google-cloud-storage 1.18.1 → 1.44.0

data/lib/google/cloud/storage/bucket.rb

@@ -109,6 +109,15 @@ module Google
           @gapi.id
         end
 
+        ##
+        # The autoclass configuration of the bucket
+        #
+        # @return [Google::Apis::StorageV1::Bucket::Autoclass]
+        #
+        def autoclass
+          @gapi.autoclass
+        end
+
         ##
         # The name of the bucket.
         #
@@ -234,7 +243,7 @@ module Google
         #   rule.action #=> "SetStorageClass"
         #   rule.storage_class #=> "COLDLINE"
         #   rule.age #=> 10
-        #   rule.matches_storage_class #=> ["MULTI_REGIONAL", "REGIONAL"]
+        #   rule.matches_storage_class #=> ["STANDARD", "NEARLINE"]
         #
         # @example Updating the bucket's lifecycle management rules in a block.
         #   require "google/cloud/storage"
@@ -279,12 +288,42 @@ module Google
         #
         # @return [String]
         #
-        # @see https://cloud.google.com/storage/docs/concepts-techniques
+        # @see https://cloud.google.com/storage/docs/locations
         #
         def location
           @gapi.location
         end
 
+        ##
+        # The bucket's location type. Location type defines the geographic
+        # placement of the bucket's data and affects cost, performance, and
+        # availability. There are three possible values:
+        #
+        #  * `region` - Lowest latency within a single region
+        #  * `multi-region` - Highest availability across largest area
+        #  * `dual-region` - High availability and low latency across 2 regions
+        #
+        # @return [String] The location type code: "region", "multi-region", or
+        #   "dual-region"
+        #
+        def location_type
+          @gapi.location_type
+        end
+
+        ##
+        # Returns the list of regional locations for custom dual-region buckets.
+        #
+        # @return [String, nil] Returns nil if the property has not been set before creation,
+        # if the bucket's resource has not been loaded from the server,
+        # or if the bucket is not a dual-regions bucket.
+
+        # @see https://cloud.google.com/storage/docs/json_api/v1/buckets and
+        # https://cloud.google.com/storage/docs/locations
+        #
+        def data_locations
+          @gapi.custom_placement_config&.data_locations
+        end
+
         ##
         # The destination bucket name for the bucket's logs.
         #
@@ -293,12 +332,15 @@ module Google
         # @see https://cloud.google.com/storage/docs/access-logs Access Logs
         #
         def logging_bucket
-          @gapi.logging.log_bucket if @gapi.logging
+          @gapi.logging&.log_bucket
         end
 
         ##
         # Updates the destination bucket for the bucket's logs.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @see https://cloud.google.com/storage/docs/access-logs Access Logs
         #
         # @param [String] logging_bucket The bucket to hold the logging output
@@ -317,7 +359,7 @@ module Google
         # @return [String]
         #
         def logging_prefix
-          @gapi.logging.log_object_prefix if @gapi.logging
+          @gapi.logging&.log_object_prefix
         end
 
         ##
@@ -328,6 +370,9 @@ module Google
         # By default, the object prefix is the name of the bucket for which the
         # logs are enabled.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @see https://cloud.google.com/storage/docs/access-logs Access Logs
         #
         # @param [String] logging_prefix The logging object prefix.
@@ -341,8 +386,9 @@ module Google
         ##
         # The bucket's storage class. This defines how objects in the bucket are
         # stored and determines the SLA and the cost of storage. Values include
-        # `MULTI_REGIONAL`, `REGIONAL`, `NEARLINE`, `COLDLINE`, and
-        # `DURABLE_REDUCED_AVAILABILITY`.
+        # `STANDARD`, `NEARLINE`, `COLDLINE`, and `ARCHIVE`. `REGIONAL`,`MULTI_REGIONAL`,
+        # and `DURABLE_REDUCED_AVAILABILITY` are supported as legacy storage
+        # classes.
         #
         # @return [String]
         #
@@ -353,11 +399,16 @@ module Google
         ##
         # Updates the bucket's storage class. This defines how objects in the
         # bucket are stored and determines the SLA and the cost of storage.
-        # Accepted values include `:multi_regional`, `:regional`, `:nearline`,
-        # and `:coldline`, as well as the equivalent strings returned by
-        # {Bucket#storage_class}. For more information, see [Storage
+        # Accepted values include `:standard`, `:nearline`, `:coldline`, and
+        # `:archive`, as well as the equivalent strings returned by
+        # {Bucket#storage_class}. `:multi_regional`, `:regional`, and
+        # `durable_reduced_availability` are accepted as legacy storage classes.
+        # For more information, see [Storage
         # Classes](https://cloud.google.com/storage/docs/storage-classes).
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @param [Symbol, String] new_storage_class Storage class of the bucket.
         #
         def storage_class= new_storage_class
@@ -365,6 +416,43 @@ module Google
           patch_gapi! :storage_class
         end
 
+        ##
+        # Whether Autoclass is enabled for the bucket.
+        #
+        # @return [Boolean]
+        #
+        def autoclass_enabled
+          @gapi.autoclass&.enabled?
+        end
+
+        ##
+        # Toggle time of the autoclass
+        #
+        # @return [DateTime]
+        #
+        def autoclass_toggle_time
+          @gapi.autoclass&.toggle_time
+        end
+
+        ##
+        # Updates bucket's autoclass configuration. This defines the default class for objects in the
+        # bucket and down/up-grades the storage class of objects based on the access patterns.
+        # Accepted values are `:false`, and `:true`.
+        #
+        # For more information, see [Storage
+        # Classes](https://cloud.google.com/storage/docs/using-autoclass).
+        #
+        # Note: Only patch requests that disable autoclass are currently supported.
+        # To enable autoclass, you must set it at bucket creation time.
+        #
+        # @param [Boolean] toggle for autoclass configuration of the bucket.
+        #
+        def autoclass_enabled= toggle
+          @gapi.autoclass ||= API::Bucket::Autoclass.new
+          @gapi.autoclass.enabled = toggle
+          patch_gapi! :autoclass
+        end
+
         ##
         # Whether [Object
         # Versioning](https://cloud.google.com/storage/docs/object-versioning)
@@ -373,7 +461,7 @@ module Google
         # @return [Boolean]
         #
         def versioning?
-          @gapi.versioning.enabled? unless @gapi.versioning.nil?
+          @gapi.versioning&.enabled?
         end
 
         ##
@@ -381,6 +469,9 @@ module Google
         # Versioning](https://cloud.google.com/storage/docs/object-versioning)
         # is enabled for the bucket.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @param [Boolean] new_versioning true if versioning is to be enabled
         #   for the bucket.
         #
@@ -403,12 +494,15 @@ module Google
         # @return [String] The main page suffix.
         #
         def website_main
-          @gapi.website.main_page_suffix if @gapi.website
+          @gapi.website&.main_page_suffix
         end
 
         ##
         # Updates the main page suffix for a static website.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @see https://cloud.google.com/storage/docs/website-configuration#step4
         #   How to Host a Static Website
         #
@@ -430,7 +524,7 @@ module Google
         # @return [String]
         #
         def website_404
-          @gapi.website.not_found_page if @gapi.website
+          @gapi.website&.not_found_page
         end
 
         ##
@@ -448,6 +542,9 @@ module Google
         ##
         # Updates the hash of user-provided labels.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @param [Hash(String => String)] labels The user-provided labels.
         #
         def labels= labels
@@ -459,6 +556,9 @@ module Google
         # Updates the page returned from a static website served from the bucket
         # when a site visitor requests a resource that does not exist.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @see https://cloud.google.com/storage/docs/website-configuration#step4
         #   How to Host a Static Website
         #
@@ -479,7 +579,7 @@ module Google
         #   the bucket.
         #
         def requester_pays
-          @gapi.billing.requester_pays if @gapi.billing
+          @gapi.billing&.requester_pays
         end
         alias requester_pays? requester_pays
 
@@ -490,6 +590,9 @@ module Google
         # {Project#bucket} and {Project#buckets} to indicate the project to
         # which the access costs should be billed.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @param [Boolean] new_requester_pays When set to `true`, requester pays
         #   is enabled for the bucket.
         #
@@ -531,14 +634,18 @@ module Google
         #   bucket.default_kms_key #=> kms_key_name
         #
         def default_kms_key
-          @gapi.encryption && @gapi.encryption.default_kms_key_name
+          @gapi.encryption&.default_kms_key_name
         end
 
         ##
         # Set the Cloud KMS encryption key that will be used to protect files.
         # For example: `projects/a/locations/b/keyRings/c/cryptoKeys/d`
         #
-        # @param [String] new_default_kms_key New Cloud KMS key name.
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
+        # @param [String, nil] new_default_kms_key New Cloud KMS key name, or
+        #   `nil` to delete the Cloud KMS encryption key.
         #
         # @example
         #   require "google/cloud/storage"
@@ -552,6 +659,15 @@ module Google
         #
         #   bucket.default_kms_key = kms_key_name
         #
+        # @example Delete the default Cloud KMS encryption key:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.default_kms_key = nil
+        #
         def default_kms_key= new_default_kms_key
           @gapi.encryption = API::Bucket::Encryption.new \
             default_kms_key_name: new_default_kms_key
@@ -570,7 +686,7 @@ module Google
         #   retention policy exists for the bucket.
         #
         def retention_period
-          @gapi.retention_policy && @gapi.retention_policy.retention_period
+          @gapi.retention_policy&.retention_period
         end
 
         ##
@@ -588,6 +704,9 @@ module Google
         # See also: {#lock_retention_policy!}, {#retention_period},
         # {#retention_effective_at}, and {#retention_policy_locked?}.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @param [Integer, nil] new_retention_period The retention period
         #   defined in seconds. The value must be between 0 and 100 years (in
         #   seconds), or `nil`.
@@ -629,7 +748,7 @@ module Google
         #   policy, if a policy exists.
         #
         def retention_effective_at
-          @gapi.retention_policy && @gapi.retention_policy.effective_time
+          @gapi.retention_policy&.effective_time
         end
 
         ##
@@ -686,6 +805,9 @@ module Google
         #
         # See {File#event_based_hold?} and {File#set_event_based_hold!}.
         #
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
         # @param [Boolean] new_default_event_based_hold The default event-based
         #   hold field for the bucket.
         #
@@ -761,20 +883,12 @@ module Google
         end
 
         ##
-        # Whether the bucket's file IAM configuration enables Bucket Policy
-        # Only. The default is false. This value can be modified by calling
-        # {Bucket#policy_only=}.
-        #
-        # If true, access checks only use bucket-level IAM policies or above,
-        # all object ACLs within the bucket are no longer evaluated, and
-        # access-control is configured solely through the bucket's IAM policy.
-        # Any requests which attempt to use the ACL API to view or manipulate
-        # ACLs will fail with 400 errors.
+        # Whether the bucket's file IAM configuration enables uniform bucket-level access. The default is false. This
+        # value can be modified by calling {Bucket#uniform_bucket_level_access=}.
         #
-        # @return [Boolean] Returns `false` if the bucket has no IAM
-        #   configuration or if Bucket Policy Only is not enabled in the IAM
-        #   configuration. Returns `true` if Bucket Policy Only is enabled in
-        #   the IAM configuration.
+        # @return [Boolean] Returns `false` if the bucket has no IAM configuration or if uniform bucket-level access is
+        #   not enabled in the IAM configuration. Returns `true` if uniform bucket-level access is enabled in the IAM
+        #   configuration.
         #
         # @example
         #   require "google/cloud/storage"
@@ -783,30 +897,30 @@ module Google
         #
         #   bucket = storage.bucket "my-bucket"
         #
-        #   bucket.policy_only = true
-        #   bucket.policy_only? # true
+        #   bucket.uniform_bucket_level_access = true
+        #   bucket.uniform_bucket_level_access? # true
         #
-        def policy_only?
-          return false unless @gapi.iam_configuration &&
-                              @gapi.iam_configuration.bucket_policy_only
-          !@gapi.iam_configuration.bucket_policy_only.enabled.nil? &&
-            @gapi.iam_configuration.bucket_policy_only.enabled
+        def uniform_bucket_level_access?
+          return false unless @gapi.iam_configuration&.uniform_bucket_level_access
+          !@gapi.iam_configuration.uniform_bucket_level_access.enabled.nil? &&
+            @gapi.iam_configuration.uniform_bucket_level_access.enabled
         end
 
         ##
-        # If enabled, access checks only use bucket-level IAM policies or above,
-        # all object ACLs within the bucket are no longer evaluated, and
-        # access-control is configured solely through the bucket's IAM policy.
-        # Any requests which attempt to use the ACL API to view or manipulate
-        # ACLs will fail with 400 errors.
+        # Sets whether uniform bucket-level access is enabled for this bucket. When this is enabled, access to the
+        # bucket will be configured through IAM, and legacy ACL policies will not work. When it is first enabled,
+        # {#uniform_bucket_level_access_locked_at} will be set by the API automatically. The uniform bucket-level access
+        # can then be disabled until the time specified, after which it will become immutable and calls to change it
+        # will fail. If uniform bucket-level access is enabled, calls to access legacy ACL information will fail.
         #
-        # Before enabling Bucket Policy Only please review [feature
-        # documentation](https://cloud.google.com/storage/docs/bucket-policy-only),
-        # as well as [Should you use Bucket Policy
-        # Only?](https://cloud.google.com/storage/docs/bucket-policy-only#should-you-use).
+        # Before enabling uniform bucket-level access please review [uniform bucket-level
+        # access](https://cloud.google.com/storage/docs/uniform-bucket-level-access).
         #
-        # @param [Boolean] new_policy_only When set to `true`, Bucket Policy
-        #   Only is enabled in the bucket's IAM configuration.
+        # To pass metageneration preconditions, call this method within a
+        # block passed to {#update}.
+        #
+        # @param [Boolean] new_uniform_bucket_level_access When set to `true`, uniform bucket-level access is enabled in
+        #   the bucket's IAM configuration.
         #
         # @example
         #   require "google/cloud/storage"
@@ -815,31 +929,29 @@ module Google
         #
         #   bucket = storage.bucket "my-bucket"
         #
-        #   bucket.policy_only = true
-        #   bucket.policy_only? # true
+        #   bucket.uniform_bucket_level_access = true
+        #   bucket.uniform_bucket_level_access? # true
         #
         #   bucket.default_acl.public! # Google::Cloud::InvalidArgumentError
         #
-        #   # The deadline for disabling Bucket Policy Only.
-        #   puts bucket.policy_only_locked_at
+        #   # The deadline for disabling uniform bucket-level access.
+        #   puts bucket.uniform_bucket_level_access_locked_at
         #
-        def policy_only= new_policy_only
-          @gapi.iam_configuration ||= API::Bucket::IamConfiguration.new \
-            bucket_policy_only: \
-              API::Bucket::IamConfiguration::BucketPolicyOnly.new
-          @gapi.iam_configuration.bucket_policy_only.enabled = new_policy_only
+        def uniform_bucket_level_access= new_uniform_bucket_level_access
+          @gapi.iam_configuration ||= API::Bucket::IamConfiguration.new
+          @gapi.iam_configuration.uniform_bucket_level_access ||= \
+            API::Bucket::IamConfiguration::UniformBucketLevelAccess.new
+          @gapi.iam_configuration.uniform_bucket_level_access.enabled = new_uniform_bucket_level_access
           patch_gapi! :iam_configuration
         end
 
         ##
-        # The deadline time for disabling Bucket Policy Only by calling
-        # {Bucket#policy_only=}. After the locked time the Bucket Policy Only
-        # setting cannot be changed from true to false. Corresponds to the
-        # property `locked_time`.
+        # The deadline time for disabling uniform bucket-level access by calling {Bucket#uniform_bucket_level_access=}.
+        # After the locked time the uniform bucket-level access setting cannot be changed from true to false.
+        # Corresponds to the property `locked_time`.
         #
-        # @return [DateTime, nil] The deadline time for changing
-        #   {Bucket#policy_only=} from true to false, or `nil` if
-        #   {Bucket#policy_only?} is false.
+        # @return [DateTime, nil] The deadline time for changing {Bucket#uniform_bucket_level_access=} from true to
+        #   false, or `nil` if {Bucket#uniform_bucket_level_access?} is false.
         #
         # @example
         #   require "google/cloud/storage"
@@ -848,15 +960,195 @@ module Google
         #
         #   bucket = storage.bucket "my-bucket"
         #
-        #   bucket.policy_only = true
+        #   bucket.uniform_bucket_level_access = true
+        #
+        #   # The deadline for disabling uniform bucket-level access.
+        #   puts bucket.uniform_bucket_level_access_locked_at
         #
-        #   # The deadline for disabling Bucket Policy Only.
-        #   puts bucket.policy_only_locked_at
+        def uniform_bucket_level_access_locked_at
+          return nil unless @gapi.iam_configuration&.uniform_bucket_level_access
+          @gapi.iam_configuration.uniform_bucket_level_access.locked_time
+        end
+
+        ##
+        # @deprecated Use {#uniform_bucket_level_access?} instead.
+        #
+        def policy_only?
+          uniform_bucket_level_access?
+        end
+
+        ##
+        # @deprecated Use {#uniform_bucket_level_access=} instead.
+        #
+        def policy_only= new_policy_only
+          self.uniform_bucket_level_access = new_policy_only
+        end
+
+        ##
+        # @deprecated Use {#uniform_bucket_level_access_locked_at} instead.
         #
         def policy_only_locked_at
-          return nil unless @gapi.iam_configuration &&
-                            @gapi.iam_configuration.bucket_policy_only
-          @gapi.iam_configuration.bucket_policy_only.locked_time
+          uniform_bucket_level_access_locked_at
+        end
+
+        ##
+        # The value for Public Access Prevention in the bucket's IAM configuration. Currently, `inherited` and
+        # `enforced` are supported. When set to `enforced`, Public Access Prevention is enforced in the bucket's IAM
+        # configuration. This value can be modified by calling {#public_access_prevention=}.
+        #
+        # @return [String, nil] Currently, `inherited` and `enforced` are supported. Returns `nil` if the bucket has
+        #    no IAM configuration.
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.public_access_prevention = :enforced
+        #   bucket.public_access_prevention #=> "enforced"
+        #
+        def public_access_prevention
+          @gapi.iam_configuration&.public_access_prevention
+        end
+
+        ##
+        # Sets the value for Public Access Prevention in the bucket's IAM configuration. This value can be queried by
+        # calling {#public_access_prevention}.
+        #
+        # @param [Symbol, String] new_public_access_prevention The bucket's new Public Access Prevention configuration.
+        #   Currently, `inherited` and `enforced` are supported. When set to `enforced`, Public Access
+        #   Prevention is enforced in the bucket's IAM configuration.
+        #
+        # @example Set Public Access Prevention to enforced:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.public_access_prevention = :enforced
+        #   bucket.public_access_prevention #=> "enforced"
+        #
+        # @example Set Public Access Prevention to inherited:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.public_access_prevention = :inherited
+        #   bucket.public_access_prevention #=> "inherited"
+        #
+        def public_access_prevention= new_public_access_prevention
+          @gapi.iam_configuration ||= API::Bucket::IamConfiguration.new
+          @gapi.iam_configuration.public_access_prevention = new_public_access_prevention.to_s
+          patch_gapi! :iam_configuration
+        end
+
+        ##
+        # Whether the bucket's file IAM configuration enforces Public Access Prevention. The default is `false`. This
+        # value can be modified by calling {Bucket#public_access_prevention=}.
+        #
+        # @return [Boolean] Returns `false` if the bucket has no IAM configuration or if Public Access Prevention is
+        #   not `enforced` in the IAM configuration. Returns `true` if Public Access Prevention is `enforced` in the IAM
+        #   configuration.
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.public_access_prevention = :enforced
+        #   bucket.public_access_prevention_enforced? # true
+        #
+        def public_access_prevention_enforced?
+          return false unless @gapi.iam_configuration&.public_access_prevention
+          @gapi.iam_configuration.public_access_prevention.to_s == "enforced"
+        end
+
+        ##
+        # Whether the value for Public Access Prevention in the bucket's IAM configuration is `inherited`. The default
+        # is `false`. This value can be modified by calling {Bucket#public_access_prevention=}.
+        #
+        # @return [Boolean] Returns `false` if the bucket has no IAM configuration or if Public Access Prevention is
+        #   not `inherited` in the IAM configuration. Returns `true` if Public Access Prevention is `inherited` in
+        #   the IAM configuration.
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.public_access_prevention = :inherited
+        #   bucket.public_access_prevention_inherited? # true
+        #
+        def public_access_prevention_inherited?
+          return false unless @gapi.iam_configuration&.public_access_prevention
+          ["inherited", "unspecified"].include? @gapi.iam_configuration.public_access_prevention.to_s
+        end
+
+        alias public_access_prevention_unspecified? public_access_prevention_inherited?
+
+        ##
+        # Recovery Point Objective (RPO) is another attribute of a bucket, it measures how long it takes for a set of
+        # updates to be asynchronously copied to the other region.
+        # Currently, `DEFAULT` and `ASYNC_TURBO` are supported. When set to `ASYNC_TURBO`, Turbo Replication is enabled
+        # for a bucket. `DEFAULT` is used to reset rpo on an existing bucket with rpo set to `ASYNC_TURBO`.
+        # This value can be modified by calling {#rpo=}.
+        #
+        # @return [String, nil] Currently, `DEFAULT` and `ASYNC_TURBO` are supported. Returns `nil` if the bucket has
+        #    no RPO.
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.rpo = :DEFAULT
+        #   bucket.rpo #=> "DEFAULT"
+        #
+        def rpo
+          @gapi.rpo
+        end
+
+        ##
+        # Sets the value for Recovery Point Objective (RPO) in the bucket. This value can be queried by calling {#rpo}.
+        #
+        # @param [Symbol, String] new_rpo The bucket's new Recovery Point Objective metadata.
+        #   Currently, `DEFAULT` and `ASYNC_TURBO` are supported. When set to `ASYNC_TURBO`, Turbo Replication
+        #   is enabled for a bucket.
+        #
+        # @example Set RPO to DEFAULT:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.rpo = :DEFAULT
+        #   bucket.rpo #=> "DEFAULT"
+        #
+        # @example Set RPO to ASYNC_TURBO:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.rpo = :ASYNC_TURBO
+        #   bucket.rpo #=> "ASYNC_TURBO"
+        #
+        def rpo= new_rpo
+          @gapi.rpo = new_rpo&.to_s
+          patch_gapi! :rpo
         end
 
         ##
@@ -869,6 +1161,12 @@ module Google
         # completely mutable and will be included in the request. (See
         # {Bucket::Cors})
         #
+        # @param [Integer] if_metageneration_match Makes the operation conditional
+        #   on whether the bucket's current metageneration matches the given value.
+        # @param [Integer] if_metageneration_not_match Makes the operation
+        #   conditional on whether the bucket's current metageneration does not
+        #   match the given value.
+        #
         # @yield [bucket] a block yielding a delegate object for updating the
         #   file
         #
@@ -900,14 +1198,27 @@ module Google
         #     end
         #   end
         #
-        def update
+        # @example With a `if_metageneration_match` precondition:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   bucket.update if_metageneration_match: 6 do |b|
+        #     b.website_main = "index.html"
+        #   end
+        #
+        def update if_metageneration_match: nil, if_metageneration_not_match: nil
           updater = Updater.new @gapi
           yield updater
           # Add check for mutable cors
           updater.check_for_changed_labels!
           updater.check_for_mutable_cors!
           updater.check_for_mutable_lifecycle!
-          patch_gapi! updater.updates unless updater.updates.empty?
+          return if updater.updates.empty?
+          update_gapi! updater.updates,
+                       if_metageneration_match: if_metageneration_match,
+                       if_metageneration_not_match: if_metageneration_not_match
         end
 
         ##
@@ -917,6 +1228,12 @@ module Google
         # The API call to delete the bucket may be retried under certain
         # conditions. See {Google::Cloud#storage} to control this behavior.
         #
+        # @param [Integer] if_metageneration_match Makes the operation conditional
+        #   on whether the bucket's current metageneration matches the given value.
+        # @param [Integer] if_metageneration_not_match Makes the operation
+        #   conditional on whether the bucket's current metageneration does not
+        #   match the given value.
+        #
         # @return [Boolean] Returns `true` if the bucket was deleted.
         #
         # @example
@@ -927,10 +1244,12 @@ module Google
         #   bucket = storage.bucket "my-bucket"
         #   bucket.delete
         #
-        def delete
+        def delete if_metageneration_match: nil, if_metageneration_not_match: nil
           ensure_service!
-          service.delete_bucket name, user_project: user_project
-          true
+          service.delete_bucket name,
+                                if_metageneration_match: if_metageneration_match,
+                                if_metageneration_not_match: if_metageneration_not_match,
+                                user_project: user_project
         end
 
         ##
@@ -1004,6 +1323,19 @@ module Google
         # @param [String] path Name (path) of the file.
         # @param [Integer] generation When present, selects a specific revision
         #   of this object. Default is the latest version.
+        # @param [Integer] if_generation_match Makes the operation conditional
+        #   on whether the file's current generation matches the given value.
+        #   Setting to 0 makes the operation succeed only if there are no live
+        #   versions of the file.
+        # @param [Integer] if_generation_not_match Makes the operation conditional
+        #   on whether the file's current generation does not match the given
+        #   value. If no live file exists, the precondition fails. Setting to 0
+        #   makes the operation succeed only if there is a live version of the file.
+        # @param [Integer] if_metageneration_match Makes the operation conditional
+        #   on whether the file's current metageneration matches the given value.
+        # @param [Integer] if_metageneration_not_match Makes the operation
+        #   conditional on whether the file's current metageneration does not
+        #   match the given value.
         # @param [Boolean] skip_lookup Optionally create a Bucket object
         #   without verifying the bucket resource exists on the Storage service.
         #   Calls made on this object will raise errors if the bucket resource
@@ -1025,7 +1357,14 @@ module Google
         #   file = bucket.file "path/to/my-file.ext"
         #   puts file.name
         #
-        def file path, generation: nil, skip_lookup: nil, encryption_key: nil
+        def file path,
+                 generation: nil,
+                 if_generation_match: nil,
+                 if_generation_not_match: nil,
+                 if_metageneration_match: nil,
+                 if_metageneration_not_match: nil,
+                 skip_lookup: nil,
+                 encryption_key: nil
           ensure_service!
           if skip_lookup
             return File.new_lazy name, path, service,
@@ -1033,6 +1372,10 @@ module Google
                                  user_project: user_project
           end
           gapi = service.get_file name, path, generation: generation,
+                                              if_generation_match: if_generation_match,
+                                              if_generation_not_match: if_generation_not_match,
+                                              if_metageneration_match: if_metageneration_match,
+                                              if_metageneration_not_match: if_metageneration_not_match,
                                               key: encryption_key,
                                               user_project: user_project
           File.from_gapi gapi, service, user_project: user_project
@@ -1102,16 +1445,39 @@ module Google
         # @param [String] content_type The
         #   [Content-Type](https://tools.ietf.org/html/rfc2616#section-14.17)
         #   response header to be returned when the file is downloaded.
+        # @param [DateTime] custom_time A custom time specified by the user for
+        #   the file. Once set, custom_time can't be unset, and it can only be
+        #   changed to a time in the future. If custom_time must be unset, you
+        #   must either perform a rewrite operation, or upload the data again
+        #   and create a new file.
+        # @param [Symbol, nil] checksum The type of checksum for the client to
+        #   automatically calculate and send with the create request to verify
+        #   the integrity of the object. If provided, Cloud Storage will only
+        #   create the file if the value calculated by the client matches the
+        #   value calculated by the service.
+        #
+        #   Acceptable values are:
+        #
+        #   * `md5` - Calculate and provide a checksum using the MD5 hash.
+        #   * `crc32c` - Calculate and provide a checksum using the CRC32c hash.
+        #   * `all` - Calculate and provide checksums for all available verifications.
+        #
+        #   Optional. The default is `nil`. Do not provide if also providing a
+        #   corresponding `crc32c` or `md5` argument. See
+        #   [Validation](https://cloud.google.com/storage/docs/hashes-etags)
+        #   for more information.
         # @param [String] crc32c The CRC32c checksum of the file data, as
         #   described in [RFC 4960, Appendix
         #   B](http://tools.ietf.org/html/rfc4960#appendix-B).
         #   If provided, Cloud Storage will only create the file if the value
-        #   matches the value calculated by the service. See
+        #   matches the value calculated by the service. Do not provide if also
+        #   providing a `checksum: :crc32c` or `checksum: :all` argument. See
         #   [Validation](https://cloud.google.com/storage/docs/hashes-etags)
         #   for more information.
         # @param [String] md5 The MD5 hash of the file data. If provided, Cloud
         #   Storage will only create the file if the value matches the value
-        #   calculated by the service. See
+        #   calculated by the service. Do not provide if also providing a
+        #   `checksum: :md5` or `checksum: :all` argument. See
         #   [Validation](https://cloud.google.com/storage/docs/hashes-etags) for
         #   more information.
         # @param [Hash] metadata A hash of custom, user-provided web-safe keys
@@ -1119,10 +1485,12 @@ module Google
         #   file as "x-goog-meta-" response headers.
         # @param [Symbol, String] storage_class Storage class of the file.
         #   Determines how the file is stored and determines the SLA and the
-        #   cost of storage. Accepted values include `:multi_regional`,
-        #   `:regional`, `:nearline`, and `:coldline`, as well as the equivalent
-        #   strings returned by {#storage_class}. For more information, see
-        #   [Storage Classes](https://cloud.google.com/storage/docs/storage-classes)
+        #   cost of storage. Accepted values include `:standard`, `:nearline`,
+        #   `:coldline`, and `:archive`, as well as the equivalent strings
+        #   returned by {#storage_class}. `:multi_regional`, `:regional`, and
+        #   `durable_reduced_availability` are accepted legacy storage classes.
+        #   For more information, see [Storage
+        #   Classes](https://cloud.google.com/storage/docs/storage-classes)
         #   and [Per-Object Storage
         #   Class](https://cloud.google.com/storage/docs/per-object-storage-class).
         #   The default value is the default storage class for the bucket.
@@ -1136,6 +1504,19 @@ module Google
         #   the same location as the bucket.The Service Account associated with
         #   your project requires access to this encryption key. Do not provide
         #   if `encryption_key` is used.
+        # @param [Integer] if_generation_match Makes the operation conditional
+        #   on whether the file's current generation matches the given value.
+        #   Setting to 0 makes the operation succeed only if there are no live
+        #   versions of the file.
+        # @param [Integer] if_generation_not_match Makes the operation conditional
+        #   on whether the file's current generation does not match the given
+        #   value. If no live file exists, the precondition fails. Setting to 0
+        #   makes the operation succeed only if there is a live version of the file.
+        # @param [Integer] if_metageneration_match Makes the operation conditional
+        #   on whether the file's current metageneration matches the given value.
+        # @param [Integer] if_metageneration_not_match Makes the operation
+        #   conditional on whether the file's current metageneration does not
+        #   match the given value.
         #
         # @return [Google::Cloud::Storage::File]
         #
@@ -1219,29 +1600,59 @@ module Google
         #   file.download "path/to/downloaded/gzipped.txt",
         #                 skip_decompress: true
         #
-        def create_file file, path = nil, acl: nil, cache_control: nil,
-                        content_disposition: nil, content_encoding: nil,
-                        content_language: nil, content_type: nil,
-                        crc32c: nil, md5: nil, metadata: nil,
-                        storage_class: nil, encryption_key: nil, kms_key: nil,
-                        temporary_hold: nil, event_based_hold: nil
+        def create_file file,
+                        path = nil,
+                        acl: nil,
+                        cache_control: nil,
+                        content_disposition: nil,
+                        content_encoding: nil,
+                        content_language: nil,
+                        content_type: nil,
+                        custom_time: nil,
+                        checksum: nil,
+                        crc32c: nil,
+                        md5: nil,
+                        metadata: nil,
+                        storage_class: nil,
+                        encryption_key: nil,
+                        kms_key: nil,
+                        temporary_hold: nil,
+                        event_based_hold: nil,
+                        if_generation_match: nil,
+                        if_generation_not_match: nil,
+                        if_metageneration_match: nil,
+                        if_metageneration_not_match: nil
           ensure_service!
-          options = { acl: File::Acl.predefined_rule_for(acl), md5: md5,
-                      cache_control: cache_control, content_type: content_type,
-                      content_disposition: content_disposition, crc32c: crc32c,
-                      content_encoding: content_encoding, metadata: metadata,
-                      content_language: content_language, key: encryption_key,
-                      kms_key: kms_key,
-                      storage_class: storage_class_for(storage_class),
-                      temporary_hold: temporary_hold,
-                      event_based_hold: event_based_hold,
-                      user_project: user_project }
           ensure_io_or_file_exists! file
           path ||= file.path if file.respond_to? :path
           path ||= file if file.is_a? String
           raise ArgumentError, "must provide path" if path.nil?
-
-          gapi = service.insert_file name, file, path, options
+          crc32c = crc32c_for file, checksum, crc32c
+          md5 = md5_for file, checksum, md5
+
+          gapi = service.insert_file name,
+                                     file,
+                                     path,
+                                     acl: File::Acl.predefined_rule_for(acl),
+                                     md5: md5,
+                                     cache_control: cache_control,
+                                     content_type: content_type,
+                                     custom_time: custom_time,
+                                     content_disposition: content_disposition,
+                                     crc32c: crc32c,
+                                     content_encoding: content_encoding,
+                                     metadata: metadata,
+                                     content_language: content_language,
+                                     key: encryption_key,
+                                     kms_key: kms_key,
+                                     storage_class: storage_class_for(storage_class),
+                                     temporary_hold: temporary_hold,
+                                     event_based_hold: event_based_hold,
+                                     if_generation_match: if_generation_match,
+                                     if_generation_not_match: if_generation_not_match,
+                                     if_metageneration_match: if_metageneration_match,
+                                     if_metageneration_not_match: if_metageneration_not_match,
+                                     user_project: user_project
           File.from_gapi gapi, service, user_project: user_project
         end
         alias upload_file create_file
@@ -1285,6 +1696,16 @@ module Google
         #   used. All source files must have been encrypted with the same key,
         #   and the resulting destination file will also be encrypted with the
         #   key.
+        # @param [Array<Integer>] if_source_generation_match Makes the operation
+        #   conditional on whether the source files' current generations match the
+        #   given values. The list must match `sources` item-to-item.
+        # @param [Integer] if_generation_match Makes the operation conditional
+        #   on whether the destination file's current generation matches the
+        #   given value. Setting to 0 makes the operation succeed only if there
+        #   are no live versions of the file.
+        # @param [Integer] if_metageneration_match Makes the operation conditional
+        #   on whether the destination file's current metageneration matches the
+        #   given value.
         #
         # @yield [file] A block yielding a delegate file object for setting the
         #   properties of the destination file.
@@ -1333,16 +1754,19 @@ module Google
         #
         #   new_file = bucket.compose [file_1, file_2], "path/to/new-file.ext"
         #
-        def compose sources, destination, acl: nil, encryption_key: nil
+        def compose sources,
+                    destination,
+                    acl: nil,
+                    encryption_key: nil,
+                    if_source_generation_match: nil,
+                    if_generation_match: nil,
+                    if_metageneration_match: nil
           ensure_service!
           sources = Array sources
           if sources.size < 2
             raise ArgumentError, "must provide at least two source files"
           end
 
-          options = { acl: File::Acl.predefined_rule_for(acl),
-                      key: encryption_key,
-                      user_project: user_project }
           destination_gapi = nil
           if block_given?
             destination_gapi = API::Object.new
@@ -1350,8 +1774,18 @@ module Google
             yield updater
             updater.check_for_changed_metadata!
           end
-          gapi = service.compose_file name, sources, destination,
-                                      destination_gapi, options
+
+          acl_rule = File::Acl.predefined_rule_for acl
+          gapi = service.compose_file name,
+                                      sources,
+                                      destination,
+                                      destination_gapi,
+                                      acl: acl_rule,
+                                      key: encryption_key,
+                                      if_source_generation_match: if_source_generation_match,
+                                      if_generation_match: if_generation_match,
+                                      if_metageneration_match: if_metageneration_match,
+                                      user_project: user_project
           File.from_gapi gapi, service, user_project: user_project
         end
         alias compose_file compose
@@ -1373,7 +1807,7 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/access-control/signed-urls
         #   Signed URLs guide
@@ -1400,10 +1834,22 @@ module Google
         #   use the signed URL.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
         # @param [Hash] query Query string parameters to include in the signed
         #   URL. The given parameters are not verified by the signature.
         #
@@ -1412,11 +1858,29 @@ module Google
         #   using the URL, but only when the file resource is missing the
         #   corresponding values. (These values can be permanently set using
         #   {File#content_disposition=} and {File#content_type=}.)
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   For V4 signing, this also sets the `host` header in the canonicalized
+        #   extension headers to the virtual hosted-style host, unless that header is
+        #   supplied via the `headers` param. The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
         # @param [Symbol, String] version The version of the signed credential
         #   to create. Must be one of `:v2` or `:v4`. The default value is
         #   `:v2`.
         #
-        # @return [String]
+        # @return [String] The signed URL.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
         #
         # @example
         #   require "google/cloud/storage"
@@ -1447,6 +1911,40 @@ module Google
         #                                  issuer: "service-account@gcloud.com",
         #                                  signing_key: key
         #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = Google::Apis::IamcredentialsV1::SignBlobRequest.new(
+        #       payload: string_to_sign
+        #     )
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket_name = "my-todo-app"
+        #   file_path = "avatars/heidi/400x400.png"
+        #   url = storage.signed_url bucket_name, file_path,
+        #                            method: "GET", issuer: issuer,
+        #                            signer: signer
         # @example Using the `headers` option:
         #   require "google/cloud/storage"
         #
@@ -1482,36 +1980,60 @@ module Google
         #   bucket = storage.bucket "my-todo-app"
         #   list_files_url = bucket.signed_url version: :v4
         #
-        def signed_url path = nil, method: nil, expires: nil, content_type: nil,
-                       content_md5: nil, headers: nil, issuer: nil,
-                       client_email: nil, signing_key: nil, private_key: nil,
-                       query: nil, version: nil
+        def signed_url path = nil,
+                       method: "GET",
+                       expires: nil,
+                       content_type: nil,
+                       content_md5: nil,
+                       headers: nil,
+                       issuer: nil,
+                       client_email: nil,
+                       signing_key: nil,
+                       private_key: nil,
+                       signer: nil,
+                       query: nil,
+                       scheme: "HTTPS",
+                       virtual_hosted_style: nil,
+                       bucket_bound_hostname: nil,
+                       version: nil
           ensure_service!
           version ||= :v2
           case version.to_sym
           when :v2
-            signer = File::SignerV2.from_bucket self, path
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, content_type: content_type,
-                              content_md5: content_md5, issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key, query: query
+            sign = File::SignerV2.from_bucket self, path
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            content_type: content_type,
+                            content_md5: content_md5,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query
           when :v4
-            signer = File::SignerV4.from_bucket self, path
-            signer.signed_url method: method, expires: expires,
-                              headers: headers, issuer: issuer,
-                              client_email: client_email,
-                              signing_key: signing_key,
-                              private_key: private_key, query: query
+            sign = File::SignerV4.from_bucket self, path
+            sign.signed_url method: method,
+                            expires: expires,
+                            headers: headers,
+                            issuer: issuer,
+                            client_email: client_email,
+                            signing_key: signing_key,
+                            private_key: private_key,
+                            signer: signer,
+                            query: query,
+                            scheme: scheme,
+                            virtual_hosted_style: virtual_hosted_style,
+                            bucket_bound_hostname: bucket_bound_hostname
           else
             raise ArgumentError, "version '#{version}' not supported"
           end
         end
 
         ##
-        # Generate a PostObject that includes the fields and url to
-        # upload objects via html forms.
+        # Generate a PostObject that includes the fields and URL to
+        # upload objects via HTML forms.
         #
         # Generating a PostObject requires service account credentials,
         # either by connecting with a service account when calling
@@ -1524,28 +2046,45 @@ module Google
         # A {SignedUrlUnavailable} is raised if the service account credentials
         # are missing. Service account credentials are acquired by following the
         # steps in [Service Account Authentication](
-        # https://cloud.google.com/storage/docs/authentication#service_accounts).
+        # https://cloud.google.com/iam/docs/service-accounts).
         #
         # @see https://cloud.google.com/storage/docs/xml-api/post-object
         #
         # @param [String] path Path to the file in Google Cloud Storage.
         # @param [Hash] policy The security policy that describes what
-        #   can and cannot be uploaded in the form. When provided,
-        #   the PostObject fields will include a Signature based on the JSON
-        #   representation of this Hash and the same policy in Base64 format.
+        #   can and cannot be uploaded in the form. When provided, the PostObject
+        #   fields will include a signature based on the JSON representation of
+        #   this hash and the same policy in Base64 format.
+        #
         #   If you do not provide a security policy, requests are considered
         #   to be anonymous and will only work with buckets that have granted
-        #   WRITE or FULL_CONTROL permission to anonymous users.
+        #   `WRITE` or `FULL_CONTROL` permission to anonymous users.
         #   See [Policy Document](https://cloud.google.com/storage/docs/xml-api/post-object#policydocument)
         #   for more information.
         # @param [String] issuer Service Account's Client Email.
         # @param [String] client_email Service Account's Client Email.
-        # @param [OpenSSL::PKey::RSA, String] signing_key Service Account's
-        #   Private Key.
-        # @param [OpenSSL::PKey::RSA, String] private_key Service Account's
-        #   Private Key.
-        #
-        # @return [PostObject]
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
+        # @return [PostObject] An object containing the URL, fields, and values needed to upload files via HTML forms.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials
+        #   are missing. Service account credentials are acquired by following the
+        #   steps in [Service Account Authentication](
+        #   https://cloud.google.com/iam/docs/service-accounts).
         #
         # @example
         #   require "google/cloud/storage"
@@ -1605,15 +2144,226 @@ module Google
         #   post.fields[:signature] #=> "ABC...XYZ="
         #   post.fields[:policy] #=> "ABC...XYZ="
         #
-        def post_object path, policy: nil, issuer: nil,
-                        client_email: nil, signing_key: nil,
-                        private_key: nil
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = Google::Apis::IamcredentialsV1::SignBlobRequest.new(
+        #       payload: string_to_sign
+        #     )
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   post = bucket.post_object "avatars/heidi/400x400.png",
+        #                             issuer: issuer,
+        #                             signer: signer
+        #
+        #   post.url #=> "https://storage.googleapis.com"
+        #   post.fields[:key] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields[:GoogleAccessId] #=> "0123456789@gserviceaccount.com"
+        #   post.fields[:signature] #=> "ABC...XYZ="
+        #   post.fields[:policy] #=> "ABC...XYZ="
+        #
+        def post_object path,
+                        policy: nil,
+                        issuer: nil,
+                        client_email: nil,
+                        signing_key: nil,
+                        private_key: nil,
+                        signer: nil
           ensure_service!
+          sign = File::SignerV2.from_bucket self, path
+          sign.post_object issuer: issuer,
+                           client_email: client_email,
+                           signing_key: signing_key,
+                           private_key: private_key,
+                           signer: signer,
+                           policy: policy
+        end
 
-          signer = File::SignerV2.from_bucket self, path
-          signer.post_object issuer: issuer, client_email: client_email,
-                             signing_key: signing_key, private_key: private_key,
-                             policy: policy
+        ##
+        # Generate a `PostObject` that includes the fields and URL to
+        # upload objects via HTML forms. The resulting `PostObject` is
+        # based on a policy document created from the method arguments.
+        # This policy provides authorization to ensure that the HTML
+        # form can upload files into the bucket. See [Signatures -
+        # Policy document](https://cloud.google.com/storage/docs/authentication/signatures#policy-document).
+        #
+        # Generating a `PostObject` requires service account credentials,
+        # either by connecting with a service account when calling
+        # {Google::Cloud.storage}, or by passing in the service account
+        # `issuer` and `signing_key` values. Although the private key can
+        # be passed as a string for convenience, creating and storing
+        # an instance of `OpenSSL::PKey::RSA` is more efficient
+        # when making multiple calls to `generate_signed_post_policy_v4`.
+        #
+        # A {SignedUrlUnavailable} is raised if the service account credentials
+        # are missing. Service account credentials are acquired by following the
+        # steps in [Service Account Authentication](
+        # https://cloud.google.com/iam/docs/service-accounts).
+        #
+        # @see https://cloud.google.com/storage/docs/authentication/signatures#policy-document Signatures -
+        #   Policy document
+        # @see https://cloud.google.com/storage/docs/xml-api/post-object
+        #
+        # @param [String] path Path to the file in Google Cloud Storage.
+        # @param [String] issuer Service Account's Client Email.
+        # @param [String] client_email Service Account's Client Email.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signing_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] private_key Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        # @param [OpenSSL::PKey::RSA, String, Proc] signer Service Account's
+        #   Private Key or a Proc that accepts a single String parameter and returns a
+        #   RSA SHA256 signature using a valid Google Service Account Private Key.
+        #
+        #   When using this method in environments such as GAE Flexible Environment,
+        #   GKE, or Cloud Functions where the private key is unavailable, it may be
+        #   necessary to provide a Proc (or lambda) via the signer parameter. This
+        #   Proc should return a signature created using a RPC call to the
+        #   [Service Account Credentials signBlob](https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob)
+        #   method as shown in the example below.
+        # @param [Integer] expires The number of seconds until the URL expires.
+        #   The default is 604800 (7 days).
+        # @param [Hash{String => String}] fields User-supplied form fields such as `acl`,
+        #   `cache-control`, `success_action_status`, and `success_action_redirect`.
+        #   Optional. See [Upload an object with HTML forms - Form
+        #   fields](https://cloud.google.com/storage/docs/xml-api/post-object-forms#form_fields).
+        # @param [Array<Hash{String => String}|Array<String>>] conditions An array of
+        #   policy conditions that every upload must satisfy. For example:
+        #   `[["eq", "$Content-Type", "image/jpeg"]]`. Optional. See [Signatures - Policy
+        #   document](https://cloud.google.com/storage/docs/authentication/signatures#policy-document).
+        # @param [String] scheme The URL scheme. The default value is `HTTPS`.
+        # @param [Boolean] virtual_hosted_style Whether to use a virtual hosted-style
+        #   hostname, which adds the bucket into the host portion of the URI rather
+        #   than the path, e.g. `https://mybucket.storage.googleapis.com/...`.
+        #   The default value of `false` uses the
+        #   form of `https://storage.googleapis.com/mybucket`.
+        # @param [String] bucket_bound_hostname Use a bucket-bound hostname, which
+        #   replaces the `storage.googleapis.com` host with the name of a `CNAME`
+        #   bucket, e.g. a bucket named `gcs-subdomain.my.domain.tld`, or a Google
+        #   Cloud Load Balancer which routes to a bucket you own, e.g.
+        #   `my-load-balancer-domain.tld`.
+        #
+        # @return [PostObject] An object containing the URL, fields, and values needed to
+        #   upload files via HTML forms.
+        #
+        # @raise [SignedUrlUnavailable] If the service account credentials are missing.
+        #   Service account credentials are acquired by following the steps in [Service
+        #   Account Authentication](https://cloud.google.com/iam/docs/service-accounts).
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #
+        #   conditions = [["starts-with", "$acl","public"]]
+        #   post = bucket.generate_signed_post_policy_v4 "avatars/heidi/400x400.png",
+        #                                                expires:    10,
+        #                                                conditions: conditions
+        #
+        #   post.url #=> "https://storage.googleapis.com/my-todo-app/"
+        #   post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields["policy"] #=> "ABC...XYZ"
+        #   post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
+        #   post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
+        #   post.fields["x-goog-date"] #=> "20200128T000000Z"
+        #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
+        #
+        # @example Using Cloud IAMCredentials signBlob to create the signature:
+        #   require "google/cloud/storage"
+        #   require "google/apis/iamcredentials_v1"
+        #   require "googleauth"
+        #
+        #   # Issuer is the service account email that the Signed URL will be signed with
+        #   # and any permission granted in the Signed URL must be granted to the
+        #   # Google Service Account.
+        #   issuer = "service-account@project-id.iam.gserviceaccount.com"
+        #
+        #   # Create a lambda that accepts the string_to_sign
+        #   signer = lambda do |string_to_sign|
+        #     IAMCredentials = Google::Apis::IamcredentialsV1
+        #     iam_client = IAMCredentials::IAMCredentialsService.new
+        #
+        #     # Get the environment configured authorization
+        #     scopes = ["https://www.googleapis.com/auth/iam"]
+        #     iam_client.authorization = Google::Auth.get_application_default scopes
+        #
+        #     request = Google::Apis::IamcredentialsV1::SignBlobRequest.new(
+        #       payload: string_to_sign
+        #     )
+        #     resource = "projects/-/serviceAccounts/#{issuer}"
+        #     response = iam_client.sign_service_account_blob resource, request
+        #     response.signed_blob
+        #   end
+        #
+        #   storage = Google::Cloud::Storage.new
+        #
+        #   bucket = storage.bucket "my-todo-app"
+        #   conditions = [["starts-with", "$acl","public"]]
+        #   post = bucket.generate_signed_post_policy_v4 "avatars/heidi/400x400.png",
+        #                                                expires:    10,
+        #                                                conditions: conditions,
+        #                                                issuer:     issuer,
+        #                                                signer:     signer
+        #
+        #   post.url #=> "https://storage.googleapis.com/my-todo-app/"
+        #   post.fields["key"] #=> "my-todo-app/avatars/heidi/400x400.png"
+        #   post.fields["policy"] #=> "ABC...XYZ"
+        #   post.fields["x-goog-algorithm"] #=> "GOOG4-RSA-SHA256"
+        #   post.fields["x-goog-credential"] #=> "cred@pid.iam.gserviceaccount.com/20200123/auto/storage/goog4_request"
+        #   post.fields["x-goog-date"] #=> "20200128T000000Z"
+        #   post.fields["x-goog-signature"] #=> "4893a0e...cd82"
+        #
+        def generate_signed_post_policy_v4 path,
+                                           issuer: nil,
+                                           client_email: nil,
+                                           signing_key: nil,
+                                           private_key: nil,
+                                           signer: nil,
+                                           expires: nil,
+                                           fields: nil,
+                                           conditions: nil,
+                                           scheme: "https",
+                                           virtual_hosted_style: nil,
+                                           bucket_bound_hostname: nil
+          ensure_service!
+          sign = File::SignerV4.from_bucket self, path
+          sign.post_object issuer: issuer,
+                           client_email: client_email,
+                           signing_key: signing_key,
+                           private_key: private_key,
+                           signer: signer,
+                           expires: expires,
+                           fields: fields,
+                           conditions: conditions,
+                           scheme: scheme,
+                           virtual_hosted_style: virtual_hosted_style,
+                           bucket_bound_hostname: bucket_bound_hostname
         end
 
         ##
@@ -1719,6 +2469,26 @@ module Google
         # @param [Boolean] force [Deprecated] Force the latest policy to be
         #   retrieved from the Storage service when `true`. Deprecated because
         #   the latest policy is now always retrieved. The default is `nil`.
+        # @param [Integer] requested_policy_version The requested syntax schema
+        #   version of the policy. Optional. If `1`, `nil`, or not provided, a
+        #   {Google::Cloud::Storage::PolicyV1} object is returned, which
+        #   provides {Google::Cloud::Storage::PolicyV1#roles} and related
+        #   helpers but does not provide a `bindings` method. If `3` is
+        #   provided, a {Google::Cloud::Storage::PolicyV3} object is returned,
+        #   which provides {Google::Cloud::Storage::PolicyV3#bindings} but does
+        #   not provide a `roles` method or related helpers. A higher version
+        #   indicates that the policy contains role bindings with the newer
+        #   syntax schema that is unsupported by earlier versions.
+        #
+        #   The following requested policy versions are valid:
+        #
+        #   * 1 - The first version of Cloud IAM policy schema. Supports binding one
+        #     role to one or more members. Does not support conditional bindings.
+        #   * 3 - Introduces the condition field in the role binding, which further
+        #     constrains the role binding via context-based and attribute-based rules.
+        #     See [Understanding policies](https://cloud.google.com/iam/docs/policies)
+        #     and [Overview of Cloud IAM Conditions](https://cloud.google.com/iam/docs/conditions-overview)
+        #     for more information.
         #
         # @yield [policy] A block for updating the policy. The latest policy
         #   will be read from the service and passed to the block. After the
@@ -1728,31 +2498,98 @@ module Google
         #
         # @return [Policy] the current Cloud IAM Policy for this bucket
         #
-        # @example
+        # @example Retrieving a Policy that is implicitly version 1:
         #   require "google/cloud/storage"
         #
         #   storage = Google::Cloud::Storage.new
-        #
-        #   bucket = storage.bucket "my-todo-app"
+        #   bucket = storage.bucket "my-bucket"
         #
         #   policy = bucket.policy
+        #   policy.version # 1
+        #   puts policy.roles["roles/storage.objectViewer"]
         #
-        # @example Retrieve the latest policy and update it in a block:
+        # @example Retrieving a version 3 Policy using `requested_policy_version`:
         #   require "google/cloud/storage"
         #
         #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
         #
-        #   bucket = storage.bucket "my-todo-app"
+        #   policy = bucket.policy requested_policy_version: 3
+        #   policy.version # 3
+        #   puts policy.bindings.find do |b|
+        #     b[:role] == "roles/storage.objectViewer"
+        #   end
+        #
+        # @example Updating a Policy that is implicitly version 1:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
         #
         #   bucket.policy do |p|
-        #     p.add "roles/owner", "user:owner@example.com"
+        #     p.version # the value is 1
+        #     p.remove "roles/storage.admin", "user:owner@example.com"
+        #     p.add "roles/storage.admin", "user:newowner@example.com"
+        #     p.roles["roles/storage.objectViewer"] = ["allUsers"]
+        #   end
+        #
+        # @example Updating a Policy from version 1 to version 3 by adding a condition:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.uniform_bucket_level_access = true
+        #
+        #   bucket.policy requested_policy_version: 3 do |p|
+        #     p.version # the value is 1
+        #     p.version = 3 # Must be explicitly set to opt-in to support for conditions.
+        #
+        #     expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
+        #     p.bindings.insert({
+        #                         role: "roles/storage.admin",
+        #                         members: ["user:owner@example.com"],
+        #                         condition: {
+        #                           title: "my-condition",
+        #                           description: "description of condition",
+        #                           expression: expr
+        #                         }
+        #                       })
+        #   end
+        #
+        # @example Updating a version 3 Policy:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   bucket.uniform_bucket_level_access? # true
+        #
+        #   bucket.policy requested_policy_version: 3 do |p|
+        #     p.version = 3 # Must be explicitly set to opt-in to support for conditions.
+        #
+        #     expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
+        #     p.bindings.insert({
+        #                         role: "roles/storage.admin",
+        #                         members: ["user:owner@example.com"],
+        #                         condition: {
+        #                           title: "my-condition",
+        #                           description: "description of condition",
+        #                           expression: expr
+        #                         }
+        #                       })
         #   end
         #
-        def policy force: nil
+        def policy force: nil, requested_policy_version: nil
           warn "DEPRECATED: 'force' in Bucket#policy" unless force.nil?
           ensure_service!
-          gapi = service.get_bucket_policy name, user_project: user_project
-          policy = Policy.from_gapi gapi
+          gapi = service.get_bucket_policy name, requested_policy_version: requested_policy_version,
+                                                 user_project: user_project
+          policy = if requested_policy_version.nil? || requested_policy_version == 1
+                     PolicyV1.from_gapi gapi
+                   else
+                     PolicyV3.from_gapi gapi
+                   end
           return policy unless block_given?
           yield policy
           update_policy policy
@@ -1777,24 +2614,70 @@ module Google
         #
         # @return [Policy] The policy returned by the API update operation.
         #
-        # @example
+        # @example Updating a Policy that is implicitly version 1:
         #   require "google/cloud/storage"
         #
         #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
         #
-        #   bucket = storage.bucket "my-todo-app"
+        #   policy = bucket.policy
+        #   policy.version # 1
+        #   policy.remove "roles/storage.admin", "user:owner@example.com"
+        #   policy.add "roles/storage.admin", "user:newowner@example.com"
+        #   policy.roles["roles/storage.objectViewer"] = ["allUsers"]
+        #
+        #   policy = bucket.update_policy policy
+        #
+        # @example Updating a Policy from version 1 to version 3 by adding a condition:
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   policy = bucket.policy requested_policy_version: 3
+        #   policy.version # 1
+        #   policy.version = 3
+        #
+        #   expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
+        #   policy.bindings.insert({
+        #                           role: "roles/storage.admin",
+        #                           members: ["user:owner@example.com"],
+        #                           condition: {
+        #                             title: "my-condition",
+        #                             description: "description of condition",
+        #                             expression: expr
+        #                           }
+        #                         })
+        #
+        #   policy = bucket.update_policy policy
+        #
+        # @example Updating a version 3 Policy:
+        #   require "google/cloud/storage"
         #
-        #   policy = bucket.policy # API call
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
         #
-        #   policy.add "roles/owner", "user:owner@example.com"
+        #   policy = bucket.policy requested_policy_version: 3
+        #   policy.version # 3 indicates an existing binding with a condition.
+        #
+        #   expr = "resource.name.startsWith(\"projects/_/buckets/bucket-name/objects/prefix-a-\")"
+        #   policy.bindings.insert({
+        #                           role: "roles/storage.admin",
+        #                           members: ["user:owner@example.com"],
+        #                           condition: {
+        #                             title: "my-condition",
+        #                             description: "description of condition",
+        #                             expression: expr
+        #                           }
+        #                         })
         #
-        #   bucket.update_policy policy # API call
+        #   policy = bucket.update_policy policy
         #
         def update_policy new_policy
           ensure_service!
           gapi = service.set_bucket_policy name, new_policy.to_gapi,
                                            user_project: user_project
-          Policy.from_gapi gapi
+          new_policy.class.from_gapi gapi
         end
         alias policy= update_policy
 
@@ -1817,7 +2700,7 @@ module Google
         #
         #   storage = Google::Cloud::Storage.new
         #
-        #   bucket = storage.bucket "my-todo-app"
+        #   bucket = storage.bucket "my-bucket"
         #
         #   permissions = bucket.test_permissions "storage.buckets.get",
         #                                         "storage.buckets.delete"
@@ -1964,11 +2847,12 @@ module Google
         def create_notification topic, custom_attrs: nil, event_types: nil,
                                 prefix: nil, payload: nil
           ensure_service!
-          options = { custom_attrs: custom_attrs, event_types: event_types,
-                      prefix: prefix, payload: payload,
-                      user_project: user_project }
 
-          gapi = service.insert_notification name, topic, options
+          gapi = service.insert_notification name, topic, custom_attrs: custom_attrs,
+                                                          event_types: event_types,
+                                                          prefix: prefix,
+                                                          payload: payload,
+                                                          user_project: user_project
           Notification.from_gapi name, gapi, service, user_project: user_project
         end
         alias new_notification create_notification
@@ -2047,20 +2931,46 @@ module Google
           reload!
         end
 
-        def patch_gapi! *attributes
+        def patch_gapi! attributes,
+                        if_metageneration_match: nil,
+                        if_metageneration_not_match: nil
+          attributes = Array(attributes)
           attributes.flatten!
           return if attributes.empty?
           ensure_service!
           patch_args = Hash[attributes.map do |attr|
             [attr, @gapi.send(attr)]
           end]
-          patch_gapi = API::Bucket.new patch_args
-          @gapi = service.patch_bucket name, patch_gapi,
+          patch_gapi = API::Bucket.new(**patch_args)
+          @gapi = service.patch_bucket name,
+                                       patch_gapi,
+                                       if_metageneration_match: if_metageneration_match,
+                                       if_metageneration_not_match: if_metageneration_not_match,
                                        user_project: user_project
           @lazy = nil
           self
         end
 
+        def update_gapi! attributes,
+                         if_metageneration_match: nil,
+                         if_metageneration_not_match: nil
+          attributes = Array(attributes)
+          attributes.flatten!
+          return if attributes.empty?
+          ensure_service!
+          update_args = Hash[attributes.map do |attr|
+            [attr, @gapi.send(attr)]
+          end]
+          update_gapi = API::Bucket.new(**update_args)
+          @gapi = service.update_bucket name,
+                                        update_gapi,
+                                        if_metageneration_match: if_metageneration_match,
+                                        if_metageneration_not_match: if_metageneration_not_match,
+                                        user_project: user_project
+          @lazy = nil
+          self
+        end
+
         ##
         # Raise an error if the file is not found.
         def ensure_io_or_file_exists! file
@@ -2069,13 +2979,27 @@ module Google
           raise ArgumentError, "cannot find file #{file}"
         end
 
+        def crc32c_for source, checksum, crc32c
+          return crc32c unless [:crc32c, :all].include? checksum
+          raise ArgumentError, "'checksum: :crc32c' or 'checksum: :all' is present with 'crc32c' arg" if crc32c
+          File::Verifier.crc32c_for source
+        end
+
+        def md5_for source, checksum, md5
+          return md5 unless [:md5, :all].include? checksum
+          raise ArgumentError, "'checksum: :md5' or 'checksum: :all' is present with 'md5' arg" if md5
+          File::Verifier.md5_for source
+        end
+
         ##
         # Yielded to a block to accumulate changes for a patch request.
         class Updater < Bucket
           attr_reader :updates
+
           ##
           # Create an Updater object.
           def initialize gapi
+            super()
             @updates = []
             @gapi = gapi
             @labels = @gapi.labels.to_h.dup