storage.googleapis.com/BUCKET_NAME?object-lock"
   Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.

Set an object's retention configuration

In order to set a retention configuration for an object, the object must be stored in a bucket for which object retentions are enabled. To set a retention configuration for an object:

Console

1. In the Google Cloud console, go to the Cloud Storage Buckets page.
   Go to Buckets
2. In the list of buckets, click the name of the bucket that contains the object whose retention configuration you want to set or modify.
   The Bucket details page opens, with the Objects tab selected.
3. Navigate to the object, which might be located in a folder.
4. Click the name of the object.
   The Object details page opens, which displays object metadata.
5. In the Protection section, click the Edit icon () associated with From object retention configuration.
   The Edit retention pane opens.
6. In the Object retention configuration section, click Enabledor Disabled.
   1. If the retention configuration is enabled, select a date and time for the configuration in the Retain until time section, and click Unlocked or Locked in the Retention mode section.
7. Click Confirm.

Command line

Use the gcloud storage objects update command with the appropriate flags. To add or modify a retention configuration, use the following command. Note that you must additionally include the--override-unlocked-retention flag if you are modifying an existing configuration in a way that locks it or shortens its retain-until time:

gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --retain-until=DATETIME --retention-mode=STATE

Where:

• BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
• OBJECT_NAME is the name of the relevant object. For example, kitten.png.
• DATETIME is the earliest date and time that the object can be deleted. For example, 2028-02-15T05:30:00Z.
• STATE is either Locked or Unlocked.

If successful, the response looks similar to the following example:

Updating gs://my-bucket/kitten.png... Completed 1

To remove a retention configuration from an object, use the following command:

gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --clear-retention --override-unlocked-retention

Where:

• BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
• OBJECT_NAME is the name of the relevant object. For example, kitten.png.

Client libraries

C++

For more information, see theCloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

C#

For more information, see theCloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

Java

For more information, see theCloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

Node.js

For more information, see theCloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

PHP

For more information, see theCloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

Python

For more information, see theCloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

REST APIs

JSON API

1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Create a JSON file that contains the following information:
   {
   "retention": {
   "mode": STATE,
   "retainUntilTime": "DATETIME"
   }
   }
   Where:
   • STATE is either Locked or Unlocked.
   • DATETIME is the earliest date and time that the object can be deleted. For example,2028-02-15T05:30:00Z.
3. Use cURL to call the JSON API with aPATCH Object request:
   curl -X PATCH --data-binary @JSON_FILE_NAME \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Content-Type: application/json" \
   "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME?overrideUnlockedRetention=BOOLEAN"
   Where:
   • JSON_FILE_NAME is the path for the file that you created in Step 2.
   • BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
   • OBJECT_NAME is the URL-encoded name of the relevant object. For example, pets/kitten.png, URL-encoded aspets%2Fkitten.png.
   • BOOLEAN must be true if the request shortens, removes, or locks an existing retention configuration. Otherwise, the overrideUnlockedRetention parameter can be excluded from the request entirely.

XML API

1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Create an XML file that contains the following information: STATE DATETIME Where: * `STATE` is either `GOVERNANCE` or`COMPLIANCE`. * `DATETIME` is the earliest date and time that the object can be deleted. For example,`2028-02-15T05:30:00Z`.
3. Use cURL to call the XML API with aPUT Object request scoped to ?retention:
   curl -X PUT --data-binary @XML_FILE_NAME \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "x-goog-bypass-governance-retention: BOOLEAN" \
   "https://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME?retention"
   Where:
   • XML_FILE_NAME is the path for the XML file that you created in Step 2.
   • BOOLEAN must be true if the request shortens, removes, or locks an existing retention configuration. Otherwise, the x-goog-bypass-governance-retention header can be excluded from the request entirely.
   • BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
   • OBJECT_NAME is the URL-encoded name of the relevant object. For example, pets/kitten.png, URL-encoded aspets%2Fkitten.png.

View an object's retention configuration

To view what, if any, retention configuration is set on an object:

Console

1. In the Google Cloud console, go to the Cloud Storage Buckets page.
   Go to Buckets
2. In the list of buckets, click the name of the bucket that contains the object whose retention configuration you want to view.
   The Bucket details page opens, with the Objects tab selected.
3. Navigate to the object, which might be located in a folder.
4. Click the name of the object.
   The Object details page opens, which displays object metadata. Information about any retention configuration the object has is shown in the Protection section.

Command line

Use the gcloud storage objects describe command with the--format flag:

gcloud storage objects describe gs://BUCKET_NAME/OBJECT_NAME --format="default(retention_settings)"

Where:

• BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
• OBJECT_NAME is the name of the relevant object. For example, kitten.png.

If successful and a retention configuration exists for the object, the response is similar to the following:

retention_settings: mode: Unlocked retainUntilTime: '2028-11-30T14:11:14+00:00'

If successful and a retention configuration does not exist for the object, the response is similar to the following:

null

Client libraries

C++

For more information, see theCloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view an object's retention configuration, follow the instructions for displaying a object's metadata and look for the retention field in the response.

C#

For more information, see theCloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view an object's retention configuration, follow the instructions for displaying a object's metadata and look for the retention field in the response.

Java

For more information, see theCloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view an object's retention configuration, follow the instructions for displaying a object's metadata and look for the retention field in the response.

Node.js

For more information, see theCloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view an object's retention configuration, follow the instructions for displaying a object's metadata and look for the retention field in the response.

PHP

For more information, see theCloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view an object's retention configuration, follow the instructions for displaying a object's metadata and look for the retention field in the response.

Python

For more information, see theCloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.

To view an object's retention configuration, follow the instructions for displaying a object's metadata and look for the retention field in the response.

REST APIs

JSON API

1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Use cURL to call the JSON API with aGET Object request that includes the retention field:
   curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/OBJECT_NAME?fields=retention"
   Where:
   • BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
   • OBJECT_NAME is the name of the relevant object. For example, kitten.png.

XML API

1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Use cURL to call the XML API with aGET Object request scoped to ?retention:
   curl -X GET \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   "https://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME?retention"
   Where:
   • BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
   • OBJECT_NAME is the name of the relevant object. For example, kitten.png.

What's next

• Learn more about retention configurations.
• Learn about other features that protect your Cloud Storage data.
• Learn about Object Lifecycle Management, which can automatically delete files once they reach their retention period.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-09 UTC.