Discover
Get started
Create buckets
Access and manage buckets
Upload and download objects
Access and manage objects
Get insights on your stored data
Cache objects
Control data lifecycles
Make requests
Secure data
Monitor data and usage
Protection, backup, and recovery
Mount buckets with Cloud Storage FUSE
Work across products, Clouds, and platforms
Troubleshoot
Stay organized with collections Save and categorize content based on your preferences.
This page describes how to use the Bucket Lock feature, including working with retention policies and permanently locking them on buckets.
Before you beginBefore you can use the Bucket Lock feature, make sure the steps in the following sections have been completed.
Get required rolesTo get the permissions that you need to use Bucket Lock, ask your administrator to grant you the Storage Admin (roles/storage.admin) role on the bucket. This predefined role contains the permissions required to use Bucket Lock. To see the exact permissions required, expand the Required permissions section:
storage.buckets.getstorage.buckets.list
storage.buckets.updateYou might also be able to get these permissions with custom roles.
For information about granting roles on buckets, see Set and manage IAM policies on buckets.
Set a retention policy on a bucketTo add, modify, or remove a retention policy on a bucket:
ConsoleIn the list of buckets, click the name of the bucket whose retention policy you want to change.
Select the Protection tab near the top of the page.
In the Retention policy section, set your retention policy:
If no retention policy currently applies to the bucket, click the add_box Set Retention Policy link. Choose a unit of time and a length of time for your retention period.
If a retention policy currently applies to a bucket, it appears in the section. Click Edit to modify the retention time or Delete to remove the retention policy entirely.
See Retention periods for information about how the Google Cloud console converts between different units of time.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command lineUse the gcloud storage buckets update command with the appropriate flag:
gcloud storage buckets update gs://BUCKET_NAME FLAG
Where:
BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
FLAG is the desired setting for the bucket's retention period. Use one of the following formats:
--retention-period and a retention period, if you want to add or change a retention policy. For example, --retention-period=1d43200s.--clear-retention-period, if you want to remove the retention policy on the bucket.If successful, the response looks like:
Updating gs://my-bucket/... Completed 1Client libraries C++
For more information, see the Cloud Storage C++ API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
C#For more information, see the Cloud Storage C# API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
GoFor more information, see the Cloud Storage Go API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
JavaFor more information, see the Cloud Storage Java API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
Node.jsFor more information, see the Cloud Storage Node.js API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
PHPFor more information, see the Cloud Storage PHP API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
PythonFor more information, see the Cloud Storage Python API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
RubyFor more information, see the Cloud Storage Ruby API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following sample sets a retention policy on a bucket:
The following sample removes the retention policy from a bucket:
REST APIs Lock a bucket Caution: Locking a bucket is an irreversible action. Once you lock a bucket:To lock a bucket and permanently restrict edits to the bucket's retention policy:
ConsoleIn the list of buckets, click the name of the bucket that you want to lock the retention policy for.
Select the Protection tab near the top of the page.
In the Retention policy section, click the Lock button.
The Lock retention policy? dialog box appears.
Read the Permanent notice.
In the Bucket name text box, type in the name of your bucket.
Click Lock policy.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command lineUse the gcloud storage buckets update command with the --lock-retention-period flag:
gcloud storage buckets update gs://BUCKET_NAME --lock-retention-period
Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
If successful, the response looks similar to the following example:
Updating gs://my-bucket/... Completed 1Client libraries C++
For more information, see the Cloud Storage C++ API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
C#For more information, see the Cloud Storage C# API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
GoFor more information, see the Cloud Storage Go API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
JavaFor more information, see the Cloud Storage Java API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Node.jsFor more information, see the Cloud Storage Node.js API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PHPFor more information, see the Cloud Storage PHP API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PythonFor more information, see the Cloud Storage Python API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
RubyFor more information, see the Cloud Storage Ruby API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
REST APIs JSON APIHave gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
Use cURL to call the JSON API with a POST Bucket request:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/lockRetentionPolicy?ifMetagenerationMatch=BUCKET_METAGENERATION_NUMBER"
Where:
BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.BUCKET_METAGENERATION_NUMBER is the metageneration value for the bucket. For example, 8. You can find the metageneration value for your bucket by calling the JSON API with a GET Bucket request.The XML API cannot be used to lock a bucket. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
View a bucket's retention policy and lock statusTo view what, if any, retention policy is set on a bucket and whether that retention policy is locked:
ConsoleClick the name of the bucket whose status you want to view.
If a bucket has a retention policy, the retention period is displayed in the Protection field for the bucket. If the retention policy is not locked, a lock icon appears next to the retention period in an unlocked state. If the retention policy is locked, a lock icon appears next to the retention period in a locked state.
Use the gcloud storage buckets describe command with the --format flag:
gcloud storage buckets describe gs://BUCKET_NAME --format="default(retention_policy)"
Where BUCKET_NAME is the name of the bucket whose retention policy you want to view. For example, my-bucket.
If successful and a retention policy exists for the bucket, the response is similar to the following:
retention_policy: effectiveTime: '2022-10-04T18:51:22.161000+00:00' retentionPeriod: '129600'
If successful and a retention policy does not exist for the bucket, the response is similar to the following:
nullClient libraries C++
For more information, see the Cloud Storage C++ API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
C#For more information, see the Cloud Storage C# API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
GoFor more information, see the Cloud Storage Go API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
JavaFor more information, see the Cloud Storage Java API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Node.jsFor more information, see the Cloud Storage Node.js API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PHPFor more information, see the Cloud Storage PHP API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
PythonFor more information, see the Cloud Storage Python API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
RubyFor more information, see the Cloud Storage Ruby API reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
REST APIs JSON APIHave gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
Use cURL to call the JSON API with a GET Bucket request that includes the desired fields:
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=retentionPolicy"
Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
If the bucket has a retention policy set on it, the response looks like the following example:
{
"retentionPolicy": {
"retentionPeriod": "TIME_IN_SECONDS",
"effectiveTime": "DATETIME",
"isLocked": "BOOLEAN"
},
}The XML API cannot be used to view the retention policy on a bucket. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
What's nextExcept as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-02 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-10-02 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.5