LFS HarborLFS Harbor

Set up Google Cloud Storage

Create a GCS bucket for LFS Harbor to store objects in, and generate a least-privilege service account key.

1

Create a bucket

A single-region bucket is the cheapest option — multi-region and dual-region carry a storage premium and offer redundancy you don't need for LFS objects (they're always re-pushable). Pick a region close to your development machine to minimise latency when pushing and pulling large files.

Use Standard storage class. Nearline and Coldline have lower storage costs but charge a per-GB retrieval fee that adds up quickly for frequently-accessed LFS objects.

  1. 1. Open Cloud Storage → Buckets and click Create.
  2. 2. Enter a globally unique bucket name.
  3. 3. Under Location type, choose Region and select a region near your development machine.
  4. 4. Set Storage class to Standard.
  5. 5. Under Access control, choose Uniform.
  6. 6. Leave Prevent public access enabled (default).
  7. 7. Leave versioning and lifecycle rules off. Click Create.
2

Create a service account

Create a dedicated service account for LFS Harbor. Don't reuse an existing account — a dedicated one makes it easy to rotate keys or revoke access without affecting anything else.

  1. 1. Open IAM & Admin → Service Accounts and click Create service account.
  2. 2. Set the name to lfsharbor-storage and add a description.
  3. 3. Skip the optional Permissions and Principles with access steps — you'll grant bucket-scoped access in the next step instead.
  4. 4. Click Done.
3

Grant storage access

Grant the service account the Storage Object User role (roles/storage.objectUser) scoped to the bucket only — not at the project level. This allows LFS Harbor to upload, download, and delete objects, but nothing else: no bucket configuration, no IAM, no other buckets.

  1. 1. Open your bucket in Cloud Storage → Buckets and go to the Permissions tab.
  2. 2. Click Grant access.
  3. 3. In New principals, enter the service account email: lfsharbor-storage@PROJECT_ID.iam.gserviceaccount.com. Set the role to Storage Object User.
  4. 4. Click Save.
4

Generate a private key

Generate a JSON key for the service account. LFS Harbor uses this to authenticate with GCS.

  1. 1. Open IAM & Admin → Service Accounts and click the lfsharbor-storage account.
  2. 2. Go to the Keys tab and click Add key → Create new key.
  3. 3. Choose JSON and click Create. The key file downloads automatically.
Keep this key secret. Don't commit it to version control. If it's ever exposed, delete it immediately in IAM & Admin → Service Accounts → Keys and generate a new one.
5

Add the key to LFS Harbor

Connect your GCS bucket to LFS Harbor through the dashboard.

  1. 1. Go to the LFS Harbor dashboard.
  2. 2. Click on your repository.
  3. 3. Edit the object store configuration.
  4. 4. Choose GCS as the storage provider.
  5. 5. Paste your bucket name.
  6. 6. Copy or drag and drop the service account key JSON file.
6

Set up LFS Harbor as your Git LFS server

Choose the guide that fits your situation: