Use a custom bucket in Google Cloud Storage when creating a new Document Management library

This article is for IT administrators who want to configure their own custom buckets for use when users create Document Management libraries using Google Cloud Storage.

If you’re using Google Cloud Storage as the storage platform for the attachments in your Document Management libraries, you have a choice between using: 

  • One or more AODocs Google Cloud Storage buckets
    One bucket is created for each document class in your library. A bucket is created when you create your library and each time you create a document class.
  • A single custom Google Cloud Storage bucket
    A single bucket that you create and manage stores all the attachments of your library. This bucket must exist already and be correctly configured as outlined in this article.

Learn more: Define where to store the attachments in your library.

This article explains how to configure a single custom bucket for use with AODocs. 

Requirements

Service agent

You must activate the Google Cloud Storage service agent.

You can do this by requesting the service agent’s name, using this procedure.

Service account permissions

The AODocs service account (aodocs-object-storage@appspot.gserviceaccount.com) must have the following permissions on the bucket:

  • storage.objects.create
  • storage.objects.get
  • storage.objects.update
  • storage.objects.delete
  • storage.buckets.get

To simplify the setup, you can give the AODocs service account the storage.buckets.update permission on the bucket. With this permission, the CORS configuration and the Pub/Sub notifications are set automatically.

Set these permissions in the Google Cloud Platform console.

Cross-origin resource sharing (CORS) configuration

If the service account has the storage.buckets.update permission, the CORS configuration is set automatically. If this is not the case, set the following CORS configuration for the bucket manually:

{
 "origin":  ["https://aodocs.altirnao.com"],
 "method": ["POST","GET","PUT"],
 "responseHeader": ["*"],
 "maxAgeSeconds": 3600
}

Learn more: Configure cross-origin resource sharing (CORS).

Pub/Sub notifications

If the service account has the storage.buckets.update permission, the Pub/Sub notifications are set automatically. If this is not the case, add the following Pub/Sub notification to the bucket’s configuration:

Topic gcs_to_oss_notification, with the JSON_API_V1 payload format.

Learn more: Configure Pub/Sub notifications for Cloud Storage.

Retention policy

AODocs doesn’t currently support buckets with a Google Cloud Services retention policy. Learn more in the Google Help Center: Retention policies and retention policy locks.

However, the AODocs Retention Module lets you apply retention policies regardless of the storage platform you're using.

Encryption

You must set the bucket to use a Google-managed key.

Note: AODocs doesn't currently support Customer-Supplied Encryption Keys.

Set the encryption in the bucket settings in the Google Cloud Console.

Recommendations

For compliance and safety reasons, we recommend that only the AODocs service account has access to the bucket.

Giving access to other accounts will not prevent the integration from functioning in any way, but if these accounts update or delete files in the bucket, this could lead to issues within AODocs (mainly, the affected attachments would no longer be accessible).
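
The requirements and the recommendation above can be checked before the bucket is handed to AODocs. The following is an added example, not AODocs or Google code: it audits dictionaries shaped like the Cloud Storage JSON API bucket, notification and IAM policy resources. The function names, sample project, role and key names are constructed, and it does not resolve IAM roles to individual permissions.

```python
# Added example: offline audit of a bucket against this article's requirements.
# Inputs are dicts shaped like Cloud Storage JSON API resources (assumption).
AODOCS_SA = "serviceAccount:aodocs-object-storage@appspot.gserviceaccount.com"
REQUIRED_CORS = {"origin": {"https://aodocs.altirnao.com"},
                 "method": {"POST", "GET", "PUT"},
                 "responseHeader": {"*"}}

def cors_ok(entry):
    """True if one CORS entry covers the origin, methods and headers above."""
    return (all(want <= set(entry.get(key, [])) for key, want in REQUIRED_CORS.items())
            and entry.get("maxAgeSeconds") == 3600)

def audit_bucket(bucket, notifications, iam_policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not any(cors_ok(e) for e in bucket.get("cors", [])):
        findings.append("cors: required AODocs entry missing or incomplete")
    # Pub/Sub: gcs_to_oss_notification topic with the JSON_API_V1 payload format.
    if not any(n.get("topic", "").endswith("/topics/gcs_to_oss_notification")
               and n.get("payload_format") == "JSON_API_V1" for n in notifications):
        findings.append("pubsub: gcs_to_oss_notification (JSON_API_V1) not configured")
    # Retention: bucket-level retention policies are not supported by AODocs.
    if "retentionPolicy" in bucket:
        findings.append("retention: bucket has a retention policy")
    # Encryption: a default KMS key means the bucket is not on a Google-managed key.
    if bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("encryption: default KMS key set, expected Google-managed key")
    # IAM: the AODocs account must be bound; any other principal is reported.
    members = {m for b in iam_policy.get("bindings", []) for m in b.get("members", [])}
    if AODOCS_SA not in members:
        findings.append("iam: AODocs service account has no role on the bucket")
    if members - {AODOCS_SA}:
        findings.append("iam: other principals: " + ", ".join(sorted(members - {AODOCS_SA})))
    return findings

# Constructed sample input; project, role and key names are placeholders.
GOOD = ({"cors": [{"origin": ["https://aodocs.altirnao.com"], "method": ["POST", "GET", "PUT"],
                   "responseHeader": ["*"], "maxAgeSeconds": 3600}]},
        [{"topic": "//pubsub.googleapis.com/projects/example-project/topics/gcs_to_oss_notification",
          "payload_format": "JSON_API_V1"}],
        {"bindings": [{"role": "projects/example-project/roles/aodocsBucket", "members": [AODOCS_SA]}]})
BAD = ({"cors": [{"origin": ["*"], "method": ["GET"]}], "retentionPolicy": {"retentionPeriod": "86400"},
        "encryption": {"defaultKmsKeyName": "projects/example-project/locations/global/keyRings/kr/cryptoKeys/k"}},
       [],
       {"bindings": [{"role": "roles/storage.objectViewer", "members": ["user:someone@example.com"]}]})

if __name__ == "__main__":
    for name, args in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_bucket(*args) or "all checks passed")
```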

How to use the custom bucket for an AODocs library

Create a Document Management library in AODocs and enter the bucket’s URI, which you can see in the Google Cloud Console, in the Bucket name field. The format is gs://mybucket.
