GCP Cloud Storage
Cloud
system_type: "gcp_storage"
Proxy Google Cloud Storage API calls for object read, write, list, and delete operations.
Overview
The GCP Cloud Storage connector proxies Google Cloud Storage JSON API v1 calls. Service account JSON credentials are sealed in QuantaVault and used to generate short-lived OAuth2 access tokens.
https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_…
Prerequisites
1. A GCP project with Cloud Storage API enabled
2. A service account with Storage Object Admin role
3. Service account JSON key file
4. A QuantaSeal API key
Configuration
Follow these steps to connect GCP Cloud Storage to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
1. In GCP Console, create a service account with Storage Object Admin role.
2. Download the JSON key file.
3. Seal: POST /api/v2/vault/seal with credential_type: custom_kv and values: {service_account_json: '<json content>'}.
4. Create integration: POST /api/v2/integrations with system_type: gcp_storage and config: {bucket: 'your-bucket', project_id: 'your-project'}.
Authentication Types
Store the service account JSON as a custom_kv credential in QuantaVault with key 'service_account_json'.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
| get_object | Download an object from a bucket. |
| put_object | Upload an object to a bucket. |
| list_objects | List objects in a bucket with optional prefix filter. |
| delete_object | Delete an object from a bucket. |
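
The request bodies for configuration steps 3 and 4, with the allowed_operations list checked against the table above, as an added example (not QuantaSeal's own code). It builds only the fields this page names and sends nothing; the placement of allowed_operations at the top level of the integration body, the helper names and the sample key file are assumptions made for illustration.

```python
import json

# Operation names from the "Available Operations" table on this page.
KNOWN_OPERATIONS = {"get_object", "put_object", "list_objects", "delete_object"}


def build_seal_request(key_file_text):
    """Body for POST /api/v2/vault/seal (step 3)."""
    key = json.loads(key_file_text)  # ValueError on a truncated or malformed file
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = {"project_id", "client_email", "private_key"} - key.keys()
    if missing:
        raise ValueError(f"key file is missing fields: {sorted(missing)}")
    # The key file travels as a string value inside the JSON body, so it is
    # serialized twice; json.dumps escapes the quotes and the PEM newlines.
    body = {"credential_type": "custom_kv",
            "values": {"service_account_json": json.dumps(key)}}
    return body, key["project_id"]


def build_integration_request(bucket, project_id, allowed_operations):
    """Body for POST /api/v2/integrations (step 4)."""
    ops = list(dict.fromkeys(allowed_operations))  # de-duplicate, keep order
    unknown = set(ops) - KNOWN_OPERATIONS
    if unknown:
        raise ValueError(f"unknown operations: {sorted(unknown)}")
    if not ops:
        raise ValueError("default-deny: an empty list permits no calls")
    return {"system_type": "gcp_storage",
            "config": {"bucket": bucket, "project_id": project_id},
            # Assumption: allowed_operations sits at the top level of the body.
            "allowed_operations": ops}


# Constructed sample key file; the private key is a placeholder, not a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "your-project",
    "client_email": "qs-proxy@your-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    seal_body, project = build_seal_request(SAMPLE_KEY_FILE)
    integ = build_integration_request("your-bucket", project, ["list_objects"])
    print(json.dumps(seal_body, indent=2))
    print(json.dumps(integ, indent=2))
```

Listing only the operations a caller needs (for example list_objects and get_object for a read-only consumer) keeps put_object and delete_object denied by the default policy.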
Code Example
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
```bash
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"integration_id":"int_GCS001","operation":"list_objects","payload":{"prefix":"reports/2026/"}}'
```
client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.
Troubleshooting
403 Access Denied
Verify the service account has Storage Object Admin role on the bucket, not just at project level.