Google Cloud Storage

This page details on how to link your own Google Cloud Storage (GCS) bucket to Buildkite Package Registries, through a private storage link.

By default, Buildkite Package Registries provides its own storage (called Buildkite storage). However, linking your own GCS bucket to Package Registries lets you:

  • Keep packages and artifacts close to your geographical region for faster downloads.
  • Retain full sovereignty over your packages and artifacts, while Buildkite continues to manage their metadata and indexing.

Google Cloud's Workload Identity Federation feature

Each time Buildkite Package Registries uploads, downloads, or signs an object, the Buildkite platform presents its own OIDC token to Google Cloud's Security Token Service (STS). The STS swaps this OIDC token for a short-lived access token representing your configured Google Cloud service account. This exchange is part of Google Cloud's Workload Identity Federation feature, and allows Package Registries to perform its required actions inside your GCS bucket without the need for any storage of long-lived credentials.

Key security benefits of Workload Identity Federation:

  • No long-lived service account keys—tokens are generated when they're required and expire automatically.

  • Least-privilege access—Buildkite Package Registries only requires these Google Cloud Identity and Access Management (IAM) roles:

    • roles/storage.bucketViewer on the GCS bucket, to allow Package Registries to read the bucket's metadata.
    • roles/storage.objectUser on the GCS bucket to allow Package Registries to create, read, update, delete, and tag objects.
    • roles/iam.serviceAccountTokenCreator on the Google Cloud service account so it can create signed URLs. You can audit or revoke these at any time.
  • Full audit history—every token exchange and object access is recorded in Google Cloud service's audit logs.

Before you start

Before you begin, you'll need a GCS bucket in a Google Cloud project that Buildkite can access.

Learn more about:

Once you have a bucket, the Buildkite wizard will guide you through:

  1. Creating (or selecting) a service account for Buildkite to impersonate.
  2. Creating a Workload Identity Pool and Provider.
  3. Granting IAM roles to wire everything together.

Deleting packages

Buildkite does not delete objects straight away. When a package is removed it:

  • Adds a metadata tag of buildkite:deleted=<ISO8601_timestamp>.
  • Sets the object’s customTime field to the same timestamp.
Metadata key Value (UTC)
buildkite:deleted ISO 8601 timestamp

Create a Lifecycle rule that removes objects a set number of days after their customTime. For example, to purge 30 days after deletion:

{
  "rule": [
    {
      "action": { "type": "Delete" },
      "condition": { "daysSinceCustomTime": 30 }
    }
  ]
}