Access Control Options

You can control who has access to your Cloud Storage buckets and objects, as well as what level of access they have. Below is a summary of the access control options available to you, along with links to learn more about each:

  • Identity and Access Management (IAM) permissions: Control users' ability to access all of a project's buckets and objects. IAM permissions give you broad control over your projects, but not fine-grained control over individual buckets or objects.

  • Access Control Lists (ACLs): Grant read or write access to users for individual buckets or objects. In many cases, you can use IAM permissions instead of ACLs. Use ACLs only when you need fine-grained control over individual resources. To learn how to use ACLs, see Create and Manage Access Control Lists.

  • Signed URLs (query string authentication): Give time-limited read or write access to an object through a URL you generate. Anyone with whom you share the URL can access the object for the duration of time you specify, regardless of whether or not they have a Google account. Learn how to create signed URLs.

  • Signed Policy Documents: Specify what can be uploaded to a bucket. Policy documents allow greater control over size, content type, and other upload characteristics than signed URLs, and can be used by website owners to allow visitors to upload files to Google Cloud Storage.

These options are not mutually exclusive. For example, you can use ACLs to generally give private access to a bucket, but then create a signed URL or policy document that allows anyone you choose to access a resource within the bucket, bypassing the ACL mechanism.
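To make the signed URL option above concrete, here is an added example (not code from this documentation or from the Cloud Storage client libraries) that builds a time-limited URL and then performs the receiver-side check that makes it time-limited. It is modelled on Google's V4 signing process for HMAC keys (service-account RSA keys are the other signing option); the access key ID, secret, bucket and object name are constructed values, and the `verify_url` function stands in for what the storage service does on receipt, so it is illustrative rather than the service's own code.

```python
import hashlib, hmac, time
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit
HOST, ALGORITHM = "storage.googleapis.com", "GOOG4-HMAC-SHA256"

def _signing_key(secret, date):
    # V4 key derivation for HMAC keys: "GOOG4"+secret chained through HMAC-SHA256
    # over the date, location ("auto" for signed URLs), service and request type.
    key = ("GOOG4" + secret).encode()
    for part in (date, "auto", "storage", "goog4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def _canonical_query(params):
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))

def _string_to_sign(method, path, params, stamp, scope):
    # Canonical request: verb, encoded path, sorted query, canonical headers, blank line,
    # signed header names, unsigned-payload marker; the string to sign carries its hash.
    canonical = "\n".join([method, path, _canonical_query(params), f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    return "\n".join([ALGORITHM, stamp, scope, hashlib.sha256(canonical.encode()).hexdigest()])

def sign_url(access_id, secret, bucket, obj, method="GET", ttl=900, now=None):
    """Issue a URL granting `method` on one object for `ttl` seconds from `now` (epoch seconds)."""
    now = int(time.time()) if now is None else now
    stamp = datetime.fromtimestamp(now, timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    scope = f"{stamp[:8]}/auto/storage/goog4_request"
    path = f"/{quote(bucket, safe='')}/{quote(obj)}"
    params = {"X-Goog-Algorithm": ALGORITHM, "X-Goog-Credential": f"{access_id}/{scope}",
              "X-Goog-Date": stamp, "X-Goog-Expires": str(ttl), "X-Goog-SignedHeaders": "host"}
    sts = _string_to_sign(method, path, params, stamp, scope)
    sig = hmac.new(_signing_key(secret, stamp[:8]), sts.encode(), hashlib.sha256).hexdigest()
    return f"https://{HOST}{path}?{_canonical_query(params)}&X-Goog-Signature={sig}"

def verify_url(url, secret, method="GET", now=None):
    """Receiver-side check (illustrative): enforce the time window, then recompute and compare the MAC."""
    now = int(time.time()) if now is None else now
    u = urlsplit(url)
    params = dict(parse_qsl(u.query))
    presented = params.pop("X-Goog-Signature", "")
    try:
        stamp = params["X-Goog-Date"]
        issued = int(datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc).timestamp())
        ttl, scope = int(params["X-Goog-Expires"]), params["X-Goog-Credential"].split("/", 1)[1]
    except (KeyError, ValueError, IndexError):
        return False
    if not issued <= now < issued + ttl:
        return False  # the URL itself is the only credential, so its lifetime is the main control
    sts = _string_to_sign(method, u.path, params, stamp, scope)
    expected = hmac.new(_signing_key(secret, stamp[:8]), sts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)
```

Because the object path, method and expiry are all inside the signed string, changing any of them in a shared URL invalidates the signature, and once the window passes the URL stops working even though the underlying object and its ACL are unchanged.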

For examples of sharing and collaboration scenarios that involve setting bucket and object ACLs, see Sharing and Collaboration.
