staging, prod, staging-gcp, and prod-gcp under the same Reducto organization.
Setup
- In Studio, go to Settings → Hybrid VPC.
- Add a new environment and choose Google Cloud Storage as the provider.
- Enter the GCP region, bucket name, project ID, and optional bucket folder.
- Create a service account with access to the bucket and grant it both of these roles on the bucket:
  - roles/storage.objectAdmin: read, write, and delete objects
  - roles/storage.legacyBucketReader: read bucket metadata
- Generate a JSON key for that service account and paste it into service_account_json.
- Click Verify storage access. Reducto writes and deletes a small verification object.
- Save the configuration after verification succeeds.
| Value | Description |
|---|---|
| storage_type | Use gcs for Google Cloud Storage environments |
| region | GCP region, for example us-central1 or europe-west1 |
| bucket | GCS bucket name |
| project_id | GCP project ID that owns the bucket |
| bucket_folder | Optional key prefix for all objects |
| service_account_json | Required. Service account credentials JSON for an account with roles/storage.objectAdmin and roles/storage.legacyBucketReader on the bucket |
Security
- Scoped IAM: The service account is granted roles/storage.objectAdmin and roles/storage.legacyBucketReader on the specific bucket only
- Customer-provided credentials: You supply the service account JSON in service_account_json; scope its IAM to the single bucket and rotate the key on your own schedule
- Lifecycle management: Configure object lifecycle rules on the bucket for automatic cleanup
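
To check the scoped IAM point before pasting the key into Studio, the following added example (not part of Reducto's documentation or tooling) audits a bucket-level IAM policy in the JSON shape printed by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`. The service account email and both sample policies are constructed for illustration.

```python
# Roles the setup steps require for the service account on the bucket.
REQUIRED_ROLES = {
    "roles/storage.objectAdmin",
    "roles/storage.legacyBucketReader",
}
# Principals that make a bucket binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample data (not real accounts or buckets).
SA_EMAIL = "hybrid-storage@example-project.iam.gserviceaccount.com"
GOOD_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": [f"serviceAccount:{SA_EMAIL}"]},
]}
BAD_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/storage.admin",
     "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}


def audit_bucket_policy(policy, sa_email):
    """Return findings for a bucket IAM policy; an empty list means it matches the setup."""
    member = f"serviceAccount:{sa_email}"
    granted, findings = set(), []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = set(binding.get("members", []))
        if member in members:
            granted.add(role)
        for public in sorted(members & PUBLIC_MEMBERS):
            findings.append(f"public member {public} holds {role}")
    for role in sorted(REQUIRED_ROLES - granted):
        findings.append(f"missing required role {role}")
    for role in sorted(granted - REQUIRED_ROLES):
        findings.append(f"unexpected extra role {role}")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_bucket_policy(policy, SA_EMAIL) or "OK")
```

This covers only the bucket's own policy; roles granted to the same service account at the project level are not visible here and need a separate check.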