Console
    Start free

    Make data public

    This page shows you how to make objects you own readable to everyone on the public internet and how to remove public access from your bucket. To learn how to access data that has been made public, see Accessing Public Data .

    When an object is shared publicly, any user with knowledge of the object URI can access the object for as long as the object is public.

    Required roles

    In order to get the required permissions for making objects publicly readable, ask your administrator to grant you the following roles for the bucket that contains the data you want to make public:

    • To make all objects in a bucket publicly readable: Storage Admin ( roles/storage.admin )

    • To make individual objects publicly readable: Storage Object Admin ( roles/storage.objectAdmin )

      • If you plan on using the Google Cloud console, you'll need the Storage Admin ( roles/storage.admin ) role instead of the Storage Object Admin role.

    • To remove public access from all objects in a bucket: Storage Admin ( roles/storage.admin )

    These roles contain the permissions required to make objects public. To see the exact permissions that are required, expand the Required permissionssection:

    Required permissions

    • storage.buckets.get
    • storage.buckets.getIamPolicy
    • storage.buckets.setIamPolicy
    • storage.buckets.update
    • storage.objects.get
    • storage.objects.getIamPolicy
    • storage.objects.setIamPolicy
    • storage.objects.update

    The following permissions are only required for using the Google Cloud console to perform the tasks on this page:

    • storage.buckets.list
    • storage.objects.list

    You might also be able to get these permissions with other predefined roles or custom roles .

    For instructions on granting roles on buckets, see Set and manage IAM policies on buckets .

    Make all objects in a bucket publicly readable

    To make all objects in a bucket readable to everyone on the public internet, grant the principal allUsers the Storage Object Viewer ( roles/storage.objectViewer ) role:

    Console

    1. In the Google Cloud console, go to the Cloud Storage Buckets page.

      Go to Buckets

    2. In the list of buckets, click the name of the bucket that you want to make public.

    3. Select the Permissionstab near the top of the page.

    4. In the Permissionssection, click the Grant accessbutton.

      The Grant access dialog appears.

    5. In the New principalsfield, enter allUsers .

    6. In the Select a roledrop down, enter Storage Object Viewer in the filter box and select the Storage Object Viewerfrom the filtered results.

    7. Click Save.

    8. Click Allow public access.

    Once public access has been granted, a Copy URLbutton appears for each object in the public access column. You can click this button to get the public URL for the object. The public URL is different from the link you get from directly right-clicking an object. Both links provide access to an object, but the public URL works without the user having to sign into a user account. See Request endpoints for more information.

    To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting .

    To learn how to resolve organization policy error and permission error, see Troubleshoot making data public .

    Command line

    1. In the Google Cloud console, activate Cloud Shell.

      Activate Cloud Shell

      At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    2. In your development environment, run the buckets add-iam-policy-binding command:

      gcloud storage buckets add-iam-policy-binding gs:// BUCKET_NAME 
--member=allUsers --role=roles/storage.objectViewer

      Where BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket .

    Client libraries

    C++

    For more information, see the Cloud Storage C++ API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      namespace 
  
 gcs 
  
 = 
  
 :: 
 google 
 :: 
 cloud 
 :: 
 storage 
 ; 
 using 
  
 :: 
 google 
 :: 
 cloud 
 :: 
 StatusOr 
 ; 
 []( 
 gcs 
 :: 
 Client 
  
 client 
 , 
  
 std 
 :: 
 string 
  
 const 
&  
 bucket_name 
 ) 
  
 { 
  
 auto 
  
 current_policy 
  
 = 
  
 client 
 . 
 GetNativeBucketIamPolicy 
 ( 
  
 bucket_name 
 , 
  
 gcs 
 :: 
 RequestedPolicyVersion 
 ( 
 3 
 )); 
  
 if 
  
 ( 
 ! 
 current_policy 
 ) 
  
 throw 
  
 std 
 :: 
 move 
 ( 
 current_policy 
 ). 
 status 
 (); 
  
 current_policy 
 - 
> set_version 
 ( 
 3 
 ); 
  
 current_policy 
 - 
> bindings 
 (). 
 emplace_back 
 ( 
  
 gcs 
 :: 
 NativeIamBinding 
 ( 
 "roles/storage.objectViewer" 
 , 
  
 { 
 "allUsers" 
 })); 
  
 auto 
  
 updated 
  
 = 
  
 client 
 . 
 SetNativeBucketIamPolicy 
 ( 
 bucket_name 
 , 
  
 * 
 current_policy 
 ); 
  
 if 
  
 ( 
 ! 
 updated 
 ) 
  
 throw 
  
 std 
 :: 
 move 
 ( 
 updated 
 ). 
 status 
 (); 
  
 std 
 :: 
 cout 
 << 
 "Policy successfully updated: " 
 << 
 * 
 updated 
 << 
 " 
 \n 
 " 
 ; 
 }

    C#

    For more information, see the Cloud Storage C# API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      using 
  
 Google.Apis.Storage.v1.Data 
 ; 
 using 
  
  Google.Cloud.Storage.V1 
 
 ; 
 using 
  
 System 
 ; 
 using 
  
 System.Collections.Generic 
 ; 
 public 
  
 class 
  
 MakeBucketPublicSample 
 { 
  
 public 
  
 void 
  
 MakeBucketPublic 
 ( 
 string 
  
 bucketName 
  
 = 
  
 "your-unique-bucket-name" 
 ) 
  
 { 
  
 var 
  
 storage 
  
 = 
  
  StorageClient 
 
 . 
  Create 
 
 (); 
  
 Policy 
  
 policy 
  
 = 
  
 storage 
 . 
 GetBucketIamPolicy 
 ( 
 bucketName 
 ); 
  
 policy 
 . 
 Bindings 
 . 
 Add 
 ( 
 new 
  
 Policy 
 . 
 BindingsData 
  
 { 
  
 Role 
  
 = 
  
 "roles/storage.objectViewer" 
 , 
  
 Members 
  
 = 
  
 new 
  
 List<string> 
  
 { 
  
 "allUsers" 
  
 } 
  
 }); 
  
 storage 
 . 
 SetBucketIamPolicy 
 ( 
 bucketName 
 , 
  
 policy 
 ); 
  
 Console 
 . 
 WriteLine 
 ( 
 bucketName 
  
 + 
  
 " is now public " 
 ); 
  
 } 
 }

    Go

    For more information, see the Cloud Storage Go API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "cloud.google.com/go/iam" 
  
 "cloud.google.com/go/iam/apiv1/iampb" 
  
 "cloud.google.com/go/storage" 
 ) 
 // setBucketPublicIAM makes all objects in a bucket publicly readable. 
 func 
  
 setBucketPublicIAM 
 ( 
 w 
  
 io 
 . 
  Writer 
 
 , 
  
 bucketName 
  
 string 
 ) 
  
 error 
  
 { 
  
 // bucketName := "bucket-name" 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 storage 
 . 
 NewClient 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "storage.NewClient: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
 Close 
 () 
  
 policy 
 , 
  
 err 
  
 := 
  
 client 
 . 
  Bucket 
 
 ( 
 bucketName 
 ). 
  IAM 
 
 (). 
  V3 
 
 (). 
 Policy 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "Bucket(%q).IAM().V3().Policy: %w" 
 , 
  
 bucketName 
 , 
  
 err 
 ) 
  
 } 
  
 role 
  
 := 
  
 "roles/storage.objectViewer" 
  
 policy 
 . 
 Bindings 
  
 = 
  
 append 
 ( 
 policy 
 . 
 Bindings 
 , 
  
& iampb 
 . 
 Binding 
 { 
  
 Role 
 : 
  
 role 
 , 
  
 Members 
 : 
  
 [] 
 string 
 { 
 iam 
 . 
  AllUsers 
 
 }, 
  
 }) 
  
 if 
  
 err 
  
 := 
  
 client 
 . 
  Bucket 
 
 ( 
 bucketName 
 ). 
  IAM 
 
 (). 
  V3 
 
 (). 
 SetPolicy 
 ( 
 ctx 
 , 
  
 policy 
 ); 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "Bucket(%q).IAM().SetPolicy: %w" 
 , 
  
 bucketName 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Bucket %v is now publicly readable\n" 
 , 
  
 bucketName 
 ) 
  
 return 
  
 nil 
 }

    Java

    For more information, see the Cloud Storage Java API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      import 
  
 com.google.cloud. Identity 
 
 ; 
 import 
  
 com.google.cloud. Policy 
 
 ; 
 import 
  
 com.google.cloud.storage. Storage 
 
 ; 
 import 
  
 com.google.cloud.storage. StorageOptions 
 
 ; 
 import 
  
 com.google.cloud.storage. StorageRoles 
 
 ; 
 public 
  
 class 
 MakeBucketPublic 
  
 { 
  
 public 
  
 static 
  
 void 
  
 makeBucketPublic 
 ( 
  String 
 
  
 projectId 
 , 
  
  String 
 
  
 bucketName 
 ) 
  
 { 
  
 // The ID of your GCP project 
  
 // String projectId = "your-project-id"; 
  
 // The ID of your GCS bucket 
  
 // String bucketName = "your-unique-bucket-name"; 
  
  Storage 
 
  
 storage 
  
 = 
  
  StorageOptions 
 
 . 
 newBuilder 
 (). 
 setProjectId 
 ( 
 projectId 
 ). 
 build 
 (). 
 getService 
 (); 
  
  Policy 
 
  
 originalPolicy 
  
 = 
  
 storage 
 . 
  getIamPolicy 
 
 ( 
 bucketName 
 ); 
  
 storage 
 . 
  setIamPolicy 
 
 ( 
  
 bucketName 
 , 
  
 originalPolicy 
 . 
 toBuilder 
 () 
  
 . 
 addIdentity 
 ( 
 StorageRoles 
 . 
 objectViewer 
 (), 
  
 Identity 
 . 
 allUsers 
 ()) 
  
 // All users can view 
  
 . 
 build 
 ()); 
  
 System 
 . 
 out 
 . 
 println 
 ( 
 "Bucket " 
  
 + 
  
 bucketName 
  
 + 
  
 " is now publicly readable" 
 ); 
  
 } 
 }

    Node.js

    For more information, see the Cloud Storage Node.js API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      /** 
 * TODO(developer): Uncomment the following lines before running the sample. 
 */ 
 // The ID of your GCS bucket 
 // const bucketName = 'your-unique-bucket-name'; 
 // Imports the Google Cloud client library 
 const 
  
 { 
 Storage 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/storage 
' 
 ); 
 // Creates a client 
 const 
  
 storage 
  
 = 
  
 new 
  
  Storage 
 
 (); 
 async 
  
 function 
  
 makeBucketPublic 
 () 
  
 { 
  
 await 
  
 storage 
 . 
 bucket 
 ( 
 bucketName 
 ). 
 makePublic 
 (); 
  
 console 
 . 
 log 
 ( 
 `Bucket 
 ${ 
 bucketName 
 } 
 is now publicly readable` 
 ); 
 } 
 makeBucketPublic 
 (). 
 catch 
 ( 
 console 
 . 
 error 
 );

    PHP

    For more information, see the Cloud Storage PHP API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      use Google\Cloud\Storage\StorageClient; 
 /** 
 * Update the specified bucket's IAM configuration to make it publicly accessible. 
 * 
 * @param string $bucketName The name of your Cloud Storage bucket. 
 *        (e.g. 'my-bucket') 
 */ 
 function set_bucket_public_iam(string $bucketName): void 
 { 
 $storage = new StorageClient(); 
 $bucket = $storage->bucket($bucketName); 
 $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]); 
 $policy['version'] = 3; 
 $role = 'roles/storage.objectViewer'; 
 $members = ['allUsers']; 
 $policy['bindings'][] = [ 
 'role' => $role, 
 'members' => $members 
 ]; 
 $bucket->iam()->setPolicy($policy); 
 printf('Bucket %s is now public', $bucketName); 
 }

    Python

    For more information, see the Cloud Storage Python API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      from 
  
 typing 
  
 import 
 List 
 from 
  
 google.cloud 
  
 import 
  storage 
 
 def 
  
 set_bucket_public_iam 
 ( 
 bucket_name 
 : 
 str 
 = 
 "your-bucket-name" 
 , 
 members 
 : 
 List 
 [ 
 str 
 ] 
 = 
 [ 
 "allUsers" 
 ], 
 ): 
  
 """Set a public IAM Policy to bucket""" 
 # bucket_name = "your-bucket-name" 
 storage_client 
 = 
  storage 
 
 . 
  Client 
 
 () 
 bucket 
 = 
 storage_client 
 . 
  bucket 
 
 ( 
 bucket_name 
 ) 
 policy 
 = 
 bucket 
 . 
 get_iam_policy 
 ( 
 requested_policy_version 
 = 
 3 
 ) 
 policy 
 . 
 bindings 
 . 
 append 
 ( 
 { 
 "role" 
 : 
 "roles/storage.objectViewer" 
 , 
 "members" 
 : 
 members 
 } 
 ) 
 bucket 
 . 
 set_iam_policy 
 ( 
 policy 
 ) 
 print 
 ( 
 f 
 "Bucket 
 { 
 bucket 
 . 
 name 
 } 
 is now publicly readable" 
 )

    Ruby

    For more information, see the Cloud Storage Ruby API reference documentation .

    To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

      def 
  
 set_bucket_public_iam 
  
 bucket_name 
 : 
  
 # The ID of your GCS bucket 
  
 # bucket_name = "your-unique-bucket-name" 
  
 require 
  
 "google/cloud/storage" 
  
 storage 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  Storage 
 
 . 
  new 
 
  
 bucket 
  
 = 
  
 storage 
 . 
 bucket 
  
 bucket_name 
  
 bucket 
 . 
  policy 
 
  
 do 
  
 | 
 p 
 | 
  
 p 
 . 
  add 
 
  
 "roles/storage.objectViewer" 
 , 
  
 "allUsers" 
  
 end 
  
 puts 
  
 "Bucket 
 #{ 
 bucket_name 
 } 
 is now publicly readable" 
 end

    Rust 

      use 
  
 google_cloud_iam_v1 
 :: 
 model 
 :: 
 Binding 
 ; 
 use 
  
 google_cloud_storage 
 :: 
 client 
 :: 
 StorageControl 
 ; 
 pub 
  
 async 
  
 fn 
  
 sample 
 ( 
 client 
 : 
  
& StorageControl 
 , 
  
 bucket_id 
 : 
  
& str 
 ) 
  
 - 
>  
 anyhow 
 :: 
 Result 
< () 
>  
 { 
  
 let 
  
 mut 
  
 policy 
  
 = 
  
 client 
  
 . 
 get_iam_policy 
 () 
  
 . 
 set_resource 
 ( 
 format! 
 ( 
 "projects/_/buckets/{bucket_id}" 
 )) 
  
 . 
 send 
 () 
  
 . 
 await 
 ? 
 ; 
  
 policy 
 . 
 bindings 
 . 
 push 
 ( 
  
 Binding 
 :: 
 new 
 () 
  
 . 
 set_role 
 ( 
 "roles/storage.objectViewer" 
 ) 
  
 . 
 set_members 
 ( 
 vec! 
 [ 
 "allUsers" 
 . 
 to_string 
 ()]), 
  
 ); 
  
 let 
  
 updated_policy 
  
 = 
  
 client 
  
 . 
 set_iam_policy 
 () 
  
 . 
 set_resource 
 ( 
 format! 
 ( 
 "projects/_/buckets/{bucket_id}" 
 )) 
  
 . 
 set_policy 
 ( 
 policy 
 ) 
  
 . 
 send 
 () 
  
 . 
 await 
 ? 
 ; 
  
 println! 
 ( 
  
 "Successfully set public IAM policy for bucket {}" 
 , 
  
 bucket_id 
  
 ); 
  
 println! 
 ( 
 "The updated policy is: {:?}" 
 , 
  
 updated_policy 
 ); 
  
 Ok 
 (()) 
 }

    Terraform

    You can use a Terraform resource to make all objects in a bucket public.

     # Make bucket public
resource "google_storage_bucket_iam_member" "member" {
  provider = google
  bucket   = google_storage_bucket.default.name
  role     = "roles/storage.objectViewer"
  member   = "allUsers"
}

    REST APIs

    JSON API

    1. Have gcloud CLI installed and initialized , which lets you generate an access token for the Authorization header.

    2. Create a JSON file that contains the following information:

       { 
  
 "bindings" 
 :[ 
  
 { 
  
 "role" 
 : 
  
 "roles/storage.objectViewer" 
 , 
  
 "members" 
 :[ 
 "allUsers" 
 ] 
  
 } 
  
 ] 
 }

    3. Use cURL to call the JSON API with a PUT Bucket request:

      curl -X PUT --data-binary @ JSON_FILE_NAME 
\
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/ BUCKET_NAME 
/iam"

      Where:

      • JSON_FILE_NAME is the path for the file that you created in Step 2.
      • BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket .

    XML API

    Making all objects in a bucket publicly readable is not supported by the XML API. Use the Google Cloud console or gcloud storage .

    Make a portion of a bucket publicly readable

    Use a managed folder to control access to objects whose name prefix match the name of the managed folder. For example, a managed folder named my-folder can be used to control access to objects named my-folder/cats.jpg and my-folder/dogs.jpg .

    To make such objects publicly accessible, first create the managed folder, and then set an IAM policy on the folder that grants allUsers the Storage Object Viewer ( roles/storage.objectViewer ) role:

    Console

    1. In the Google Cloud console, go to the Cloud Storage Buckets page.

      Go to Buckets

    2. Click the name of the bucket that contains the objects you want to make public.

    3. Create a folder, using the following steps:

      1. Click the Create folderbutton.

      2. Enter the Namefor the folder. Once the folder is converted to a managed folder, objects whose name start with this name will be subject to IAM roles set on the folder.

      3. Click Create.

    4. Convert the folder to a managed folder, using the following steps:

      1. In the pane that shows the bucket's contents, find the name of the folder you created, and click the More optionsicon .

      2. Click Edit access.

      3. In the window that appears, click Enable.

    5. Add an IAM policy to the folder that grants allUsers the Storage Object Viewer ( roles/storage.objectViewer ) role, using the following steps:

      1. If the Permissionspane for your managed folder isn't already open, click the More optionsicon for the managed folder, and then click Edit access.

      2. In the Permissionspane, click the Add principalbutton.

      3. In the New principalsfield, enter allUsers .

      4. In the Select a roledrop down, enter Storage Object Viewer in the filter box, and select Storage Object Viewerfrom the filtered results.

      5. Click Save.

      6. Click Allow public access.

    Once public access has been granted, a Copy URLbutton appears for each applicable object in the public access column. You can click this button to get the public URL for the object. The public URL is different from the link you get from directly right-clicking an object. Both links provide access to an object, but the public URL works without the user having to sign into a user account. See Request endpoints for more information.

    To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting .

    To learn how to resolve organization policy error and permission error, see Troubleshoot making data public .

    Command line

    1. In the Google Cloud console, activate Cloud Shell.

      Activate Cloud Shell

      At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    2. In your development environment, create a managed folder using the gcloud storage managed-folders create command :

      gcloud storage managed-folders create gs:// BUCKET_NAME 
/ MANAGED_FOLDER_NAME 
/

      Where:

      • BUCKET_NAME is the name of the bucket in which you want to create a managed folder. For example, my-bucket .

      • MANAGED_FOLDER_NAME is the name of the managed folder you want to create. For example, my-managed-folder .

    3. In your development environment, add allUsers to the managed folder's IAM policy using the gcloud storage managed-folders add-iam-policy-binding command :

      gcloud storage managed-folders add-iam-policy-binding gs:// BUCKET_NAME 
/ MANAGED_FOLDER_NAME 
--member=allUsers --role=roles/storage.objectViewer

      Where:

      • BUCKET_NAME is the name of the bucket containing the managed folder you're adding the IAM policy to. For example, my-bucket .
      • MANAGED_FOLDER_NAME is the name of the managed folder that you want to add public access to. For example, my-managed-folder .

    REST APIs

    JSON API

    1. Have gcloud CLI installed and initialized , which lets you generate an access token for the Authorization header.

    2. Create a JSON file that contains the following information:

       { 
  
 "name" 
 : 
  
 " MANAGED_FOLDER_NAME 
" 
 }

      Where MANAGED_FOLDER_NAME is the name of the managed folder you want to create. For example, my-managed-folder .

    3. Use cURL to call the JSON API with a Insert ManagedFolder request:

      curl -X POST --data-binary @ JSON_FILE_NAME 
\
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/ BUCKET_NAME 
/managedFolders"

      Where:

      • JSON_FILE_NAME is the path for the file that you created in the previous step.
      • BUCKET_NAME is the name of the bucket in which you want to create a managed folder. For example, my-bucket .

    4. Create a JSON file that contains the following information:

       { 
  
 "bindings" 
 :[ 
  
 { 
  
 "role" 
 : 
  
 "roles/storage.objectViewer" 
 , 
  
 "members" 
 :[ 
 "allUsers" 
 ] 
  
 } 
  
 ] 
 }

    5. Use cURL to call the JSON API with a setIamPolicy ManagedFolder request:

      curl -X PUT --data-binary @ JSON_FILE_NAME 
\
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/ BUCKET_NAME 
/managedFolders/ MANAGED_FOLDER_NAME 
/iam"

      Where:

      • JSON_FILE_NAME is the path for the file that you created in the previous step.
      • BUCKET_NAME is the name of the bucket containing the managed folder you're adding the IAM policy to. For example, my-bucket .
      • MANAGED_FOLDER_NAME is the name of the managed folder you're adding the IAM policy to. For example, my-managed-folder .

    XML API

    The XML API does not support working with managed folders. Use a different tool, such as the Google Cloud console, or set ACLs on individual objects using Set Object ACL requests. The following is an example ACL file the would grant allUsers access to an object:

    <AccessControlList>
  <Entries>
    <Entry>
      <Scope type="AllUsers"/>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>

    Remove public access for all objects within a bucket

    To remove public access for all objects within a bucket, remove the IAM policy that grants allUsers the Storage Object Viewer ( roles/storage.objectViewer ) role:

    Console

    1. In the Google Cloud console, go to the Cloud Storage Buckets page.

      Go to Buckets

    2. In the list of buckets, click the name of the bucket you want to remove public access from.

    3. Select the Permissionstab.

      The IAM policy that applies to the bucket appears in the Permissionssection.

    4. In the View by principalstab, select the checkbox for the allUsers principal you're removing.

    5. Click the - Remove accessbutton.

    6. In the overlay window that appears, click Confirm.

    To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting .

    Command line

    1. In the Google Cloud console, activate Cloud Shell.

      Activate Cloud Shell

      At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    2. In your development environment, run the buckets remove-iam-policy-binding command :

    gcloud storage buckets remove-iam-policy-binding  gs:// BUCKET_NAME 
--member=allUsers --role=roles/storage.objectViewer

    Where BUCKET_NAME is the name of the bucket you are revoking access to. For example, my-bucket .

    REST APIs

    JSON

    1. Have gcloud CLI installed and initialized , which lets you generate an access token for the Authorization header.

    2. Get the existing policy applied to your bucket. To do so, use cURL to call the JSON API with a GET getIamPolicy request:

      curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://storage.googleapis.com/storage/v1/b/ BUCKET_NAME 
/iam"

      Where BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket .

    3. Create a JSON file that contains the policy you retrieved in the previous step and edit the file to remove the binding of the allUsers principal from the policy.

    4. Use cURL to call the JSON API with a PUT setIamPolicy request:

      curl -X PUT --data-binary @ JSON_FILE_NAME 
\
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://storage.googleapis.com/storage/v1/b/ BUCKET_NAME 
/iam"

      Where:

      • JSON_FILE_NAME is the path for the file that you created in Step 3.

      • BUCKET_NAME is the name of the bucket from which you want to remove access. For example, my-bucket .

    What's next

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: