This page shows you how to make objects you own readable to everyone on
the public internet and how to remove public access from your bucket. To learn
how to access data that has been made public, see Accessing Public Data.
When an object is shared publicly, any user with knowledge of the
object URI can access the object for as long as the object is public.
Required roles
In order to get the required permissions for making objects publicly readable,
ask your administrator to grant you the following roles for the bucket that
contains the data you want to make public:
To make all objects in a bucket publicly readable: Storage Admin
(roles/storage.admin)
To make individual objects publicly readable: Storage Object Admin
(roles/storage.objectAdmin)
If you plan on using the Google Cloud console, you'll need the
Storage Admin (roles/storage.admin) role instead of the Storage Object
Admin role.
To remove public access from all objects in a bucket: Storage Admin
(roles/storage.admin)
These roles contain the permissions required to make objects public. To see the
exact permissions that are required, expand the Required permissions section:
Required permissions
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
The following permissions are only required for using the
Google Cloud console to perform the tasks on this page:
To make all objects in a bucket readable to everyone on the public internet,
grant the principal allUsers the Storage Object Viewer
(roles/storage.objectViewer) role:
Console
In the Google Cloud console, go to the Cloud Storage Buckets page.
In the list of buckets, click the name of the bucket that you want to
make public.
Select the Permissions tab near the top of the page.
In the Permissions section, click the Grant access button.
The Grant access dialog appears.
In the New principals field, enter allUsers.
In the Select a role drop down, enter Storage Object Viewer in
the filter box and select the Storage Object Viewer from the
filtered results.
Click Save.
Click Allow public access.
Once public access has been granted, a Copy URL button appears for each
object in the public access column. You can click this button to get the
public URL for the object. The public URL is different from the link
you get from directly right-clicking an object. Both links provide
access to an object, but the public URL works without the user having to
sign into a user account. See Request endpoints for more information.
To learn how to get detailed error information about failed Cloud Storage
operations in the Google Cloud console, see Troubleshooting.
At the bottom of the Google Cloud console, a Cloud Shell session starts and
displays a command-line prompt. Cloud Shell is a shell environment
with the Google Cloud CLI already installed and with values already set for
your current project. It can take a few seconds for the session to initialize.
C#
using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;
using System.Collections.Generic;

public class MakeBucketPublicSample
{
    public void MakeBucketPublic(string bucketName = "your-unique-bucket-name")
    {
        var storage = StorageClient.Create();

        Policy policy = storage.GetBucketIamPolicy(bucketName);

        policy.Bindings.Add(new Policy.BindingsData
        {
            Role = "roles/storage.objectViewer",
            Members = new List<string> { "allUsers" }
        });

        storage.SetBucketIamPolicy(bucketName, policy);
        Console.WriteLine(bucketName + " is now public ");
    }
}

Go
import (
	"context"
	"fmt"
	"io"

	"cloud.google.com/go/iam"
	"cloud.google.com/go/iam/apiv1/iampb"
	"cloud.google.com/go/storage"
)

// setBucketPublicIAM makes all objects in a bucket publicly readable.
func setBucketPublicIAM(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	policy, err := client.Bucket(bucketName).IAM().V3().Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().V3().Policy: %w", bucketName, err)
	}
	role := "roles/storage.objectViewer"
	policy.Bindings = append(policy.Bindings, &iampb.Binding{
		Role:    role,
		Members: []string{iam.AllUsers},
	})
	if err := client.Bucket(bucketName).IAM().V3().SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("Bucket(%q).IAM().SetPolicy: %w", bucketName, err)
	}
	fmt.Fprintf(w, "Bucket %v is now publicly readable\n", bucketName)
	return nil
}

Java
import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.cloud.storage.StorageRoles;

public class MakeBucketPublic {
  public static void makeBucketPublic(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Policy originalPolicy = storage.getIamPolicy(bucketName);
    storage.setIamPolicy(
        bucketName,
        originalPolicy.toBuilder()
            .addIdentity(StorageRoles.objectViewer(), Identity.allUsers()) // All users can view
            .build());

    System.out.println("Bucket " + bucketName + " is now publicly readable");
  }
}

Node.js
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function makeBucketPublic() {
  await storage.bucket(bucketName).makePublic();

  console.log(`Bucket ${bucketName} is now publicly readable`);
}

makeBucketPublic().catch(console.error);

PHP
use Google\Cloud\Storage\StorageClient;

/**
 * Update the specified bucket's IAM configuration to make it publicly accessible.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 */
function set_bucket_public_iam(string $bucketName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    $role = 'roles/storage.objectViewer';
    $members = ['allUsers'];

    $policy['bindings'][] = [
        'role' => $role,
        'members' => $members
    ];

    $bucket->iam()->setPolicy($policy);

    printf('Bucket %s is now public', $bucketName);
}

Python
from typing import List

from google.cloud import storage


def set_bucket_public_iam(
    bucket_name: str = "your-bucket-name",
    members: List[str] = ["allUsers"],
):
    """Set a public IAM Policy to bucket"""
    # bucket_name = "your-bucket-name"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)
    policy.bindings.append(
        {"role": "roles/storage.objectViewer", "members": members}
    )

    bucket.set_iam_policy(policy)

    print(f"Bucket {bucket.name} is now publicly readable")

Ruby
def set_bucket_public_iam bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  bucket.policy do |p|
    p.add "roles/storage.objectViewer", "allUsers"
  end

  puts "Bucket #{bucket_name} is now publicly readable"
end

Terraform
# Make bucket public
resource "google_storage_bucket_iam_member" "member" {
provider = google
bucket = google_storage_bucket.default.name
role = "roles/storage.objectViewer"
member = "allUsers"
}
JSON_FILE_NAME is the path for the file
that you created in Step 2.
BUCKET_NAME is the name of the bucket
whose objects you want to make public. For example, my-bucket.
XML API
Making all objects in a bucket publicly readable is not supported by
the XML API. Use the Google Cloud console or gcloud storage.
Make a portion of a bucket publicly readable
Use a managed folder to control access to objects whose name prefix matches
the name of the managed folder. For example, a managed folder named my-folder
can be used to control access to objects named my-folder/cats.jpg and
my-folder/dogs.jpg.
To make such objects publicly accessible, first create the managed folder, and
then set an IAM policy on the folder that grants allUsers the
Storage Object Viewer (roles/storage.objectViewer) role:
Console
In the Google Cloud console, go to the Cloud Storage Buckets page.
Click the name of the bucket that contains the objects you want to
make public.
Create a folder, using the following steps:
Click the Create folder button.
Enter the Name for the folder. Once the folder is converted to a
managed folder, objects whose names start with this name will be
subject to IAM roles set on the folder.
Click Create.
Convert the folder to a managed folder, using the following steps:
In the pane that shows the bucket's contents, find the name of the
folder you created, and click the More options icon.
Click Edit access.
In the window that appears, click Enable.
Add an IAM policy to the folder that grants allUsers the
Storage Object Viewer (roles/storage.objectViewer) role, using the
following steps:
If the Permissions pane for your managed folder isn't already
open, click the More options icon for the managed
folder, and then click Edit access.
In the Permissions pane, click the Add principal button.
In the New principals field, enter allUsers.
In the Select a role drop down, enter Storage Object Viewer in the
filter box, and select Storage Object Viewer from the
filtered results.
Click Save.
Click Allow public access.
Once public access has been granted, a Copy URL button appears for each
applicable object in the public access column. You can click this button
to get the public URL for the object. The public URL is different from the
link you get from directly right-clicking an object. Both links provide
access to an object, but the public URL works without the user having to
sign into a user account. See Request endpoints for more information.
To learn how to get detailed error information about failed Cloud Storage
operations in the Google Cloud console, see Troubleshooting.
JSON_FILE_NAME is the path for the file
that you created in the previous step.
BUCKET_NAME is the name of the bucket
containing the managed folder you're adding the IAM
policy to. For example, my-bucket.
MANAGED_FOLDER_NAME is the name of the
managed folder you're adding the IAM policy to.
For example, my-managed-folder.
XML API
The XML API does not support working with managed folders. Use a
different tool, such as the Google Cloud console, or set ACLs on
individual objects using Set Object ACL requests. The following
is an example ACL file that would grant allUsers access to an object:
Remove public access for all objects within a bucket
To remove public access for all objects within a bucket, remove the
IAM policy that grants allUsers the Storage Object Viewer
(roles/storage.objectViewer) role:
Console
In the Google Cloud console, go to the Cloud Storage Buckets page.
Where BUCKET_NAME is the name of the bucket
whose IAM policy you want to view. For example, my-bucket.
Create a JSON file that contains the policy you retrieved in the
previous step and edit the file to remove the binding of the allUsers
principal from the policy.
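The policy edit described in this step, as an added Python example (not part of the original page or of Google's samples): it removes the allUsers principal from a retrieved policy document offline, keeps the other members, the etag and the version, and reports which roles had been granted publicly. The sample policy, its etag and the example.com addresses are constructed for illustration, and `strip_public_members` is a hypothetical helper name.

```python
import copy
import json

# Constructed sample of a bucket IAM policy (the JSON file from the previous
# step); the etag, group address and user address are made up.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "etag": "CAE=",
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "group:auditors@example.com"]},
    {"role": "roles/storage.legacyObjectReader",
     "members": ["allUsers"]},
    {"role": "roles/storage.admin",
     "members": ["user:admin@example.com"]}
  ]
}
""")


def strip_public_members(policy, principals=("allUsers",)):
    """Return (edited_policy, removed) without mutating the input.

    Each listed principal is removed from every binding. A binding left with
    no members is dropped; "version", "etag" and any binding "condition" are
    carried over unchanged so the result can be saved as the edited file.
    """
    edited = copy.deepcopy(policy)
    removed, kept = [], []
    for binding in edited.get("bindings", []):
        members = binding.get("members", [])
        public = [m for m in members if m in principals]
        if public:
            removed.append({"role": binding.get("role"), "members": public})
        binding["members"] = [m for m in members if m not in principals]
        if binding["members"]:
            kept.append(binding)
    edited["bindings"] = kept
    return edited, removed


if __name__ == "__main__":
    edited, removed = strip_public_members(SAMPLE_POLICY)
    print("public grants removed:", json.dumps(removed))
    print(json.dumps(edited, indent=2))
```

Keeping the etag in the edited file matters when the policy is written back: it lets the service reject the update if the policy changed after it was retrieved.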
Last updated 2025-09-04 UTC.