# Permissions

## IAM roles and permission <a href="#iam_roles_and_permission" id="iam_roles_and_permission"></a>

To use **Google Cloud Storage** as backup storage in the **GitProtect** service, you can either assign the **Storage Admin** IAM role (`roles/storage.admin` – full control of buckets and objects) to the **GCS** identity, or, following least privilege, use a dedicated service account bound to a custom role that contains only the minimal permission set:

1. `storage.objects.list`
2. `storage.objects.get`
3. `storage.objects.create`
4. `storage.objects.delete`

***

## Support for immutable storage <a href="#support_for_immutable_storage" id="support_for_immutable_storage"></a>

{% hint style="warning" %}
Remember that immutable storage configuration is available only when creating a new bucket — there is no option to enable it for an existing bucket.
{% endhint %}

{% hint style="danger" %}
Enabling retention and/or versioning for the bucket may result in additional data being stored: non-current object versions and objects held by a retention period remain in the bucket (and are billed) after **GitProtect** has deleted them. It is recommended that the retention period in **GitProtect** be longer than the one set for the storage; otherwise, the bucket keeps accumulating data that the backup service has already expired.
{% endhint %}

If you want to use immutable storage, the following additional permissions are required. These are S3-style policy actions; in Google Cloud IAM, reading a bucket's versioning and retention configuration is a bucket-metadata read, covered by the `storage.buckets.get` permission.

{% code title="Required to read Object Lock" overflow="wrap" %}

```json
s3:GetBucketObjectLockConfiguration
```

{% endcode %}

{% code title="Required to read the versioning configuration" overflow="wrap" %}

```json
s3:GetBucketVersioning
```

{% endcode %}

{% hint style="danger" %}
Buckets with retention enabled **cannot** be used as storage for **GitProtect**.
{% endhint %}

Both actions must be added to the **Action** section of the policy; after the change, the section should look as shown below:

```json
"Action": [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration"
],
```
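The following script is an added example (not GitProtect's or Google's own code) that ties the minimal permission set above to the immutable-storage requirements: given a bucket's metadata and a role's permission list, it reports what is missing, what exceeds least privilege, and whether the bucket is usable at all. It assumes the four object permissions this page lists, plus the Cloud Storage IAM fact that versioning and retention settings are bucket metadata readable with `storage.buckets.get`. The bucket descriptions and role names are constructed inline; nothing here contacts Google Cloud.

```python
"""Least-privilege audit for a GitProtect GCS backup identity.

Added example, not GitProtect's or Google's own code. Assumes the four
object permissions this page lists as the minimal set, plus one Cloud
Storage IAM fact: a bucket's versioning and retention settings are bucket
metadata, which `storage.buckets.get` lets you read. All sample data below
is constructed; nothing here talks to Google Cloud.
"""
import json

# Object permissions the page lists as the minimal set for the backup job.
BASE_PERMISSIONS = frozenset({
    "storage.objects.list",
    "storage.objects.get",
    "storage.objects.create",
    "storage.objects.delete",
})

# Reading a bucket's versioning / retention configuration is a bucket
# metadata read; this is the GCS IAM permission that grants it.
BUCKET_METADATA_PERMISSION = "storage.buckets.get"

# Constructed sample: bucket metadata in the shape of the JSON API
# `buckets.get` response (only the fields this audit looks at).
SAMPLE_BUCKETS = {
    "plain-backups": {"name": "plain-backups", "versioning": {"enabled": False}},
    "versioned-backups": {"name": "versioned-backups", "versioning": {"enabled": True}},
    "locked-backups": {
        "name": "locked-backups",
        "versioning": {"enabled": True},
        "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True},
    },
}

# Constructed sample: `includedPermissions` of two hypothetical custom roles.
SAMPLE_ROLES = {
    "gitprotectBackupMinimal": sorted(BASE_PERMISSIONS),
    "gitprotectBackupTooBroad": sorted(BASE_PERMISSIONS | {
        "storage.buckets.get",
        "storage.buckets.delete",        # lets the backup identity destroy the bucket
        "storage.buckets.setIamPolicy",  # lets it grant itself anything else
    }),
}


def bucket_is_usable(bucket):
    """Per this page, a bucket with a retention policy cannot be GitProtect storage."""
    return "retentionPolicy" not in bucket


def required_permissions(bucket):
    """Permissions the backup identity needs for this particular bucket."""
    needed = set(BASE_PERMISSIONS)
    versioned = bucket.get("versioning", {}).get("enabled", False)
    if versioned or "retentionPolicy" in bucket:
        # GitProtect must be able to read the versioning / retention configuration.
        needed.add(BUCKET_METADATA_PERMISSION)
    return needed


def audit_role(role_permissions, bucket):
    """Compare a role's permissions with what the bucket requires.

    Returns (missing, excess): missing permissions break backups; excess
    permissions violate least privilege and should be reviewed before the
    role is bound.
    """
    granted = set(role_permissions)
    needed = required_permissions(bucket)
    return sorted(needed - granted), sorted(granted - needed)


def role_definition(bucket, role_id="gitprotectBackup"):
    """Role body for `gcloud iam roles create ROLE_ID --project PROJECT --file role.json`.

    Bind the resulting role on the bucket itself (gcloud storage buckets
    add-iam-policy-binding), not on the project, so the identity cannot reach
    other buckets.
    """
    return json.dumps({
        "title": role_id,
        "description": f"GitProtect backup access to bucket {bucket['name']}",
        "stage": "GA",
        "includedPermissions": sorted(required_permissions(bucket)),
    }, indent=2)


if __name__ == "__main__":
    for name, bucket in SAMPLE_BUCKETS.items():
        print(f"{name}: usable={bucket_is_usable(bucket)}")
        for role, perms in SAMPLE_ROLES.items():
            missing, excess = audit_role(perms, bucket)
            print(f"  {role}: missing={missing} excess={excess}")
    print(role_definition(SAMPLE_BUCKETS["versioned-backups"]))
```

Run against real data by replacing `SAMPLE_BUCKETS` with the output of `gcloud storage buckets describe gs://BUCKET --format=json` and `SAMPLE_ROLES` with the `includedPermissions` of the role you intend to bind; an `excess` list containing anything under `storage.buckets.*` beyond `get` is the signal that the role is closer to Storage Admin than to the minimal set.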

***

## Useful links and items

{% embed url="https://cloud.google.com/storage/docs/access-control/iam-roles" %}

{% embed url="https://cloud.google.com/storage/docs/access-control/using-iam-permissions#json" %}

{% embed url="https://cloud.google.com/blog/products/storage-data-transfer/protecting-cloud-storage-with-worm-key-management-and-more-updates" %}
