Google Cloud Storage
FlexFS supports Google Cloud Storage (GCS) as a block store backend using the native GCS client library. Authentication is handled via service account JSON credentials or the Application Default Credentials (ADC) chain.
Bucket creation
Create a dedicated GCS bucket for flexFS block storage:

```bash
gcloud storage buckets create gs://my-flexfs-blocks \
  --location=us-central1 \
  --uniform-bucket-level-access
```

Recommended bucket settings
- Uniform bucket-level access: Recommended. FlexFS does not use object-level ACLs.
- Public access prevention: Enable. FlexFS never requires public access.
- Versioning: Not required.
- Lifecycle rules: Not required. FlexFS manages its own block lifecycle.
- Storage class: Standard is recommended for active workloads. Nearline or Coldline may be suitable for archival volumes with infrequent access.
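The recommended settings above can be checked mechanically. The following is an added example, not flexFS code: it audits a bucket's metadata and IAM policy, both assumed to be in the Cloud Storage JSON API representation, against this list and also flags public members in the policy. The sample inputs are constructed and `audit_bucket` is a hypothetical helper name.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample input (JSON API bucket resource and IAM policy), not real data.
SAMPLE_BUCKET = json.loads("""
{
  "name": "my-flexfs-blocks",
  "location": "US-CENTRAL1",
  "storageClass": "STANDARD",
  "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": true},
    "publicAccessPrevention": "inherited"
  },
  "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 30}}]}
}
""")
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:flexfs-block-store@PROJECT_ID.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
]}
""")


def audit_bucket(bucket, policy):
    """Return findings: FAIL = public exposure risk, INFO = setting the page calls not required."""
    findings = []
    iam = bucket.get("iamConfiguration", {})
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("FAIL: uniform bucket-level access is not enabled")
    if iam.get("publicAccessPrevention") != "enforced":
        findings.append("FAIL: public access prevention is not enforced")
    if bucket.get("versioning", {}).get("enabled", False):
        findings.append("INFO: versioning is enabled but not required")
    if bucket.get("lifecycle", {}).get("rule"):
        findings.append("INFO: lifecycle rules are set; flexFS manages its own block lifecycle")
    for binding in policy.get("bindings", []):
        for member in sorted(PUBLIC_MEMBERS.intersection(binding.get("members", []))):
            findings.append(f"FAIL: {member} is granted {binding.get('role')}")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_BUCKET, SAMPLE_POLICY):
        print(finding)
```

An empty result means the bucket matches the recommended settings and has no public bindings.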
Service account
Create a service account with the minimum required permissions:

```bash
# Create the service account
gcloud iam service-accounts create flexfs-block-store \
  --display-name="flexFS Block Store"

# Grant Storage Object Admin on the bucket
gcloud storage buckets add-iam-policy-binding gs://my-flexfs-blocks \
  --member="serviceAccount:flexfs-block-store@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.objectAdmin"
```

The roles/storage.objectAdmin role grants the necessary permissions to read, write, and delete objects in the bucket.
Service account key (static credentials)
Generate a service account key in JSON format:

```bash
gcloud iam service-accounts keys create flexfs-sa-key.json \
  --iam-account=flexfs-block-store@PROJECT_ID.iam.gserviceaccount.com
```

When configuring the flexFS block store credentials:
- blockUser: Not used for GCS native authentication (leave empty)
- blockPass: The entire contents of the service account JSON key file
The JSON key is passed directly to the GCS client library for authentication.
Application Default Credentials
When no blockPass is provided, flexFS creates the GCS client without explicit credentials, which causes it to use the Application Default Credentials (ADC) chain. This supports:
- GCE instance metadata: On Compute Engine VMs, the attached service account is used automatically.
- GKE Workload Identity: On GKE, the Kubernetes service account can be bound to a GCP service account.
- GOOGLE_APPLICATION_CREDENTIALS: Set this environment variable to the path of a service account JSON key file.
- gcloud auth application-default login: For local development.
ADC is the recommended authentication method for production deployments on GCP.
HMAC keys (S3 interop)
GCS also supports authentication via HMAC keys, which provide S3-compatible access. When using HMAC keys, configure GCS as an S3-compatible store:
- API code: s3 (not gcs)
- Endpoint: https://storage.googleapis.com
- Region: The GCS region
- blockUser: HMAC access ID
- blockPass: HMAC secret
To create HMAC keys:
```bash
gcloud storage hmac create \
  flexfs-block-store@PROJECT_ID.iam.gserviceaccount.com
```

Block store configuration
When creating a block store via configure.flexfs (Enterprise) or the installer, provide:
| Field | Value |
|---|---|
| Provider | gcp |
| Region | GCS location (e.g. us-central1) |
| API | gcs |
| Bucket | Your GCS bucket name |
| Prefix | Optional key prefix for multi-tenant buckets |
| Endpoint | Leave empty for standard GCS |
| blockUser | Leave empty (not used with native GCS auth) |
| blockPass | Service account JSON key contents (or leave empty for ADC) |