12.2 Managing and Securing Cloud Storage Objects & Lifecycle Policies
Key Takeaways
- Uniform bucket-level access (IAM-only) is the recommended default; enabling it disables legacy per-object ACLs entirely for that bucket.
- Signed URLs grant time-boxed access to a single object for identities outside Google Cloud, capped at 7 days (604,800 seconds) under V4 signing.
- A lifecycle rule pairs AND-combined conditions (age, matchesStorageClass, numNewerVersions, and others) with one action: Delete, SetStorageClass, or AbortIncompleteMultipartUpload.
- Nearline/Coldline/Archive carry 30/90/365-day minimum storage durations; moving or deleting an object early still bills the remainder.
- Retention policies (Bucket Lock) and object holds prevent early deletion; lifecycle rules cause eventual deletion — compliance setups typically combine both.
Why This Matters for the ACE Exam
Domain 4 of the official exam guide lists two Cloud Storage bullets under "Ensuring successful operation of a cloud solution": managing and securing objects, and setting object lifecycle management policies. Chapter 4 covered choosing a storage class; this section covers what happens after data lands in a bucket — who is allowed to touch it, how to share a single file without opening the whole bucket, and how to make aging data cheaper automatically instead of manually re-uploading it every few months.
Access Control: IAM, ACLs, and Signed URLs
Cloud Storage supports two overlapping access-control systems, plus a bridge mechanism for external sharing:
- Uniform bucket-level access — the recommended default. Once enabled on a bucket, only IAM policies grant access; legacy per-object ACLs stop applying entirely, and any attempt to set or read an ACL on that bucket or its objects fails.
- Fine-grained access — the older model, where per-object access control lists (ACLs, using roles like
READERandOWNER) work alongside IAM. This is only available when uniform bucket-level access is not enabled. - Signed URLs — a way to grant time-boxed access to one specific object to a party who has no Google Cloud identity at all (a customer downloading an invoice, for example). A signed URL is neither an IAM grant nor an ACL; it is a cryptographically signed link with a built-in expiration.
| IAM role | Permission level |
|---|---|
roles/storage.admin | Full control of buckets and objects |
roles/storage.objectAdmin | Full control of objects only (create, read, delete, list) |
roles/storage.objectCreator | Upload-only — cannot read or delete existing objects |
roles/storage.objectViewer | Read-only access to objects |
For signed URLs, the current V4 signing scheme allows a maximum expiration of 604,800 seconds — 7 days — because the signing mechanism itself is only valid for that long. In practice, best practice is to use a far shorter window than the maximum: minutes for a one-time upload link, an hour or less for a download link, and never the full 7 days for anything sensitive.
Object Lifecycle Management
A lifecycle configuration is a set of independent rules attached to a bucket. Each rule pairs one or more conditions (combined with AND logic — every condition in the rule must match) with exactly one action. Multiple rules on the same bucket are evaluated independently (effectively OR'd), so a bucket commonly has several rules working together to build a full aging pipeline.
| Condition | Meaning |
|---|---|
age | Object has existed for N days since creation |
createdBefore | Object was created before a specific date |
customTimeBefore / daysSinceCustomTime | Based on a user-set Custom-Time metadata value |
isLive | True for the current (live) version, false for noncurrent versions |
matchesStorageClass | Object is currently in a specified storage class |
matchesPrefix / matchesSuffix | Object name matches a prefix or suffix pattern |
noncurrentTimeBefore / daysSinceNoncurrentTime | Based on when a versioned object became noncurrent |
numNewerVersions | At least N newer versions exist (requires object versioning) |
| Action | Effect |
|---|---|
Delete | Removes the object (subject to any active retention policy or hold) |
SetStorageClass | Transitions the object to a cheaper (or different) storage class |
AbortIncompleteMultipartUpload | Cancels stalled uploads; only usable with age, matchesPrefix, or matchesSuffix |
Two operational facts matter for scenario questions: Cloud Storage evaluates rules regularly rather than instantly, so a lifecycle configuration change can take up to 24 hours to take effect, and even once effective, the action itself runs asynchronously — there can be a lag between the moment an object meets a condition and the moment the action fires.
Storage Class Minimums and Cost
Each non-Standard class carries a minimum storage duration; deleting or transitioning an object out early still bills for the remaining minimum period as an early-deletion charge.
| Class | Minimum storage duration |
|---|---|
| Standard | None |
| Nearline | 30 days |
| Coldline | 90 days |
| Archive | 365 days |
A typical exam-style lifecycle policy tiers objects down automatically as they age:
{
"rule": [
{ "action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
"condition": {"age": 30, "matchesStorageClass": ["STANDARD"]} },
{ "action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
"condition": {"age": 90, "matchesStorageClass": ["NEARLINE"]} },
{ "action": {"type": "SetStorageClass", "storageClass": "ARCHIVE"},
"condition": {"age": 365, "matchesStorageClass": ["COLDLINE"]} },
{ "action": {"type": "Delete"},
"condition": {"age": 2555} }
]
}
Here the matchesStorageClass condition is essential — without it, an object already in Archive would keep re-matching the age: 30 rule and be pushed back down to Nearline.
Retention Policies and Holds: Not the Same as Lifecycle
A lifecycle policy eventually deletes data; a retention policy (Bucket Lock) does the opposite — it prevents deletion or overwriting of any object in the bucket until a configured retention period elapses, even by a project owner. Object holds (temporary or event-based) block deletion of a specific object regardless of any lifecycle rule, until the hold is explicitly released. Compliance scenarios often combine both: a retention policy guarantees data isn't deleted too early, while a lifecycle rule guarantees it eventually is deleted once the requirement expires.
Common Traps
- Enabling uniform bucket-level access and then trying to run an ACL command against that bucket — it fails, because ACLs are disabled entirely, not merged with IAM.
- Assuming a lifecycle action fires the instant a condition is met — configuration changes take up to 24 hours to activate, and actions run asynchronously afterward.
- Forgetting that versioning-related conditions (
numNewerVersions,isLive,noncurrentTimeBefore) only do anything on a bucket with object versioning enabled. - Treating a signed URL as equivalent to an IAM grant — it is a separate, time-limited mechanism capped at 7 days for external, identity-less sharing.
Key Takeaways
- Uniform bucket-level access (IAM-only) is the recommended default; enabling it disables legacy ACLs entirely for that bucket.
- Signed URLs grant time-boxed access to a single object for non-Google-Cloud identities and cap out at 7 days under V4 signing.
- A lifecycle rule = conditions (AND) + one action (
Delete,SetStorageClass, orAbortIncompleteMultipartUpload); rules on a bucket act independently. - Nearline/Coldline/Archive carry 30/90/365-day minimum storage durations; deleting early still bills the remainder.
- Retention policies and holds prevent early deletion; lifecycle rules cause eventual deletion — compliance setups typically use both together.
A bucket has uniform bucket-level access enabled. An administrator then tries to grant a user read access to one object using a legacy ACL. What happens?
Which lifecycle configuration automatically cancels multipart uploads that have been incomplete for more than 7 days, without touching any completed objects?
What is the maximum expiration time for a Cloud Storage signed URL generated using the current V4 signing process?