# Permissions

## IAM roles and permissions <a href="#iam_roles_and_permission" id="iam_roles_and_permission"></a>

To use **Google Cloud Storage** as backup storage in the **GitProtect** service, you can either assign the **Storage Admin** IAM role (`roles/storage.admin`, full control of all buckets and objects in the project) to the **GCS** identity, or, following least privilege, create a dedicated service account and grant it (through a custom role, scoped to the backup bucket) only the minimal permission set:

1. `storage.objects.list`
2. `storage.objects.get`
3. `storage.objects.create`
4. `storage.objects.delete`

***

## Support for immutable storage <a href="#support_for_immutable_storage" id="support_for_immutable_storage"></a>

{% hint style="warning" %}
Remember that the immutable storage configuration is available only when creating a new bucket; there is no option to enable it for an existing bucket.
{% endhint %}

{% hint style="danger" %}
Enabling retention and/or versioning for the bucket may result in additional data being stored, because the bucket keeps objects (or object versions) that **GitProtect** has already expired. It is recommended that the retention period in **GitProtect** be longer than the one set for the storage. Otherwise, storage consumption keeps growing beyond what the backup set alone requires.
{% endhint %}

If you want to use immutable storage, the following permissions are additionally required. Note that the names below are the AWS S3 IAM actions used in the S3 variant of this configuration; on Google Cloud Storage both settings (retention policy and object versioning) are bucket metadata and are read with the single permission `storage.buckets.get`, which is not part of the object-level set listed above.

{% code title="Required to read Object Lock" overflow="wrap" %}

```
s3:GetBucketObjectLockConfiguration
```

{% endcode %}

{% code title="Required to read the versioning configuration" overflow="wrap" %}

```
s3:GetBucketVersioning
```

{% endcode %}

{% hint style="danger" %}
Buckets with retention enabled **cannot** be used as storage for **GitProtect**.
{% endhint %}

In an AWS IAM policy they are added to the **Action** list, which after the change looks as shown below (the first four entries are the S3 equivalents of the `storage.objects.*` permissions listed above):

```json
"Action": [
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration"
],
```
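To verify a planned grant against the requirements on this page before wiring it into **GitProtect**, the following Python script (an added example, not GitProtect's own code) compares an IAM role definition with the minimal permission set and inspects a bucket resource for the versioning and retention settings discussed above. It assumes the role is supplied in the JSON shape returned by `gcloud iam roles describe --format=json` (the `includedPermissions` field) and the bucket in the shape of the Cloud Storage JSON API Bucket resource (`versioning.enabled`, `retentionPolicy.retentionPeriod`, `retentionPolicy.isLocked`); `storage.buckets.get` is the GCS permission for reading that bucket metadata. The role and bucket documents in the script are constructed samples, not output from a real project.

```python
"""Offline check of a GCS role definition and bucket metadata against the
GitProtect storage requirements on this page. Added example, not GitProtect code."""
import json

# Object-level permissions GitProtect needs on the backup bucket (from the page).
REQUIRED_OBJECT_PERMISSIONS = frozenset({
    "storage.objects.list",
    "storage.objects.get",
    "storage.objects.create",
    "storage.objects.delete",
})
# GCS permission covering bucket metadata reads (versioning, retention policy).
# Assumption: the same service account is used to inspect these settings.
BUCKET_METADATA_PERMISSION = "storage.buckets.get"


def _required(need_bucket_metadata):
    required = set(REQUIRED_OBJECT_PERMISSIONS)
    if need_bucket_metadata:
        required.add(BUCKET_METADATA_PERMISSION)
    return required


def missing_permissions(role, need_bucket_metadata=False):
    """Required permissions absent from an IAM role definition
    (dict shaped like `gcloud iam roles describe ... --format=json`)."""
    granted = set(role.get("includedPermissions", []))
    return sorted(_required(need_bucket_metadata) - granted)


def excess_permissions(role, need_bucket_metadata=False):
    """Permissions the role grants beyond what GitProtect needs.
    A non-empty result means the grant is broader than least privilege."""
    granted = set(role.get("includedPermissions", []))
    return sorted(granted - _required(need_bucket_metadata))


def bucket_findings(bucket):
    """Inspect a Bucket resource (dict shaped like the JSON API response to
    storage.buckets.get) for the immutable-storage settings this page warns about."""
    findings = []
    retention = bucket.get("retentionPolicy")
    if retention:
        period = int(retention.get("retentionPeriod", "0"))  # seconds, as a string in the API
        locked = retention.get("isLocked", False)
        findings.append(
            f"retention policy set ({period} s, locked={locked}): "
            "bucket cannot be used as GitProtect storage")
    if bucket.get("versioning", {}).get("enabled"):
        findings.append(
            "object versioning enabled: superseded objects are kept, so keep the "
            "GitProtect retention longer than the bucket's and budget extra space")
    return findings


# Constructed sample inputs (not real output from any project).
MINIMAL_ROLE = json.loads("""{
  "name": "projects/example-project/roles/gitprotectBackup",
  "includedPermissions": [
    "storage.objects.list", "storage.objects.get",
    "storage.objects.create", "storage.objects.delete"
  ]
}""")

SAMPLE_BUCKET = json.loads("""{
  "name": "example-gitprotect-backups",
  "versioning": {"enabled": true},
  "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": false}
}""")


if __name__ == "__main__":
    print("missing:", missing_permissions(MINIMAL_ROLE, need_bucket_metadata=True))
    print("excess:", excess_permissions(MINIMAL_ROLE))
    for finding in bucket_findings(SAMPLE_BUCKET):
        print("bucket:", finding)
```

Run against the sample data, the script reports that the minimal custom role lacks `storage.buckets.get` when bucket metadata has to be read, grants nothing beyond the required set, and that the sample bucket both has a retention policy (so it cannot be used) and versioning enabled (so extra space must be budgeted). Feeding it the real `roles/storage.admin` definition shows the excess permissions that the least-privilege path avoids.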

***

## Useful links and items

{% embed url="https://cloud.google.com/storage/docs/access-control/iam-roles" %}

{% embed url="https://cloud.google.com/storage/docs/access-control/using-iam-permissions#json" %}

{% embed url="https://cloud.google.com/blog/products/storage-data-transfer/protecting-cloud-storage-with-worm-key-management-and-more-updates" %}
