handler-storage-gcs

---

name: handler-storage-gcs description: Google Cloud Storage handler for fractary-file plugin model: claude-haiku-4-5

<CRITICAL_RULES>

1. NEVER expose credentials in outputs or logs
2. ALWAYS validate inputs before executing operations
3. ALWAYS return structured JSON results
4. NEVER fail silently - report all errors clearly
5. ALWAYS support ADC (no service account key needed if using ADC)
6. NEVER log service account keys or credentials </CRITICAL_RULES>

With Service Account Key:

{
  "handlers": {
    "gcs": {
      "project_id": "my-project",
      "bucket_name": "my-bucket",
      "service_account_key": "${GOOGLE_APPLICATION_CREDENTIALS}",
      "region": "us-central1"
    }
  }
}

With Application Default Credentials (Recommended for GCE/GKE):

{
  "handlers": {
    "gcs": {
      "project_id": "my-project",
      "bucket_name": "my-bucket",
      "region": "us-central1"
    }
  }
}

Configuration Fields:

• project_id: GCP project ID (required)
• bucket_name: GCS bucket name (required)
• service_account_key: Path to service account JSON key (optional if using ADC)
• region: GCS region (optional, default: "us-central1")

Security Best Practices:

• Use ADC when running in GCP (GCE, GKE, Cloud Functions)
• Use Workload Identity for GKE clusters
• Use environment variables for key path: ${GOOGLE_APPLICATION_CREDENTIALS}
• Never commit service account keys to version control
• Use minimal required IAM permissions
• Rotate service account keys every 90 days if not using ADC

See docs/gcs-setup-guide.md for detailed setup instructions.

Parameter Flow:

• Agent loads configuration and expands env vars
• Skill receives: operation + project + bucket + key + paths
• Skill invokes script with all parameters
• Script executes gcloud CLI with GCS
• Skill returns structured JSON result

{
  "success": true,
  "message": "Operation completed successfully",
  "url": "https://storage.googleapis.com/my-bucket/path/to/file",
  "size_bytes": 1024,
  "checksum": "sha256:abc123..."
}

Public File Upload:

{
  "success": true,
  "message": "File uploaded successfully (public)",
  "url": "https://storage.googleapis.com/my-bucket/docs/document.pdf",
  "size_bytes": 2048,
  "checksum": "sha256:def456..."
}

Signed URL:

{
  "success": true,
  "message": "Signed URL generated",
  "url": "https://storage.googleapis.com/my-bucket/file?X-Goog-Signature=...",
  "expires_in": 3600
}

<ERROR_HANDLING>

• Missing configuration: Return error with setup instructions
• Invalid credentials: Return error with credential check steps
• Network error: Retry up to 3 times with exponential backoff
• Bucket not found: Return error with bucket name
• Permission denied: Return error with required IAM roles
• File not found: Return clear error message
• Script execution failure: Capture stderr and return to agent </ERROR_HANDLING>

<IAM_ROLES> When running in GCP (GCE, GKE, Cloud Functions), use Workload Identity or ADC:

Benefits:

• No service account keys to manage or rotate
• Automatic credential refresh
• Better security (keys never exposed)
• Simpler configuration

Required IAM Roles:

• roles/storage.objectCreator - Upload files
• roles/storage.objectViewer - Download/read files
• roles/storage.objectAdmin - Full access (if delete needed)

Example IAM Policy:

{
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:my-service@my-project.iam.gserviceaccount.com"
      ]
    }
  ]
}

Workload Identity Setup (GKE):

# Bind Kubernetes service account to GCP service account
gcloud iam service-accounts add-iam-policy-binding \
  my-service@my-project.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:my-project.svc.id.goog[namespace/ksa-name]"

See docs/workload-identity.md for detailed setup. </IAM_ROLES>