This article is for IT administrators who want to configure their own custom buckets for use when users create Document Management libraries using Google Cloud Storage.
If you’re using Google Cloud Storage as the storage platform for the attachments in your Document Management libraries, you have a choice between using:
- One or more AODocs Google Cloud Storage buckets
  One bucket is created for each document class in your library. A bucket is created when you create your library and each time you create a document class.
- A single custom Google Cloud Storage bucket
  A single bucket that you create and manage stores all the attachments of your library. This bucket must exist already and be correctly configured as outlined in this article.
Learn more: Define where to store the attachments in your library.
This article explains how to configure a single custom bucket for use with AODocs.
Requirements
Service agent
You must activate the Cloud Storage service agent of the project that owns the bucket. The service agent is created the first time its name is requested, for example by running gcloud storage service-agent --project=PROJECT_ID, or by calling the projects.serviceAccount.get method of the Cloud Storage JSON API. The service agent is the identity that publishes the Pub/Sub notifications described below, so it must also be allowed to publish to the notification topic (roles/pubsub.publisher).
Service account permissions
The AODocs service account depends on the AODocs instance you are using.
- aodocs-object-storage@appspot.gserviceaccount.com (US instance)
- aodocs-object-storage-eu-1@appspot.gserviceaccount.com (EU instance)
Learn more: What are AODocs instances?
The service account must have the following permissions on the bucket:
- storage.objects.create
- storage.objects.get
- storage.objects.update
- storage.objects.delete
- storage.buckets.get
To simplify the setup, you can also give the AODocs service account the following permission on the bucket: storage.buckets.update
Set these permissions in the Google Cloud console, on the bucket itself rather than at project level. Grant them through a custom IAM role that contains exactly these permissions instead of a broad predefined role such as roles/storage.admin, so the AODocs service account has no rights on other buckets in the project.
Cross-origin resource sharing (CORS) configuration
If the service account has the storage.buckets.update permission, AODocs sets the CORS configuration automatically. If it does not, set the following CORS rule on the bucket manually. The rule allows the AODocs web application to upload and download attachments directly from the browser; the origin must match the AODocs instance you use. When you set CORS with gcloud or gsutil, the configuration file must contain a JSON array with this rule as its only element.
US instance:
{
"origin": ["https://aodocs.altirnao.com"],
"method": ["POST","GET","PUT"],
"responseHeader": ["*"],
"maxAgeSeconds": 3600
}
EU instance:
{
"origin": ["https://eu.aodocs.com"],
"method": ["POST","GET","PUT"],
"responseHeader": ["*"],
"maxAgeSeconds": 3600
}
Learn more: Configure cross-origin resource sharing (CORS).
Pub/Sub notifications
If the service account has the storage.buckets.update permission, AODocs creates the Pub/Sub notification automatically. If it does not, add the following Pub/Sub notification to the bucket's configuration: the gcs_to_oss_notification topic, with the JSON_API_V1 payload format. The notification is published by the Cloud Storage service agent of the bucket's project, so that service agent must exist and have roles/pubsub.publisher on the topic, otherwise the notification is created but no events are delivered.
Learn more: Configure Pub/Sub notifications for Cloud Storage.
Versioning
Deactivate object versioning on the bucket. AODocs uses its own built-in versioning mechanism that doesn’t rely on the storage system.
Retention policy
AODocs doesn't currently support buckets with a Cloud Storage retention policy (locked or unlocked), because AODocs must be able to update and delete objects it manages. Learn more in the Google Help Center: Retention policies and retention policy locks.
However, the AODocs Retention Module lets you apply retention policies regardless of the storage platform you're using.
Encryption
You must set the bucket to use one of the following encryption options:
- Google-managed key
- Customer-Managed Encryption Key (CMEK) – learn more: Use AODocs with customer-managed encryption keys (CMEK)
Note: AODocs doesn't currently support Customer-Supplied Encryption Keys.
Set the encryption in the bucket settings in the Google Cloud Console.
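The following script is an added example, not AODocs' own tooling, that applies the requirements above with the gcloud CLI: a least-privilege custom role holding exactly the listed permissions (plus storage.buckets.update), the CORS rule for the chosen instance, object versioning switched off, and the Pub/Sub notification with the Cloud Storage service agent allowed to publish. It assumes gcloud is authenticated against the project that owns the bucket, that the gcs_to_oss_notification topic lives in that same project (if the topic belongs to another project, its owner must grant the publisher role instead), and leaves encryption at the Google-managed default. The role ID aodocsBucketAccess and the AODOCS_APPLY switch are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not AODocs' own code): provision a custom Cloud Storage bucket
# for an AODocs Document Management library, following the article's requirements.
# Assumptions: gcloud is authenticated against the bucket's project, and the
# Pub/Sub topic "gcs_to_oss_notification" exists in that same project.
set -euo pipefail

# AODocs service account per instance (values taken from the article).
aodocs_service_account() {
  case "$1" in
    us) echo "aodocs-object-storage@appspot.gserviceaccount.com" ;;
    eu) echo "aodocs-object-storage-eu-1@appspot.gserviceaccount.com" ;;
    *)  echo "unknown AODocs instance: $1" >&2; return 1 ;;
  esac
}

# Web origin per instance, used in the CORS rule (values taken from the article).
aodocs_origin() {
  case "$1" in
    us) echo "https://aodocs.altirnao.com" ;;
    eu) echo "https://eu.aodocs.com" ;;
    *)  echo "unknown AODocs instance: $1" >&2; return 1 ;;
  esac
}

# Permissions the article requires on the bucket. storage.buckets.update is
# added separately in configure_bucket so AODocs can set CORS and notifications.
AODOCS_REQUIRED_PERMISSIONS="storage.objects.create,storage.objects.get,storage.objects.update,storage.objects.delete,storage.buckets.get"

# CORS document in the shape gcloud expects: a JSON array of rules, not a bare object.
cors_json() {
  cat <<EOF
[
  {
    "origin": ["$(aodocs_origin "$1")"],
    "method": ["POST", "GET", "PUT"],
    "responseHeader": ["*"],
    "maxAgeSeconds": 3600
  }
]
EOF
}

# configure_bucket PROJECT_ID BUCKET_NAME INSTANCE(us|eu) [ROLE_ID]
configure_bucket() {
  local project="$1" bucket="$2" instance="$3" role_id="${4:-aodocsBucketAccess}"
  local sa agent cors_file
  sa="$(aodocs_service_account "$instance")"

  # 1. Custom role with exactly the needed permissions, bound on the bucket only.
  gcloud iam roles create "$role_id" --project="$project" \
    --title="AODocs bucket access" --stage=GA \
    --permissions="${AODOCS_REQUIRED_PERMISSIONS},storage.buckets.update"
  gcloud storage buckets add-iam-policy-binding "gs://$bucket" \
    --member="serviceAccount:$sa" --role="projects/$project/roles/$role_id"

  # 2. CORS rule for the AODocs web front end.
  cors_file="$(mktemp)"
  cors_json "$instance" > "$cors_file"
  gcloud storage buckets update "gs://$bucket" --cors-file="$cors_file"
  rm -f "$cors_file"

  # 3. Object versioning off: AODocs keeps its own version history.
  gcloud storage buckets update "gs://$bucket" --no-versioning

  # 4. Pub/Sub notification. Requesting the service agent's name creates it;
  #    it must be able to publish to the topic or no events are delivered.
  agent="$(gcloud storage service-agent --project="$project")"
  gcloud pubsub topics add-iam-policy-binding gcs_to_oss_notification \
    --project="$project" --member="serviceAccount:$agent" --role=roles/pubsub.publisher
  gcloud storage buckets notifications create "gs://$bucket" \
    --topic="projects/$project/topics/gcs_to_oss_notification" --payload-format=json
}

# Only touch GCP when explicitly asked, so the helpers can also be sourced and checked.
if [ "${AODOCS_APPLY:-0}" = "1" ]; then
  configure_bucket "$@"
fi
```

Run it as AODOCS_APPLY=1 ./aodocs-bucket.sh my-project my-bucket eu. The custom role is the point worth keeping even if you script the rest by hand: roles/storage.admin would give AODocs rights over every bucket in the project, while the role above is scoped to the one bucket it is bound to.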
Recommendations
For compliance and safety reasons, we recommend that only the AODocs service account has access to the bucket, and that the bucket is not publicly readable.
Giving other accounts access does not stop the integration from working, but if those accounts update or delete objects in the bucket directly, AODocs has no record of the change and the corresponding attachments become inaccessible from AODocs.
Use the custom bucket URI
You must enter the bucket's URI when you create a Document Management library in AODocs.
You can find the bucket's URI in the Google Cloud Console. The format is gs://mybucket.