Overview of access control

You control who has access to your Cloud Storage buckets and objects and what level of access they have.

Choose between uniform and fine-grained access

When you create a bucket, you should decide whether you want to apply permissions using uniform or fine-grained access.

  • Uniform (recommended): Uniform bucket-level access lets you manage permissions with Identity and Access Management (IAM) alone. IAM applies permissions to every object in the bucket or, through managed folders, to groups of objects that share a name prefix. IAM also gives you features that are not available when working with ACLs, such as managed folders, IAM Conditions, domain restricted sharing, and workforce identity federation.

  • Fine-grained: The fine-grained option enables you to use IAM and Access Control Lists (ACLs) together to manage permissions. ACLs are a legacy access control system for Cloud Storage designed for interoperability with Amazon S3. ACLs also allow you to specify access on a per-object basis.

    Because fine-grained access requires you to coordinate two different access control systems, the chance of unintentional data exposure is higher and auditing who has access to a resource is harder. If you store objects that contain sensitive data, such as personally identifiable information, we recommend keeping them in a bucket with uniform bucket-level access enabled.

Using IAM permissions with ACLs

Cloud Storage offers two systems for granting users access to your buckets and objects: IAM and Access Control Lists (ACLs). The two systems are evaluated in parallel: for a user to access a Cloud Storage resource, only one of them needs to grant the permission. For example, if your bucket's IAM policy allows only a few users to read object data, but one object in the bucket has an ACL that makes it publicly readable, that object is exposed to the public regardless of the IAM policy.

In most cases, IAM is the recommended method for controlling access to your resources. IAM controls permissioning throughout Google Cloud and lets you grant permissions at the bucket and project levels (a bucket also inherits the bindings set on its project, folder, and organization). Use IAM for any permission that applies to multiple objects in a bucket to reduce the risk of unintended exposure. To use IAM exclusively, enable uniform bucket-level access on the bucket, which disables ACLs for the bucket and every object in it; the organization policy constraint storage.uniformBucketLevelAccess can require this for all new buckets.

ACLs control permissioning only for Cloud Storage resources and offer a limited set of permissions, but they let you grant permissions on individual objects. ACLs are mainly useful for the following cases:

  • Customize access to individual objects within a bucket.
  • Migrate data from Amazon S3.
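
To make the either-system-grants rule concrete, here is a small model of the evaluation. It is an added example, not code from the Cloud Storage documentation or client library; the role tables are cut down to what the scenario needs, public access prevention (described further down this page) is included as a third rule, and every bucket, object and principal name is invented.

```python
"""Model of how Cloud Storage combines IAM and ACLs when evaluating a request.

Added illustration, not code from the Cloud Storage documentation or client
library. It simulates three rules from this page: in a fine-grained bucket,
either system granting a permission is enough; uniform bucket-level access stops
ACLs from being consulted; and public access prevention keeps grants to allUsers
and allAuthenticatedUsers from taking effect. Role tables are reduced to what
the example needs, and all names are invented.
"""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"                      # an unauthenticated requester
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Reduced role tables: the real roles carry more permissions than listed here.
IAM_ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
}
ACL_ROLE_PERMISSIONS = {
    "READER": {"storage.objects.get"},
    "OWNER": {"storage.objects.get", "storage.objects.update", "storage.objects.delete"},
}


@dataclass
class Bucket:
    name: str
    iam_bindings: dict = field(default_factory=dict)   # role -> set of principals
    object_acls: dict = field(default_factory=dict)    # object name -> {entity: ACL role}
    uniform_bucket_level_access: bool = False
    public_access_prevention: bool = False

    def matches(self, entity: str, principal: str) -> bool:
        """Does a binding or ACL entry for `entity` apply to `principal`?"""
        if entity in PUBLIC_PRINCIPALS:
            if self.public_access_prevention:
                return False                           # public grants are never honored
            return entity == "allUsers" or principal != ANONYMOUS
        return entity == principal

    def iam_grants(self, principal: str, permission: str) -> bool:
        return any(permission in IAM_ROLE_PERMISSIONS.get(role, ())
                   and any(self.matches(member, principal) for member in members)
                   for role, members in self.iam_bindings.items())

    def acl_grants(self, obj: str, principal: str, permission: str) -> bool:
        if self.uniform_bucket_level_access:
            return False                               # ACLs are disabled bucket-wide
        return any(permission in ACL_ROLE_PERMISSIONS.get(role, ())
                   and self.matches(entity, principal)
                   for entity, role in self.object_acls.get(obj, {}).items())

    def check(self, obj: str, principal: str, permission: str):
        """Return the system that granted access ('iam' or 'acl'), or None if denied."""
        if self.iam_grants(principal, permission):
            return "iam"
        if self.acl_grants(obj, principal, permission):
            return "acl"
        return None


def example_bucket(**settings) -> Bucket:
    """The scenario from the text: IAM admits one reader, but one object's ACL is public."""
    return Bucket(
        name="reports-bucket",
        iam_bindings={"roles/storage.objectViewer": {"user:alice@example.com"}},
        object_acls={"secret.csv": {"allUsers": "READER"}},
        **settings,
    )


def demo() -> dict:
    """Who can read secret.csv under each bucket setting?"""
    def who_can_read(bucket: Bucket) -> dict:
        return {p: bucket.check("secret.csv", p, "storage.objects.get")
                for p in ("user:alice@example.com", ANONYMOUS)}
    return {
        "fine_grained": who_can_read(example_bucket()),
        "uniform": who_can_read(example_bucket(uniform_bucket_level_access=True)),
        "public_access_prevention": who_can_read(example_bucket(public_access_prevention=True)),
    }


if __name__ == "__main__":
    for setting, readers in demo().items():
        print(f"{setting}: {readers}")
```

Running demo() shows anonymous access succeeding through the ACL only in the fine-grained case; with uniform bucket-level access the ACL is no longer consulted, and with public access prevention the allUsers grant is ignored even though ACLs stay enabled.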

Additional access control options

In addition to IAM and ACLs, the following tools are available to help you control access to your resources:

Signed URLs (query string authentication)

Use signed URLs to give time-limited read or write access to an object through a URL you generate. Anyone who has the URL can access the object for the duration you specify, whether or not they have a Google account, so treat a signed URL as a bearer credential.

You can use signed URLs in addition to IAM and ACLs. For example, you can use IAM to grant access to a bucket for only a few people, then create a signed URL that allows others to access a specific resource within the bucket.
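
The block below is an added example, not code from the documentation or from the client library: a pure-Python reimplementation of the V4 signing process using an HMAC key, plus the verification the service performs, so that the bearer and time-limit properties can be exercised offline. The key id, secret, bucket and object names are placeholders; in production, generate URLs with the client library (for example blob.generate_signed_url(version="v4", ...)) rather than with hand-rolled signing.

```python
"""Worked illustration of the V4 signing process behind Cloud Storage signed URLs.

Added example, not code from the Cloud Storage documentation or client library.
It follows the documented V4 steps with an HMAC key (GOOG4-HMAC-SHA256) so the
bearer, resource-binding and expiry properties can be checked offline.
Key id, secret, bucket and object names are placeholders.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

HOST = "storage.googleapis.com"
ALGORITHM = "GOOG4-HMAC-SHA256"
SCOPE_SUFFIX = "auto/storage/goog4_request"
MAX_LIFETIME = 7 * 24 * 3600              # V4 signed URLs are capped at seven days
UTC = dt.timezone.utc

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signing_key(secret: str, date: str) -> bytes:
    # Derivation chain: ("GOOG4" + secret) -> date -> region -> service -> terminator.
    key = _hmac(("GOOG4" + secret).encode(), date)
    for part in SCOPE_SUFFIX.split("/"):
        key = _hmac(key, part)
    return key

def _canonical_query(params: dict) -> str:
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))

def _string_to_sign(method: str, path: str, params: dict, host: str) -> str:
    # Canonical request as laid out in the V4 process; signed URLs use UNSIGNED-PAYLOAD.
    canonical_request = "\n".join(
        [method, path, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    date = params["X-Goog-Credential"].split("/")[1]
    return "\n".join([ALGORITHM, params["X-Goog-Date"], f"{date}/{SCOPE_SUFFIX}",
                      hashlib.sha256(canonical_request.encode()).hexdigest()])

def sign_url(key_id, secret, bucket, obj, *, method="GET", lifetime=600, now=None):
    """Return a V4 signed URL granting `method` on gs://bucket/obj for `lifetime` seconds."""
    if not 1 <= lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 second and 7 days")
    now = now or dt.datetime.now(UTC)
    date = now.strftime("%Y%m%d")
    path = f"/{quote(bucket, safe='')}/{quote(obj)}"   # quote() keeps '/' inside object names
    params = {
        "X-Goog-Algorithm": ALGORITHM,
        "X-Goog-Credential": f"{key_id}/{date}/{SCOPE_SUFFIX}",
        "X-Goog-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Goog-Expires": str(lifetime),
        "X-Goog-SignedHeaders": "host",
    }
    signature = hmac.new(_signing_key(secret, date),
                         _string_to_sign(method, path, params, HOST).encode(),
                         hashlib.sha256).hexdigest()
    return f"https://{HOST}{path}?{_canonical_query(params)}&X-Goog-Signature={signature}"

def verify_url(url, secret, *, method="GET", now=None):
    """Recompute the signature as the service does and check the expiry window.

    Returns (ok, reason). Note what is not checked: who is presenting the URL.
    """
    now = now or dt.datetime.now(UTC)
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Goog-Signature", "")
    try:
        issued = dt.datetime.strptime(params["X-Goog-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=UTC)
        lifetime = int(params["X-Goog-Expires"])
        date = params["X-Goog-Credential"].split("/")[1]
    except (KeyError, ValueError, IndexError):
        return False, "malformed signed URL"
    if params.get("X-Goog-Algorithm") != ALGORITHM or params.get("X-Goog-SignedHeaders") != "host":
        return False, "unsupported algorithm or signed headers"
    if not 1 <= lifetime <= MAX_LIFETIME or now > issued + dt.timedelta(seconds=lifetime):
        return False, "expired"
    expected = hmac.new(_signing_key(secret, date),
                        _string_to_sign(method, parts.path, params, parts.netloc).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"

def demo() -> dict:
    """Sign one URL, then present it intact, pointed at another object, and after expiry."""
    issued = dt.datetime(2024, 1, 1, 12, 0, tzinfo=UTC)
    secret = "not-a-real-hmac-secret"                 # placeholder
    url = sign_url("GOOGEXAMPLEKEYID", secret, "reports-bucket", "q1/summary.pdf",
                   lifetime=3600, now=issued)
    soon, later = issued + dt.timedelta(minutes=5), issued + dt.timedelta(hours=2)
    return {
        "url": url,
        "fresh": verify_url(url, secret, now=soon),
        "other_object": verify_url(url.replace("summary.pdf", "payroll.pdf"), secret, now=soon),
        "expired": verify_url(url, secret, now=later),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier never asks who is presenting the URL: whoever holds it gets the object until X-Goog-Expires elapses, which is why a URL for one object cannot be bent to another (the path is part of the signed canonical request) but can be forwarded freely.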

Signed Policy Documents

Use signed policy documents to specify what can be uploaded to a bucket. Policy documents allow greater control over size, content type, and other upload characteristics than signed URLs, and can be used by website owners to allow visitors to upload files to Cloud Storage.

You can use signed policy documents in addition to IAM and ACLs. For example, you can use IAM to allow people in your organization to upload any object, then create a signed policy document that allows website visitors to upload only objects that meet specific criteria.
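
As an added example (not the documentation's or the client library's own code), the block below builds a policy document that confines uploads to a key prefix, one content type and a size range, then evaluates sample browser uploads against it the way the service would. The signature step (RSA or HMAC over the base64 policy) is omitted, the bucket name and form fields are invented, and the bucket is carried as a form field here for the check even though in a real form it is the POST URL's target.

```python
"""Signed policy documents: what a policy permits and how uploads are checked against it.

Added example, not code from the Cloud Storage documentation or client library.
build_policy() produces a V4-style POST policy document; evaluate() applies its
conditions to a candidate upload the way the service would. Signing the base64
policy (RSA or HMAC) is omitted. Bucket and field values are invented.
"""
import base64
import datetime as dt
import json

UTC = dt.timezone.utc
# Form fields that need no matching condition in the policy.
UNCONDITIONED_FIELDS = {"file", "policy", "x-goog-signature"}


def build_policy(bucket, key_prefix, content_type, max_bytes, expires_at):
    """Return the policy document and its base64 form, as placed in the upload form."""
    policy = {
        "conditions": [
            {"bucket": bucket},                              # exact match
            ["starts-with", "$key", key_prefix],             # object name prefix
            ["eq", "$Content-Type", content_type],           # exact match, list form
            ["content-length-range", 0, max_bytes],          # size of the uploaded file
        ],
        "expiration": expires_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    return policy, base64.b64encode(json.dumps(policy).encode()).decode()


def evaluate(policy, fields, content_length, now):
    """Check an upload (form fields plus file size) against the policy. Returns (ok, reason)."""
    expiration = dt.datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    if now > expiration:
        return False, "policy expired"
    covered = set()                                          # field names vetted by a condition
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            (name, value), = cond.items()
            covered.add(name.lower())
            if fields.get(name) != value:
                return False, f"{name} must equal {value!r}"
        elif cond[0] == "content-length-range":
            lo, hi = cond[1], cond[2]
            if not lo <= content_length <= hi:
                return False, f"size {content_length} outside {lo}..{hi}"
        else:
            op, name, value = cond[0], cond[1].lstrip("$"), cond[2]
            covered.add(name.lower())
            actual = fields.get(name)
            if actual is None:
                return False, f"missing field {name}"
            if op == "eq" and actual != value:
                return False, f"{name} must equal {value!r}"
            if op == "starts-with" and not actual.startswith(value):
                return False, f"{name} must start with {value!r}"
            if op not in ("eq", "starts-with"):
                return False, f"unknown condition {op}"
    # Every other form field must be covered by some condition, so the uploader
    # cannot add fields (for example a different key) that the signer never vetted.
    extra = sorted(f for f in fields if f.lower() not in covered | UNCONDITIONED_FIELDS)
    if extra:
        return False, f"unconditioned form fields: {extra}"
    return True, "ok"


def demo() -> dict:
    """Policy for one user's upload folder, tried against a good upload and four bad ones."""
    now = dt.datetime(2024, 1, 1, 12, 0, tzinfo=UTC)
    policy, encoded = build_policy("uploads-bucket", "user-uploads/u123/", "image/png",
                                   5 * 1024 * 1024, now + dt.timedelta(minutes=10))
    # Constructed form fields; "bucket" is the POST target, carried here as a field for the check.
    good = {"bucket": "uploads-bucket", "key": "user-uploads/u123/avatar.png",
            "Content-Type": "image/png"}
    return {
        "encoded_policy": encoded,
        "allowed": evaluate(policy, good, 120_000, now),
        "other_user": evaluate(policy, {**good, "key": "user-uploads/u999/x.png"}, 120_000, now),
        "too_large": evaluate(policy, good, 6 * 1024 * 1024, now),
        "extra_field": evaluate(policy, {**good, "x-goog-meta-owner": "admin"}, 120_000, now),
        "expired": evaluate(policy, good, 120_000, now + dt.timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The starts-with condition on $key is what keeps one visitor from writing into another user's prefix, and the content-length-range bound is what a signed URL cannot express; the unconditioned-field check matters because any form field the signer did not constrain would otherwise be attacker-chosen.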

Firebase Security Rules

Use Firebase Security Rules to provide granular, attribute-based access control to mobile and web apps using the Firebase SDKs for Cloud Storage. For example, you can specify who can upload or download objects, how large an object can be, or when an object can be downloaded.

Public access prevention

Use public access prevention to block public access to your buckets and objects. When public access prevention is enabled, grants to allUsers and allAuthenticatedUsers, whether made through IAM or through ACLs, are not honored, so anyone whose only path to the data is one of those principals is denied. It can be set on an individual bucket or enforced for a project, folder, or organization through the storage.publicAccessPrevention organization policy constraint.

Credential Access Boundaries

Use Credential Access Boundaries to downscope the permissions available to an OAuth 2.0 access token. First, define a Credential Access Boundary that names the buckets the token may access and sets an upper bound on the permissions available on those buckets (optionally narrowed further, by condition, to objects under a given prefix). Then create an OAuth 2.0 access token and exchange it for a new token that is limited by the boundary. A downscoped token can only have fewer permissions than the token it was exchanged from, never more.
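
An added example, not code from the documentation or from google-auth: it builds the access boundary for one bucket, one role and an object prefix, assembles the Security Token Service exchange request that yields the downscoped token (without sending it), and models the upper-bound rule by intersecting the original token's roles with the boundary. The bucket name and token string are placeholders; with google-auth available, google.auth.downscoped performs the same exchange.

```python
"""Credential Access Boundaries: the boundary, the token exchange, and the upper-bound rule.

Added example, not code from the Cloud Storage documentation or from google-auth.
Nothing is sent; the token string and bucket name are placeholders.
"""
import json
from urllib.parse import urlencode

STS_ENDPOINT = "https://sts.googleapis.com/v1/token"
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def bucket_resource(bucket: str) -> str:
    return f"//storage.googleapis.com/projects/_/buckets/{bucket}"


def access_boundary(bucket: str, role: str, prefix=None) -> dict:
    """Boundary with one rule: `role` on `bucket`, optionally only for objects under `prefix`."""
    rule = {
        "availableResource": bucket_resource(bucket),
        "availablePermissions": [f"inRole:{role}"],
    }
    if prefix is not None:
        rule["availabilityCondition"] = {
            "expression": f"resource.name.startsWith('projects/_/buckets/{bucket}/objects/{prefix}')"
        }
    return {"accessBoundary": {"accessBoundaryRules": [rule]}}


def exchange_request(access_token: str, boundary: dict):
    """Endpoint and form body of the Security Token Service exchange that returns the downscoped token."""
    body = {
        "grant_type": TOKEN_EXCHANGE,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": access_token,
        "options": json.dumps(boundary),
    }
    return STS_ENDPOINT, urlencode(body)


def effective_roles(original_roles, boundary, bucket, object_name=None) -> set:
    """Roles usable with the downscoped token: the original roles intersected with the boundary.

    The boundary is an upper bound; it can only remove roles, never add any.
    """
    resource_name = f"projects/_/buckets/{bucket}" + (f"/objects/{object_name}" if object_name else "")
    allowed = set()
    for rule in boundary["accessBoundary"]["accessBoundaryRules"]:
        if rule["availableResource"] != bucket_resource(bucket):
            continue
        condition = rule.get("availabilityCondition")
        if condition is not None:
            # Evaluate the one CEL pattern this example emits: resource.name.startsWith('...')
            prefix = condition["expression"].split("'")[1]
            if not resource_name.startswith(prefix):
                continue
        allowed.update(p.removeprefix("inRole:") for p in rule["availablePermissions"])
    return set(original_roles) & allowed


def demo() -> dict:
    boundary = access_boundary("customer-data", "roles/storage.objectViewer", prefix="tenant-42/")
    endpoint, body = exchange_request("ya29.placeholder-access-token", boundary)
    original = {"roles/storage.objectViewer", "roles/storage.objectAdmin"}   # what the full token has
    return {
        "endpoint": endpoint,
        "body": body,
        "in_scope": effective_roles(original, boundary, "customer-data", "tenant-42/report.csv"),
        "other_tenant": effective_roles(original, boundary, "customer-data", "tenant-7/report.csv"),
        "other_bucket": effective_roles(original, boundary, "other-bucket", "tenant-42/report.csv"),
        # A boundary cannot grant what the original token lacks:
        "not_widened": effective_roles({"roles/storage.objectCreator"}, boundary,
                                       "customer-data", "tenant-42/x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pattern this supports is handing a per-tenant worker a token that can read only that tenant's prefix in a shared bucket, without creating a service account or IAM binding per tenant; the downscoped token is still a bearer token, so the boundary limits blast radius rather than replacing token hygiene.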
