Google Cloud Blob Store

Only available in Sonatype Nexus Repository Pro.

Configure the following properties when creating a new Google Cloud Storage (GCS) blob store.

  • Name

    Provide the blob store with a unique name.

  • Project ID

    A project is a container for the related resources of a Google Cloud solution. Enter the Google Cloud Project ID for the project that owns the bucket where the files are stored. Provide the identifier from the user interface, the configuration properties file, or the credentials JSON file.

    nexus.gcloud.projectId

  • Bucket

    Provide a globally unique name for the Google Cloud bucket where blobs will be stored.

    Follow the GCS naming conventions.

  • Prefix

    Provide the path within your Cloud Storage bucket where blob data should be stored.

    For example, enter "blob-data/" as the path prefix to store data in a folder named "blob-data".

  • Region (read-only)

    The value for the region is automatically taken from the region where Nexus Repository is deployed.

    When the region cannot be detected, the value is taken from the nexus.gcloud.region property from the nexus.properties file, with the default value us-central1.

  • Authentication

    Nexus Repository needs to authenticate with Google Cloud to access your GCS bucket. There are two options for authentication:

    • Use Google Application Default Credentials

      This option uses the credentials already configured in your environment, simplifying setup and enhancing security. You can also directly provide a service account key file.

      See Google's documentation about application default credentials.

    • Use a separate credential JSON file

      This option provides more granular control over authentication. You can use a dedicated service account with specific permissions for accessing your GCS bucket. Select this option to upload a service account key file (JSON) through the user interface. This service account must have permission to access your GCS bucket.

      See Google's documentation on creating and deleting service account keys.

    An HTTP proxy should not be used for authentication between Nexus Repository and GCS.

Google Cloud Storage Requirements

  • GCS is only recommended for Nexus Repository installations hosted in Google Cloud.

  • GCS should be in the same Google Cloud region as the Nexus Repository installation. Using different regions results in unacceptably slow performance.

Using a Custom Encryption Key

Data stored in a GCP bucket is encrypted by default. No action is required to use the default encryption. GCS also integrates with Cloud Key Management Service (KMS), which lets you configure a custom encryption key to use when saving blobs to the bucket.

The encryption settings may not be modified after creating the bucket. Changing encryption types leads to previously uploaded data becoming unavailable.

To use KMS-managed encryption, take the following steps:

  1. Use the Google Cloud console or Cloud KMS API to create a Cloud KMS key ring. The key ring region must correspond with where the Nexus Repository is deployed.

  2. Within the key ring, create a CryptoKey that GCS will use for encryption.

  3. Select the Enable KMS managed encryption checkbox when creating your blob store in Nexus Repository.

  4. Provide your KMS Key ID (resource name) using the following format:

    projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME

    You can obtain your KMS Key ID from the GCP console using the KMS key context menu and selecting Copy resource name. Alternatively, you can use the CLI to retrieve the KMS Key ID with a command such as the following:

      gcloud kms keys list --location <location> --keyring <keyring-name> --format="value(name)"

GCS automatically encrypts and decrypts the data using the specified CryptoKey as objects are added to or accessed from the storage, as long as the requester has the necessary permissions to use the key.
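
Because the encryption settings cannot be modified afterwards, it is worth checking the KMS Key ID before entering it in the blob store form. The following is an added example, not part of the Nexus Repository documentation or tooling: check_kms_key_id is a hypothetical helper and the sample IDs are constructed. It assumes that "correspond" means the key location equals the Nexus Repository region, and that key ring and key names are 1-63 letters, digits, underscores or hyphens.

```shell
# Added example: pre-flight check for a KMS Key ID (hypothetical helper).
# Usage: check_kms_key_id KEY_ID NEXUS_REGION [PROJECT_ID]
# Silent and returns 0 when usable; prints a reason and returns 1 otherwise.
check_kms_key_id() {
    key_id=$1; region=$2; project=${3:-}

    case $key_id in
        *[[:space:]]*) echo "contains whitespace"; return 1 ;;
        */cryptoKeyVersions/*) echo "names a key version, not the CryptoKey"; return 1 ;;
        */) echo "trailing slash"; return 1 ;;
    esac

    # Split on "/" with globbing off so "*" in bad input is not expanded.
    old_ifs=$IFS; IFS=/; set -f
    set -- $key_id
    set +f; IFS=$old_ifs

    [ $# -eq 8 ] || { echo "expected 8 path segments, got $#"; return 1; }
    if [ "$1" != projects ] || [ "$3" != locations ] ||
       [ "$5" != keyRings ] || [ "$7" != cryptoKeys ]; then
        echo "not in projects/.../locations/.../keyRings/.../cryptoKeys/... form"
        return 1
    fi
    [ -n "$2" ] || { echo "empty project ID"; return 1; }

    # Assumption: key ring and key names are 1-63 letters, digits, "_" or "-".
    for name in "$6" "$8"; do
        case $name in
            ''|*[!A-Za-z0-9_-]*) echo "invalid key ring or key name: '$name'"; return 1 ;;
        esac
        [ ${#name} -le 63 ] || { echo "name longer than 63 characters: '$name'"; return 1; }
    done

    # Assumption: "correspond" is taken to mean the same location string.
    [ "$4" = "$region" ] || { echo "key location '$4' != Nexus region '$region'"; return 1; }
    [ -z "$project" ] || [ "$2" = "$project" ] ||
        { echo "key project '$2' != expected '$project'"; return 1; }
    return 0
}

# Constructed sample IDs (not real resources), checked against region us-central1.
for id in \
    projects/demo-project/locations/us-central1/keyRings/nexus-ring/cryptoKeys/blob-key \
    projects/demo-project/locations/europe-west1/keyRings/nexus-ring/cryptoKeys/blob-key \
    projects/demo-project/locations/us-central1/keyRings/nexus-ring/cryptoKeys/blob-key/cryptoKeyVersions/1
do
    if reason=$(check_kms_key_id "$id" us-central1); then echo "OK      $id"
    else echo "REJECT  $id ($reason)"; fi
done
```

The output of the gcloud kms keys list command shown above can be passed as KEY_ID, with the region that Nexus Repository reports as NEXUS_REGION.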

Permissions Management

Ensure that the service account or user interacting with the GCS bucket has the necessary roles for Cloud KMS to allow encryption and decryption operations.

roles/cloudkms.cryptoKeyEncrypterDecrypter

Soft Quota

This section allows you to enable a soft quota for the blob store, which will raise an alert when a blob store exceeds a constraint. See Adding a Soft Quota for more information.