GCS
Google Cloud Storage store with zero runtime dependencies. Uses raw fetch against the GCS JSON API with built-in auth — Application Default Credentials (ADC) on Cloud Run / GKE, or explicit service account JWT for non-GCP environments.
Setup
- Integrated
- Bundled
Install the package:
Configure in your code:
Add to your flow.json:
Configuration
| Property | Type | Description | More |
|---|---|---|---|
bucket | string | GCS bucket name | |
prefix | string | Key prefix prepended to all store keys for scoping | |
credentials | string | object | Service account JSON (string or object). Omit for ADC on Cloud Run/GKE |
Authentication
Cloud Run / GKE (ADC)
When running on GCP infrastructure, omit credentials. The store fetches access tokens from the metadata server automatically — no configuration needed.
Non-GCP (Service Account)
Pass a service account JSON via $env. reference. The store signs JWTs locally using node:crypto and exchanges them for access tokens via Google's OAuth2 endpoint.
The GCS_SA_KEY environment variable should contain the full service account JSON (with client_email and private_key fields).
File serving pattern
The primary use case is serving static files via the file transformer:
A request to /static/walker.js looks up public/walker.js in the my-assets bucket.
Security
- Key validation: Path traversal attempts (
.., absolute paths) are rejected - Prefix scoping: The
prefixsetting restricts all operations to a subdirectory - No ambient credentials: ADC only works on GCP infrastructure; off-GCP requires explicit SA JSON
API
get() returns Buffer for compatibility with the file transformer, which uses content instanceof Buffer for Content-Length calculation.