Hi,
I have an organisation with a Resource Location Restriction in europe-west3-locations applicable to all projects in the organisation. I want to set up a Storage Transfer Service job to take data from an external project (managed by an external organisation) with location in the us-central1-locations into my european buckets. We have already successfully assigned read-write permissions to the storage transfer service's service account for both locations. The data transfer works only if I modify my policy to allow resources in the US locations, otherwise the request gets blocked by the policy. Is this how this is supposed to work? I'm a bit surprised since a simple gsutil cp between the same locations is not blocked by the Resource Location Restriction. Any help appreciated.
These two links are useful to explain the behaviour.
https://cloud.google.com/storage-transfer/docs/known-limitations-transfer#locations
So, what I experience is as expected.
After a bit more research, it seems to me that this behavior may be related to the fact that the Storage Transfer Service is creating temporary resources or performing operations in the source location (in this case, us-central1-locations) during the transfer process, which triggers the organization policy and results in the blocking of the job, while gsutil cp, being a client-side tool, does not create temporary resources in the source location. It directly reads data from the source bucket and writes it to the destination bucket. But then how is one supposed to use the Storage Transfer Service without triggering the resource location organization policy?