This page describes how to control access to buckets and objects
using Access Control Lists (ACLs). ACLs are a mechanism you can use to define
who has access to your buckets and objects, as well as what level of access they
have.
See the ACL overview to learn more about whether you should use ACLs for
controlling access to your resources.
Required roles
To get the permissions that you need to create and manage ACLs, ask your
administrator to grant you the Storage Admin
(roles/storage.admin) IAM role on the bucket that
contains the objects for which you want to create and manage ACLs.
This predefined role contains the permissions required to create and manage
ACLs. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
- storage.buckets.get
- storage.buckets.list
  This permission is only required for using the Google Cloud console
  to perform the tasks on this page.
- storage.buckets.setIamPolicy
- storage.buckets.update
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.setIamPolicy
- storage.objects.update
You can also get these permissions with custom roles.
From the list of buckets, click the name of the bucket that contains
the object whose ACL you want to modify.
Click the name of the object for which you want to set or modify ACLs.
Click Edit access.
A permission dialog with the object's current ACL opens.
Click + Add entry.
Choose the type of Entity to give permission to.
Entity specifies the type of thing that's getting the permission
(for example, a user or a group). Refer to Access Control Scopes for a list of supported values for Entity.
Enter a value in Name.
Name identifies a specific user, group, or other entity type. Refer
to Access Control Scopes for a list of supported values for Name.
Together, Entity and Name define who the permission applies to.
Choose a value in Access.
Access defines the permission that you want to set on the object.
Refer to Access Control Permissions for a list of supported values
for Access.
Click Save.
To learn how to get detailed error information about failed Cloud Storage
operations in the Google Cloud console, see Troubleshooting.
Command line
To add, modify, or remove an individual grant on an object, use the objects update command with the relevant flag:
BUCKET_NAME is the name of the bucket that
contains the object that the modification applies to. For example, example-travel-maps.
OBJECT_NAME is the name of the object that
the modification applies to. For example, paris.jpg.
FLAG is one of the following:
- --add-acl-grant, along with the grant you want to add or
  modify. For example, --add-acl-grant=entity=user-jeffersonloveshiking@gmail.com,role=READER.
- --remove-acl-grant, along with the entity whose access you
  want to remove. For example, --remove-acl-grant=user-jeffersonloveshiking@gmail.com.
To replace all ACLs for an object:
Define the ACLs in a JSON- or YAML-formatted file.
For example, the following ACLs grant the OWNER permission for the
object paris.jpg to the owners of project 867489160491 and the user jeffersonloveshiking@gmail.com, as well as the READER permission for paris.jpg to the
members of the gs-announce group:
```cpp
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& object_name, std::string const& entity) {
  StatusOr<gcs::ObjectAccessControl> patched_acl = client.CreateObjectAcl(
      bucket_name, object_name, entity, gcs::ObjectAccessControl::ROLE_OWNER());
  if (!patched_acl) throw std::move(patched_acl).status();

  std::cout << "ACL entry for " << patched_acl->entity() << " in object "
            << patched_acl->object() << " in bucket " << patched_acl->bucket()
            << " is now " << *patched_acl << "\n";
}
```
The following sample removes an ACL from an object:
```cpp
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& object_name, std::string const& entity) {
  StatusOr<gcs::ObjectMetadata> original_metadata = client.GetObjectMetadata(
      bucket_name, object_name, gcs::Projection::Full());
  if (!original_metadata) throw std::move(original_metadata).status();

  std::vector<gcs::ObjectAccessControl> original_acl =
      original_metadata->acl();
  auto it = std::find_if(original_acl.begin(), original_acl.end(),
                         [entity](gcs::ObjectAccessControl const& entry) {
                           return entry.entity() == entity &&
                                  entry.role() ==
                                      gcs::ObjectAccessControl::ROLE_OWNER();
                         });

  if (it == original_acl.end()) {
    std::cout << "Could not find entity " << entity << " for file "
              << object_name << " with role OWNER in bucket " << bucket_name
              << "\n";
    return;
  }

  gcs::ObjectAccessControl owner = *it;
  google::cloud::Status status =
      client.DeleteObjectAcl(bucket_name, object_name, owner.entity());
  if (!status.ok()) throw std::runtime_error(status.message());
  std::cout << "Deleted ACL entry for " << owner.entity() << " for file "
            << object_name << " in bucket " << bucket_name << "\n";
}
```
```csharp
using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class AddFileOwnerSample
{
    public Google.Apis.Storage.v1.Data.Object AddFileOwner(
        string bucketName = "your-unique-bucket-name",
        string objectName = "my-file-name",
        string userEmail = "dev@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();
        var storageObject = storage.GetObject(bucketName, objectName, new GetObjectOptions { Projection = Projection.Full });

        storageObject.Acl.Add(new ObjectAccessControl
        {
            Bucket = bucketName,
            Entity = $"user-{userEmail}",
            Role = "OWNER",
        });

        var updatedObject = storage.UpdateObject(storageObject);
        Console.WriteLine($"Added user {userEmail} as an owner on file {objectName}.");
        return updatedObject;
    }
}
```
The following sample removes an ACL from an object:
```csharp
using Google.Cloud.Storage.V1;
using System;
using System.Linq;

public class RemoveFileOwnerSample
{
    public void RemoveFileOwner(
        string bucketName = "your-unique-bucket-name",
        string objectName = "your-object-name",
        string userEmail = "dev@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();
        var storageObject = storage.GetObject(bucketName, objectName, new GetObjectOptions { Projection = Projection.Full });

        if (storageObject.Acl == null)
        {
            Console.WriteLine("No owner to remove");
        }
        else
        {
            storageObject.Acl = storageObject.Acl.Where((acl) => !(acl.Entity == $"user-{userEmail}" && acl.Role == "OWNER")).ToList();
            var updatedObject = storage.UpdateObject(storageObject);
            Console.WriteLine($"Removed user {userEmail} from file {objectName}.");
        }
    }
}
```
```java
import com.google.cloud.storage.Acl;
import com.google.cloud.storage.Acl.Role;
import com.google.cloud.storage.Acl.User;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class AddBlobOwner {

  public static void addBlobOwner(
      String projectId, String bucketName, String userEmail, String blobName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // Email of the user you wish to add as a file owner
    // String userEmail = "someuser@domain.com"

    // The name of the blob/file that you wish to modify permissions on
    // String blobName = "your-blob-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Blob blob = storage.get(BlobId.of(bucketName, blobName));
    Acl newOwner = Acl.of(new User(userEmail), Role.OWNER);

    blob.createAcl(newOwner);
    System.out.println(
        "Added user "
            + userEmail
            + " as an owner on blob "
            + blobName
            + " in bucket "
            + bucketName);
  }
}
```
The following sample removes an ACL from an object:
```java
import com.google.cloud.storage.Acl.User;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class RemoveBlobOwner {

  public static void removeBlobOwner(
      String projectId, String bucketName, String userEmail, String blobName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // Email of the user you wish to remove as a file owner
    // String userEmail = "someuser@domain.com"

    // The name of the blob/file that you wish to modify permissions on
    // String blobName = "your-blob-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Blob blob = storage.get(BlobId.of(bucketName, blobName));
    User ownerToRemove = new User(userEmail);

    boolean success = blob.deleteAcl(ownerToRemove);
    if (success) {
      System.out.println(
          "Removed user "
              + userEmail
              + " as an owner on file "
              + blobName
              + " in bucket "
              + bucketName);
    } else {
      System.out.println("User " + userEmail + " was not found");
    }
  }
}
```
```javascript
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The name of the file to access
// const fileName = 'file.txt';

// The email address of the user to add
// const userEmail = 'user-email-to-add';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function addFileOwner() {
  await storage
    .bucket(bucketName)
    .file(fileName)
    .acl.owners.addUser(userEmail);

  console.log(`Added user ${userEmail} as an owner on file ${fileName}.`);
}

addFileOwner().catch(console.error);
```
The following sample removes an ACL from an object:
```javascript
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The ID of your GCS file
// const fileName = 'your-file-name';

// The email address of the user to remove
// const userEmail = 'user-email-to-remove';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function removeFileOwner() {
  // Removes the user from the access control list of the file. You can use
  // deleteAllUsers(), deleteDomain(), deleteProject(), deleteGroup(), and
  // deleteAllAuthenticatedUsers() to remove access for different types of entities.
  await storage
    .bucket(bucketName)
    .file(fileName)
    .acl.owners.deleteUser(userEmail);

  console.log(`Removed user ${userEmail} from file ${fileName}.`);
}

removeFileOwner().catch(console.error);
```
```php
use Google\Cloud\Storage\StorageClient;

/**
 * Add an entity and role to an object's ACL.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $objectName The name of your Cloud Storage object.
 *        (e.g. 'my-object')
 * @param string $entity The entity for which to update access controls.
 *        (e.g. 'user-example@domain.com')
 * @param string $role The permissions to add for the specified entity.
 *        (e.g. 'OWNER')
 */
function add_object_acl(string $bucketName, string $objectName, string $entity, string $role): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->object($objectName);
    $acl = $object->acl();
    $acl->add($entity, $role);
    printf('Added %s (%s) to gs://%s/%s ACL' . PHP_EOL, $entity, $role, $bucketName, $objectName);
}
```
The following sample removes an ACL from an object:
```php
use Google\Cloud\Storage\StorageClient;

/**
 * Delete an entity from an object's ACL.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $objectName The name of your Cloud Storage object.
 *        (e.g. 'my-object')
 * @param string $entity The entity for which to update access controls.
 *        (e.g. 'user-example@domain.com')
 */
function delete_object_acl(string $bucketName, string $objectName, string $entity): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->object($objectName);
    $acl = $object->acl();
    $acl->delete($entity);
    printf('Deleted %s from gs://%s/%s ACL' . PHP_EOL, $entity, $bucketName, $objectName);
}
```
```python
from google.cloud import storage


def add_blob_owner(bucket_name, blob_name, user_email):
    """Adds a user as an owner on the given blob."""
    # bucket_name = "your-bucket-name"
    # blob_name = "your-object-name"
    # user_email = "name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(blob_name)

    # Reload fetches the current ACL from Cloud Storage.
    blob.acl.reload()

    # You can also use `group`, `domain`, `all_authenticated` and `all` to
    # grant access to different types of entities. You can also use
    # `grant_read` or `grant_write` to grant different roles.
    blob.acl.user(user_email).grant_owner()
    blob.acl.save()

    print(
        "Added user {} as an owner on blob {} in bucket {}.".format(
            user_email, blob_name, bucket_name
        )
    )
```
The following sample removes an ACL from an object:
```python
from google.cloud import storage


def remove_blob_owner(bucket_name, blob_name, user_email):
    """Removes a user from the access control list of the given blob in the
    given bucket."""
    # bucket_name = "your-bucket-name"
    # blob_name = "your-object-name"
    # user_email = "name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(blob_name)

    # You can also use `group`, `domain`, `all_authenticated` and `all` to
    # remove access for different types of entities.
    blob.acl.user(user_email).revoke_read()
    blob.acl.user(user_email).revoke_write()
    blob.acl.user(user_email).revoke_owner()
    blob.acl.save()

    print(
        f"Removed user {user_email} from blob {blob_name} in bucket {bucket_name}."
    )
```
```ruby
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
# file_name = "Name of a file in the Storage bucket"
# email = "Google Cloud Storage ACL Entity email"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name
file = bucket.file file_name

file.acl.add_owner email

puts "Added OWNER permission for #{email} to #{file_name}"
```
The following sample removes an ACL from an object:
```ruby
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
# file_name = "Name of a file in the Storage bucket"
# email = "Google Cloud Storage ACL Entity email"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name
file = bucket.file file_name

file.acl.delete email

puts "Removed ACL permissions for #{email} from #{file_name}"
```
REST APIs
JSON API
When creating an object, you can specify the acl[] property in
the request body or the predefinedAcl query parameter in an insert request. For an existing object, specify the acl[] property or the predefinedAcl query parameter in a patch or update request.
For the definition of the object ACL property, see the ObjectAccessControls resource.
Define the ACLs in a JSON file.
For example, if the ACL grants the owners of project 867489160491 and the user jeffersonloveshiking@gmail.com OWNER permission, along with
granting the members of the gs-announce group READER permission,
then you could have a file named acls.json with the following
content:
In the XML API, you work with ACLs in XML format. You must attach an
XML document to the body of requests to change bucket and object ACLs.
An XML document is returned when you get bucket and object ACLs. The XML
document contains the individual bucket or object ACL entries.
After creating a bucket with a PUT Bucket request, use a second
PUT Bucket request with the ?acl parameter to change the bucket ACL.
After uploading an object with a PUT Object request, change the ACL
with another PUT request using the ?acl parameter or the x-goog-acl request header.
For example, the following curl command applies an XML payload from
the document acls.xml to an object named paris.jpg in the bucket example-travel-maps:
Use the following ACL syntax for the XML document (element, then its description):
AccessControlList
  Container for Entries and Owner elements.
Owner
  Container for DisplayName and ID elements. This element is not required for objects since an object is always owned by the user who uploaded it. This element is used when you are using Amazon S3 ACL syntax in a migration scenario.
  Amazon Simple Storage Service and Amazon S3 are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.
ID
  Cloud Storage ID of the bucket owner.
DisplayName
  Not implemented. The value is always an empty string.
Entries
  Container for zero or more Entry elements.
Entry
  Container for Scope and Permission elements. An Entry must contain only one Scope and one Permission element.
Scope
  Container for an ID, EmailAddress, or Domain element that defines the ACL scope. This element must have a type attribute that contains one of the following values: UserByID, UserByEmail, GroupByID, GroupByEmail, GroupByDomain, AllUsers, or AllAuthenticatedUsers.
ID
  An identifier for the grantee when the permission entry is specified by ID.
EmailAddress
  The email identifier for the grantee when the permission entry is specified by email.
Domain
  The domain identifier for the grantee when the permission entry is specified by domain.
Name
  Optional element that can be specified or that can be automatically added if the scope is UserByEmail or GroupByEmail.
Permission
  The permission granted: READ, WRITE, or FULL_CONTROL.
When working with ACLs using the XML API:
- You can only use the XML format described above.
- You cannot set duplicate scopes.
  You can have many entries in your ACL XML, but you cannot have entries
  with duplicate scopes. For example, you cannot have two entries with
  the same scope element of jane@example.com.
The following example shows different bucket ACL entries:
When you retrieve an ACL from a bucket or object, you might notice an
additional <Name> element appended to some of your entries. For
example, you might see an entry that looks like the following:
These optional <Name> elements are populated in two circumstances:
- When the bucket or object's ACLs include <Name> as an element.
  When you set ACLs, you can choose to include the <Name> element with
  your ACL entries. You can provide any value in the <Name> element, and
  Cloud Storage remembers these values until the ACL is removed
  or replaced. This approach can be useful if you are using identifiers
  that aren't easily identifiable.
- When a UserByEmail or GroupByEmail scope contains a public Google profile.
  If you use either of these scopes but do not provide a <Name> element, Cloud Storage checks if the user or Google Group associated with the email
  address has a public Google profile with a public name. If so,
  Cloud Storage automatically populates the <Name> element with
  the public name.
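As an added example (not part of the Cloud Storage documentation), the following Python converts ACL entries between the JSON API shape (entity and role, as in acls.json) and the XML API AccessControlList document described above, and rejects duplicate scopes as the XML API does. The sample entries are constructed: the group address gs-announce@example.com and the optional "name" key are this example's own conventions, project-team entities are deliberately not handled, and a user- or group- identifier is treated as an email address when it contains "@".

```python
"""Convert Cloud Storage ACL entries between the JSON API shape
({"entity": ..., "role": ...}) and the XML API AccessControlList document.
Added example, not from the Cloud Storage docs or client libraries."""
import xml.etree.ElementTree as ET

# JSON API role <-> XML API Permission.
ROLE_TO_PERMISSION = {"READER": "READ", "WRITER": "WRITE", "OWNER": "FULL_CONTROL"}
PERMISSION_TO_ROLE = {v: k for k, v in ROLE_TO_PERMISSION.items()}

# Scope type attribute -> (JSON entity prefix, XML child element holding the id).
SCOPE_TYPES = {
    "UserByEmail": ("user-", "EmailAddress"),
    "GroupByEmail": ("group-", "EmailAddress"),
    "UserByID": ("user-", "ID"),
    "GroupByID": ("group-", "ID"),
    "GroupByDomain": ("domain-", "Domain"),
    "AllUsers": ("allUsers", None),
    "AllAuthenticatedUsers": ("allAuthenticatedUsers", None),
}


def entity_to_scope(entity):
    """Map a JSON API entity string to (scope type, identifier or None).

    Assumption of this example: a user-/group- identifier containing '@' is an
    email address, anything else is a numeric ID. Project-team entities
    (project-owners-..., etc.) are not handled here.
    """
    if entity == "allUsers":
        return "AllUsers", None
    if entity == "allAuthenticatedUsers":
        return "AllAuthenticatedUsers", None
    for prefix, kind in (("user-", "User"), ("group-", "Group")):
        if entity.startswith(prefix):
            ident = entity[len(prefix):]
            return kind + ("ByEmail" if "@" in ident else "ByID"), ident
    if entity.startswith("domain-"):
        return "GroupByDomain", entity[len("domain-"):]
    raise ValueError(f"entity not handled by this example: {entity}")


def acl_to_xml(entries):
    """Build an <AccessControlList> document from JSON API style entries.

    Each Entry gets exactly one Scope and one Permission. A duplicate scope
    raises ValueError because the XML API does not accept it. An optional
    "name" key (this example's convention) becomes the <Name> element that
    Cloud Storage stores alongside the scope.
    """
    root = ET.Element("AccessControlList")
    entries_el = ET.SubElement(root, "Entries")
    seen = set()
    for item in entries:
        scope_type, ident = entity_to_scope(item["entity"])
        if (scope_type, ident) in seen:
            raise ValueError(f"duplicate scope: {item['entity']}")
        seen.add((scope_type, ident))
        entry = ET.SubElement(entries_el, "Entry")
        scope = ET.SubElement(entry, "Scope", type=scope_type)
        child = SCOPE_TYPES[scope_type][1]
        if child is not None:
            ET.SubElement(scope, child).text = ident
        if item.get("name"):
            ET.SubElement(scope, "Name").text = item["name"]
        ET.SubElement(entry, "Permission").text = ROLE_TO_PERMISSION[item["role"]]
    return ET.tostring(root, encoding="unicode")


def xml_to_acl(document):
    """Parse an <AccessControlList> document into JSON API style entries."""
    entries = []
    for entry in ET.fromstring(document).iter("Entry"):
        scope = entry.find("Scope")
        prefix, child = SCOPE_TYPES[scope.get("type")]
        entity = prefix if child is None else prefix + scope.findtext(child)
        item = {"entity": entity,
                "role": PERMISSION_TO_ROLE[entry.findtext("Permission")]}
        name = scope.findtext("Name")
        if name:
            item["name"] = name
        entries.append(item)
    return entries


# Constructed sample: the user from this page plus a made-up group address.
SAMPLE_ACL = [
    {"entity": "user-jeffersonloveshiking@gmail.com", "role": "OWNER"},
    {"entity": "group-gs-announce@example.com", "role": "READER", "name": "gs-announce"},
    {"entity": "allUsers", "role": "READER"},
]

if __name__ == "__main__":
    xml_doc = acl_to_xml(SAMPLE_ACL)
    print(xml_doc)
    print(xml_to_acl(xml_doc))
```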
Apply a predefined ACL
Rather than specifying the entire ACL one entry at a time as shown above, you
can use a predefined ACL, which will automatically apply a number of entries
customized to a specific scenario. You can apply a predefined ACL to either a
bucket or an object by using the Google Cloud CLI, the JSON API, or the XML API.
On new objects
To apply a predefined ACL to an object during object upload:
Console
You cannot apply a predefined ACL using the Google Cloud console. Use gcloud storage instead.
You can also apply a predefined ACL to an existing bucket or object, which is
useful if you want to change from one predefined ACL to another, or you want
to update custom ACLs to a predefined ACL.
Console
You cannot apply a predefined ACL using the Google Cloud console. Use gcloud storage instead.
Command line
Use the objects update command with the --predefined-acl flag:
To avoid setting ACLs every time you create a new object, you can set a default
object ACL on a bucket. After you do this, every new object that is added to
that bucket that does not explicitly have an ACL applied to it will have the
default applied to it. For example, you might want to specify that only a
certain group of users have access to most objects in a particular bucket. You
can change the default object ACL, and then add objects to the bucket. These
added objects have the default object ACL you specified automatically applied to
them; however, you can give specific objects different ACLs, in which case those
objects do not have the default ACL applied to them.
To view and change the default object ACL for a bucket:
Console
You cannot set default object ACLs using the Google Cloud console. Use gcloud storage instead.
Command line
Use the buckets describe command with the --format flag to
retrieve the default object ACL for the bucket:
The following sample adds a default object ACL to a bucket:
```cpp
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& entity, std::string const& role) {
  StatusOr<gcs::ObjectAccessControl> default_object_acl =
      client.CreateDefaultObjectAcl(bucket_name, entity, role);
  if (!default_object_acl) throw std::move(default_object_acl).status();

  std::cout << "Role " << default_object_acl->role()
            << " will be granted default to " << default_object_acl->entity()
            << " on any new object created on bucket "
            << default_object_acl->bucket() << "\n"
            << "Full attributes: " << *default_object_acl << "\n";
}
```
The following sample deletes a default object ACL from a bucket:
```cpp
namespace gcs = ::google::cloud::storage;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& entity) {
  google::cloud::Status status =
      client.DeleteDefaultObjectAcl(bucket_name, entity);
  if (!status.ok()) throw std::runtime_error(status.message());
  std::cout << "Deleted ACL entry for " << entity << " in bucket "
            << bucket_name << "\n";
}
```
The following sample adds a default object ACL to a bucket:
```csharp
using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class AddBucketDefaultOwnerSample
{
    public Bucket AddBucketDefaultOwner(
        string bucketName = "your-unique-bucket-name",
        string userEmail = "dev@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName, new GetBucketOptions { Projection = Projection.Full });

        bucket.DefaultObjectAcl.Add(new ObjectAccessControl
        {
            Bucket = bucketName,
            Entity = $"user-{userEmail}",
            Role = "OWNER",
        });

        var updatedBucket = storage.UpdateBucket(bucket);
        Console.WriteLine($"Added user {userEmail} as a default owner on bucket {bucketName}.");
        return updatedBucket;
    }
}
```
The following sample deletes a default object ACL from a bucket:
```csharp
using Google.Cloud.Storage.V1;
using System;
using System.Linq;

public class RemoveBucketDefaultOwnerSample
{
    public void RemoveBucketDefaultOwner(
        string bucketName = "your-unique-bucket-name",
        string userEmail = "user@iam.gserviceaccount.com")
    {
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName, new GetBucketOptions { Projection = Projection.Full });

        if (bucket.DefaultObjectAcl == null)
        {
            Console.WriteLine("No default owner to remove");
        }
        else
        {
            bucket.DefaultObjectAcl = bucket.DefaultObjectAcl.Where(acl => !(acl.Entity == $"user-{userEmail}" && acl.Role == "OWNER")).ToList();
            var updatedBucket = storage.UpdateBucket(bucket);
            Console.WriteLine($"Removed user {userEmail} from bucket {bucketName}.");
        }
    }
}
```
The following sample adds a default object ACL to a bucket:
```java
import com.google.cloud.storage.Acl;
import com.google.cloud.storage.Acl.Role;
import com.google.cloud.storage.Acl.User;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class AddBucketDefaultOwner {

  public static void addBucketDefaultOwner(String bucketName, String userEmail) {
    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // The email of the user you wish to add as a default owner
    // String userEmail = "someuser@domain.com"

    Storage storage = StorageOptions.newBuilder().build().getService();
    Bucket bucket = storage.get(bucketName);
    Acl newDefaultOwner = Acl.of(new User(userEmail), Role.OWNER);

    bucket.createDefaultAcl(newDefaultOwner);
    System.out.println("Added user " + userEmail + " as an owner on " + bucketName);
  }
}
```
The following sample deletes a default object ACL from a bucket:
```java
import com.google.cloud.storage.Acl.User;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class RemoveBucketDefaultOwner {

  public static void removeBucketDefaultOwner(String bucketName, String userEmail) {
    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // The email of the user you wish to remove as a default owner
    // String userEmail = "someuser@domain.com"

    Storage storage = StorageOptions.newBuilder().build().getService();
    Bucket bucket = storage.get(bucketName);
    User userToRemove = new User(userEmail);

    boolean success = bucket.deleteDefaultAcl(userToRemove);
    if (success) {
      System.out.println("Removed user " + userEmail + " as an owner on " + bucketName);
    } else {
      System.out.println("User " + userEmail + " was not found");
    }
  }
}
```
The following sample adds a default object ACL to a bucket:
```javascript
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The email address of the user to add
// const userEmail = 'user-email-to-add';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function addBucketDefaultOwner() {
  // Makes the user an owner in the default ACL of the bucket. You can use
  // addAllUsers(), addDomain(), addProject(), addGroup(), and
  // addAllAuthenticatedUsers() to grant access to different types of entities.
  // You can also use "readers" and "writers" to grant different roles.
  await storage.bucket(bucketName).acl.default.owners.addUser(userEmail);

  console.log(`Added user ${userEmail} as an owner on bucket ${bucketName}.`);
}

addBucketDefaultOwner().catch(console.error);
```
The following sample deletes a default object ACL from a bucket:
```javascript
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The email address of the user to remove
// const userEmail = 'user-email-to-remove';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function removeBucketDefaultOwner() {
  // Removes the user from the access control list of the bucket. You can use
  // deleteAllUsers(), deleteDomain(), deleteProject(), deleteGroup(), and
  // deleteAllAuthenticatedUsers() to remove access for different types of entities.
  await storage.bucket(bucketName).acl.default.owners.deleteUser(userEmail);

  console.log(`Removed user ${userEmail} from bucket ${bucketName}.`);
}

removeBucketDefaultOwner().catch(console.error);
```
The following sample adds a default object ACL to a bucket:
```php
use Google\Cloud\Storage\StorageClient;

/**
 * Add an entity and role to a bucket's default ACL.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $entity The entity for which to update access controls.
 *        (e.g. 'user-example@domain.com')
 * @param string $role The permissions to add for the specified entity.
 *        (e.g. 'OWNER')
 */
function add_bucket_default_acl(string $bucketName, string $entity, string $role): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $acl = $bucket->defaultAcl();
    $acl->add($entity, $role);
    printf('Added %s (%s) to gs://%s default ACL' . PHP_EOL, $entity, $role, $bucketName);
}
```
The following sample deletes a default object ACL from a bucket:
```php
use Google\Cloud\Storage\StorageClient;

/**
 * Delete an entity from a bucket's default ACL.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $entity The entity for which to update access controls.
 *        (e.g. 'user-example@domain.com')
 */
function delete_bucket_default_acl(string $bucketName, string $entity): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $acl = $bucket->defaultAcl();
    $acl->delete($entity);
    printf('Deleted %s from gs://%s default ACL' . PHP_EOL, $entity, $bucketName);
}
```
The following sample adds a default object ACL to a bucket:
```python
from google.cloud import storage


def add_bucket_default_owner(bucket_name, user_email):
    """Adds a user as an owner in the given bucket's default object access
    control list."""
    # bucket_name = "your-bucket-name"
    # user_email = "name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    # Reload fetches the current ACL from Cloud Storage.
    bucket.acl.reload()

    # You can also use `group`, `domain`, `all_authenticated` and `all` to
    # grant access to different types of entities. You can also use
    # `grant_read` or `grant_write` to grant different roles.
    bucket.default_object_acl.user(user_email).grant_owner()
    bucket.default_object_acl.save()

    print(
        "Added user {} as an owner in the default acl on bucket {}.".format(
            user_email, bucket_name
        )
    )
```
The following sample deletes a default object ACL from a bucket:
```python
from google.cloud import storage


def remove_bucket_default_owner(bucket_name, user_email):
    """Removes a user from the access control list of the given bucket's
    default object access control list."""
    # bucket_name = "your-bucket-name"
    # user_email = "name@example.com"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    # Reload fetches the current ACL from Cloud Storage.
    bucket.acl.reload()

    # You can also use `group`, `domain`, `all_authenticated` and `all` to
    # remove access for different types of entities.
    bucket.default_object_acl.user(user_email).revoke_read()
    bucket.default_object_acl.user(user_email).revoke_write()
    bucket.default_object_acl.user(user_email).revoke_owner()
    bucket.default_object_acl.save()

    print(
        f"Removed user {user_email} from the default acl of bucket {bucket_name}."
    )
```
Use a patch request to replace the default object ACL. For
example, the following request replaces the default object ACL with
the ACL specified in defacls.json for a bucket example-travel-maps:
Use a PUT request scoped to your bucket with the ?defaultObjectAcl parameter to replace the default object ACL with
the ACL specified in acls.xml. For example:
The following examples show the default object ACLs that automatically apply to
newly created buckets when you don't specify your own default object ACLs as
part of the request. To see if your bucket's default object ACLs have been
changed, compare your bucket's current default object ACLs to the examples
below.
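As an added example (not from the Cloud Storage documentation), the following Python compares a bucket's current default object ACL, in the entity/role form the JSON API's defaultObjectAcl[] property uses, against an expected baseline and reports what drifted. The baseline and the "observed" ACL are constructed for the example, using the placeholder project ID 123412341234 from this page; substitute the default object ACL you expect for your bucket.

```python
"""Detect drift in a bucket's default object ACL.

Added example, not from the Cloud Storage docs or client libraries.
Entries use the JSON API shape: dicts with "entity" and "role" keys.
"""

# Constructed baseline for this example, using the placeholder project ID
# from this page. Replace it with the default object ACL you expect.
EXPECTED_DEFAULT_ACL = [
    {"entity": "project-owners-123412341234", "role": "OWNER"},
    {"entity": "project-editors-123412341234", "role": "OWNER"},
    {"entity": "project-viewers-123412341234", "role": "READER"},
]

# Entities that grant access to everyone on the internet or to anyone with a
# Google account. In a default object ACL they make every new object that
# does not get its own ACL readable by those principals.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def acl_index(entries):
    """Map entity -> role. The same entity listed twice with different roles
    is malformed input, so reject it instead of silently keeping one."""
    index = {}
    for entry in entries:
        entity, role = entry["entity"], entry["role"]
        if entity in index and index[entity] != role:
            raise ValueError(f"conflicting roles for {entity}")
        index[entity] = role
    return index


def acl_drift(current, expected=EXPECTED_DEFAULT_ACL):
    """Compare the current default object ACL with the baseline.

    Returns a dict with:
      added   - entities present now but absent from the baseline
      removed - baseline entities that are gone
      changed - entity -> (expected role, current role) where the role differs
      public  - entities from PUBLIC_ENTITIES present in the current ACL
    """
    cur, exp = acl_index(current), acl_index(expected)
    return {
        "added": sorted(set(cur) - set(exp)),
        "removed": sorted(set(exp) - set(cur)),
        "changed": {e: (exp[e], cur[e]) for e in exp.keys() & cur.keys()
                    if exp[e] != cur[e]},
        "public": sorted(set(cur) & PUBLIC_ENTITIES),
    }


def matches_baseline(current, expected=EXPECTED_DEFAULT_ACL):
    """True when the current default object ACL is exactly the baseline."""
    drift = acl_drift(current, expected)
    return not (drift["added"] or drift["removed"] or drift["changed"])


def report(current, expected=EXPECTED_DEFAULT_ACL):
    """Render the drift as lines a reviewer or an alerting pipeline can read."""
    drift = acl_drift(current, expected)
    roles = acl_index(current)
    lines = [f"added: {e} ({roles[e]})" for e in drift["added"]]
    lines += [f"removed: {e}" for e in drift["removed"]]
    lines += [f"changed: {e} {old} -> {new}"
              for e, (old, new) in drift["changed"].items()]
    lines += [f"PUBLIC GRANT: {e}" for e in drift["public"]]
    return lines or ["default object ACL matches baseline"]


if __name__ == "__main__":
    # Constructed sample of a drifted ACL: viewers were promoted to OWNER and
    # an allUsers grant was added.
    observed = [
        {"entity": "project-owners-123412341234", "role": "OWNER"},
        {"entity": "project-editors-123412341234", "role": "OWNER"},
        {"entity": "project-viewers-123412341234", "role": "OWNER"},
        {"entity": "allUsers", "role": "READER"},
    ]
    print("\n".join(report(observed)))
```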
Console
You cannot work with default object ACLs using the Google Cloud console.
Use gcloud storage instead.
Command line
In the example below, the project ID is "123412341234"; your project ID
will be different.
```cpp
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& object_name) {
  StatusOr<std::vector<gcs::ObjectAccessControl>> items =
      client.ListObjectAcl(bucket_name, object_name);

  if (!items) throw std::move(items).status();
  std::cout << "ACLs for object=" << object_name << " in bucket "
            << bucket_name << "\n";
  for (gcs::ObjectAccessControl const& acl : *items) {
    std::cout << acl.role() << ":" << acl.entity() << "\n";
  }
}
```
```java
import com.google.cloud.storage.Acl;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.List;

public class PrintBlobAcl {

  public static void printBlobAcl(String bucketName, String blobName) {
    // The ID to give your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // The name of the blob/file that you wish to view Acls of
    // String blobName = "your-blob-name";

    Storage storage = StorageOptions.newBuilder().build().getService();
    Blob blob = storage.get(BlobId.of(bucketName, blobName));
    List<Acl> blobAcls = blob.getAcl();

    for (Acl acl : blobAcls) {
      // This will give you the role.
      // See https://cloud.google.com/storage/docs/access-control/lists#permissions
      String role = acl.getRole().name();

      // This will give you the Entity type (i.e. User, Group, Project etc.)
      // See https://cloud.google.com/storage/docs/access-control/lists#scopes
      String entityType = acl.getEntity().getType().name();

      System.out.printf("%s: %s %n", role, entityType);
    }
  }
}
```
```javascript
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The ID of your GCS file
// const fileName = 'your-file-name';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function printFileAcl() {
  // Gets the ACL for the file
  const [acls] = await storage.bucket(bucketName).file(fileName).acl.get();

  acls.forEach(acl => {
    console.log(`${acl.role}: ${acl.entity}`);
  });
}

printFileAcl().catch(console.error);
```
```php
use Google\Cloud\Storage\StorageClient;

/**
 * Print all entities and roles for an object's ACL.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $objectName The name of your Cloud Storage object.
 *        (e.g. 'my-object')
 */
function get_object_acl(string $bucketName, string $objectName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $object = $bucket->object($objectName);
    $acl = $object->acl();
    foreach ($acl->get() as $item) {
        printf('%s: %s' . PHP_EOL, $item['entity'], $item['role']);
    }
}
```
```python
from google.cloud import storage


def print_blob_acl(bucket_name, blob_name):
    """Prints out a blob's access control list."""

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(blob_name)

    for entry in blob.acl:
        print(f"{entry['role']}: {entry['entity']}")
```
```ruby
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
# file_name = "Name of a file in the Storage bucket"
# email = "Google Cloud Storage ACL Entity email"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new
bucket = storage.bucket bucket_name
file = bucket.file file_name

puts "ACL for #{file_name} in #{bucket_name}:"

file.acl.owners.each do |owner|
  puts "OWNER #{owner}"
end

file.acl.readers.each do |reader|
  puts "READER #{reader}"
end
```
REST APIs
JSON API
Make sure that you have OWNER permission on the object.
Last updated 2025-09-04 UTC.