Sliick Files + Google Cloud Storage: storage setup

Backing Sliick Files with Google Cloud Storage (GCS) means your file bytes travel browser to your bucket directly over short-lived signed URLs. Salesforce stays the access-control gatekeeper - it decides who can upload, download, or delete - but the bytes themselves never pass through Sliick-operated infrastructure. You own the bucket, you own the data, and you pay GCS storage rates instead of Salesforce file-storage rates.

Google Cloud Storage exposes an S3-compatible HMAC key mode, and that is what Sliick uses: you generate an HMAC key in GCP (section 1) and paste it into Sliick Settings. When you click Connect, Sliick sets up the Salesforce side for you - nothing to edit in Setup, and the same endpoint works for every bucket worldwide. The only manual step is granting one permission set so your users can use the storage (section 2).

The whole process takes about 20 minutes. New Google Cloud accounts get a $300 free credit for 90 days, and Cloud Storage standard pricing runs around $0.020 per GB-month with no upfront cost, so you can stand the whole thing up and validate it before spending a cent. (Pricing and free-credit terms are current as of June 2026; check Google Cloud’s pricing page for the latest.)

What you will end up with

By the end you will have four values to paste into Sliick Settings:

• HMAC Access Key
• HMAC Secret
• Bucket Name
• Region code

Keep a password manager or a scratch note open as you go. The HMAC secret in particular is shown exactly once.

1. GCP account setup

These steps all happen in the Google Cloud Console. If you have never used GCP before, follow each subsection in order.

1a. Create a Google Cloud account and project

Skip this if you already have a project you want to use.

1. Go to https://console.cloud.google.com/ and sign in with a Google account (personal Gmail or Workspace).
2. First-time users get a $300 free credit for 90 days. Accept the billing terms and add a credit card - you will not be charged unless you exceed the credit or actively upgrade.
3. Once signed in, click the project dropdown at the very top of the console (next to “Google Cloud”) and click New Project.
   • Project name - sliick-files (or similar). The name is human-readable.
   • Project ID - autogenerated, e.g. sliick-files-481203. This is the globally unique ID GCP uses internally. Write it down.
   • Organization - leave at default (or pick your Workspace org).
4. Click Create. Wait ~30 seconds, then make sure the project dropdown shows the new project. Everything below assumes you are inside it.

1b. Enable the Cloud Storage API and link billing

1. In the console search bar at the top, type Cloud Storage and open the service.
2. If you see a prompt to Enable the Cloud Storage API, click it.
3. If GCP prompts you to link a billing account, do so. Cloud Storage is a paid service even though usage may fall entirely under the $300 free credit.

1c. Pick a region

Every GCS bucket lives in a single location. Pick the one closest to your Salesforce org and users. Common choices:

Write down the exact region code - you will enter it in the Sliick Settings LWC. The region in Sliick Settings must match the bucket’s location exactly or every signed request will fail.

1d. Create a Cloud Storage bucket

1. In Cloud Storage → Buckets, click Create.
2. Name your bucket - must be globally unique across all of GCP. Use something like sliick-files-acme-prod (lowercase, hyphens, no underscores). Write the exact name down.
3. Choose where to store your data - Region, then pick the region code from step 1c. (Multi-region and dual-region cost more and are not required.)
4. Choose a default storage class - Standard. Other classes (Nearline, Coldline, Archive) have per-access fees that do not fit an active file workload.
5. Choose how to control access to objects:
   • Prevent public access - leave On (recommended). Sliick uses presigned URLs; the bucket should never be publicly listed.
   • Access control - Uniform (recommended). Fine-grained ACLs add complexity Sliick does not need.
6. Choose how to protect object data - leave defaults (no versioning, no retention policy). Sliick manages version history at the application layer; enabling Object Versioning will silently double your storage costs.
7. Click Create.
8. If a popup warns about public access prevention, confirm Enforce public access prevention on this bucket.

1e. Configure CORS on the bucket (critical for browser uploads)

This is the step people skip and then spend an afternoon debugging. Without it, browser-direct uploads from the Sliick LWC will fail with a CORS error in the browser console. Apex-side GCS callouts will still work, so the symptom is “uploads from the UI fail but admin diagnostics pass” - easy to misdiagnose.

The same GET rule also powers the photo editor: large images (over the 4 MB Apex limit) load directly into the canvas via a cross-origin request. Without GET in the CORS rule - or if your Salesforce origin is not listed - large external images open in view-only mode instead of being editable (editing is capped at 50 MB).

GCS CORS cannot be set in the console UI. You set it via the gcloud CLI or the JSON API. The gcloud flow is easiest:

1. Install the Google Cloud CLI (one-time, per machine): https://cloud.google.com/sdk/docs/install. Then:

   gcloud auth login
   gcloud config set project YOUR-PROJECT-ID

2. Save the following to cors.json on your machine. Replace the entries in origin with your actual Salesforce org domains - list every domain users will upload from (production org, sandboxes, Experience Cloud sites):

   [
     {
       "origin": [
         "https://your-org.lightning.force.com",
         "https://your-org.my.salesforce.com",
         "https://your-org.sandbox.my.salesforce.com",
         "https://your-experience-site.my.site.com"
       ],
       "method": ["GET", "PUT", "HEAD"],
       "responseHeader": ["*", "Content-Type", "ETag", "x-goog-resumable"],
       "maxAgeSeconds": 3000
     }
   ]

   The "*" in responseHeader is required. When File Metadata sync is enabled, Sliick signs x-goog-meta-* headers into the browser upload, and those header names are configurable per org. GCS only lets the browser send request headers the CORS preflight allows, so without the "*" wildcard the upload fails with Failed to fetch / “Could not reach storage” even though the origin is allowed. The wildcard makes GCS accept whatever headers the signed PUT carries.

3. Apply it to your bucket:

   gcloud storage buckets update gs://YOUR-BUCKET-NAME --cors-file=cors.json

4. Verify:

   gcloud storage buckets describe gs://YOUR-BUCKET-NAME --format="default(cors_config)"

Finding your Salesforce domains: in Salesforce Setup → My Domain, the Current My Domain URL and Lightning URL are the two you need for the production org. Sandboxes have their own equivalents. Experience Cloud sites appear in Setup → Digital Experiences → All Sites.

1f. Create a service account

Service accounts are GCP’s equivalent of an “application identity” - non-human, used by integrations like Sliick. The HMAC key in the next step is tied to a service account, not a person.

1. In the console search bar, type Service Accounts and open the page (under IAM & Admin).
2. Click Create service account.
3. Service account name - sliick-files-app (or similar). Service account ID auto-fills from the name.
4. Description - optional, e.g. “Sliick Files HMAC identity for bucket YOUR-BUCKET-NAME”.
5. Click Create and continue.
6. Grant this service account access to project - leave blank for now. We will grant bucket-level access in the next step (more restrictive than project-level).
7. Click Continue, then Done.

1g. Grant the service account access to the bucket

1. Go back to Cloud Storage → Buckets and click your bucket name.
2. Open the Permissions tab and click Grant access.
3. New principals - paste the service account’s email address (it looks like sliick-files-app@your-project-id.iam.gserviceaccount.com, shown on the service accounts list).
4. Select a role - search for and pick Storage Object User (roles/storage.objectUser). This grants read, create, and delete on objects in this bucket only - no project-level or cross-bucket access.
5. Click Save.

1h. Generate the HMAC key

GCS supports two auth modes: native OAuth (Bearer tokens) and HMAC (AWS-S3-style signed requests). Sliick uses HMAC because it lets the same signing code work across S3, R2, and GCS.

1. In the console search bar, type Interoperability and open Cloud Storage → Settings → Interoperability. (Alternatively: Cloud Storage → Settings, then the Interoperability tab.)
2. If you see a prompt Select a default project, set it to the current project. HMAC key creation requires this even though it does not change anything you care about.
3. Scroll to Access keys for service accounts and click Create a key for a service account.
4. Pick the sliick-files-app service account from step 1f.
5. Click Create key.
6. You will see the Access key and Secret.

Copy both now. The secret is shown exactly once. If you close this page without copying it, you must delete the key and create a new one. Paste them into a password manager or keep the tab open until you have finished step 3 below.

1i. (Optional) Quick sanity check with gcloud

gcloud storage ls gs://YOUR-BUCKET-NAME

This should return without error (empty output is fine - the bucket is empty). It uses your gcloud auth login identity, not the HMAC key, but it confirms the bucket name and project link are right.

At this point you have the four values you need for Salesforce:

• HMAC Access Key (from step 1h)
• HMAC Secret (from step 1h)
• Bucket Name (from step 1d)
• Region code (from step 1c)

2. Salesforce setup - one-time per org

The GCP Storage credential is set up automatically when you click Connect (section 3) - there is nothing to edit in Setup. The Salesforce-side work is assigning permission sets.

2a. Assign the Sliick Files permission sets

Sliick Files ships packaged permission sets. Assign them in Setup → Permission Sets, then Manage Assignments → Add Assignment:

• Sliick Files Admin - to admins who configure storage and open Sliick Settings.
• Sliick Files User - to anyone who uploads, views, tags, or shares files.

Without one of these, a user can’t open Sliick Settings or upload files.

2b. Grant the GCP Storage principal on a permission set

1. Setup → Permission Sets - open (or create) a permission set you control for storage users.
2. Add External Credential Principal Access for the GCP Storage principal (sliick__GCP_Storage-Default), and assign that permission set to anyone who will upload, download, or delete GCP-backed files (admins included).

The credential Sliick creates at connect isn’t covered by a packaged permission set, so the grant lives on a permission set you manage. Without it, the Connection Test and file downloads fail with a “couldn’t access the credential” error.

3. Connect in Sliick Settings

1. Open Sliick Settings.
2. Provider = Google Cloud Storage.
3. Paste HMAC Access Key, HMAC Secret, Bucket Name, and Region from step 1 of the GCP setup.
4. Click Connect.

Sliick saves the four values and validates the connection, then sets the status to Active.

To rotate keys, regenerate the HMAC pair in the GCP console and re-enter them in Sliick Settings.

Data residency (read before enabling the pipeline)

By default your file bytes travel browser to your GCS bucket directly over signed URLs. Salesforce is the access-control gatekeeper, but the bytes themselves never pass through Sliick-operated infrastructure.

There is one opt-in exception: the Image Processing Pipeline toggle in Sliick Settings. When enabled, newly uploaded image files are routed through Sliick’s processing service (Google Cloud Run) to perform HEIC to JPEG conversion, resizing, and thumbnail generation, and the processed image is then written back to your bucket. While processing:

• Only image content types are routed; non-image files (PDFs, docs, video) and all downloads never transit Sliick.
• The pipeline is off by default and gated per tenant - it does nothing until an admin turns it on here.
• The hop is authenticated (per-tenant HMAC) and the service holds bytes only transiently for the duration of processing; it is not a durable store.

If your data-handling policy requires that image bytes never leave your own infrastructure, leave the pipeline disabled. Uploads still work - images are stored as-is without server-side conversion or thumbnails.

Enabling the image pipeline (optional)

If you do want server-side HEIC to JPEG conversion, resizing, and thumbnails, enable the packaged Sliick Pipeline Integration External Client App once:

1. Setup → App Manager (or External Client App Manager) - find Sliick Pipeline Integration - Edit Policies.
2. Under OAuth Policies, enable Client Credentials Flow.
3. Set Run As User to a dedicated integration user that has the Sliick Pipeline Integration permission set assigned.
4. In Sliick Settings, toggle the Image Processing Pipeline on and click Verify.

Pipeline access is gated per tenant. If Verify fails with a “not authorised” message, contact Sliick to enable it for your org.

Troubleshooting