This page shows you how to make objects you own readable to everyone on the public internet. To learn how to access data that has been made public, see Accessing Public Data.
When an object is shared publicly, any user with knowledge of the object URI can access the object for as long as the object is public.
Required roles
In order to get the required permissions for making objects publicly readable, ask your administrator to grant you the following roles for the bucket that contains the data you want to make public:
- To make all objects in a bucket publicly readable: Storage Admin (roles/storage.admin)
- To make individual objects publicly readable: Storage Object Admin (roles/storage.objectAdmin)
  - If you plan on using the Google Cloud console, you'll need the Storage Admin (roles/storage.admin) role instead of the Storage Object Admin role.
These roles contain the permissions required to make objects public. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
The following permissions are only required for using the Google Cloud console to perform the tasks on this page:
storage.buckets.list
storage.objects.list
You might also be able to get these permissions with other predefined roles or custom roles.
For instructions on granting roles on buckets, see Use IAM with buckets.
Make all objects in a bucket publicly readable
To make all objects in a bucket readable to everyone on the public internet, grant the principal allUsers the Storage Object Viewer (roles/storage.objectViewer) role:
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. In the list of buckets, click the name of the bucket that you want to make public.
3. Select the Permissions tab near the top of the page.
4. In the Permissions section, click the Grant access button. The Grant access dialog appears.
5. In the New principals field, enter allUsers.
6. In the Select a role drop down, enter Storage Object Viewer in the filter box and select the Storage Object Viewer from the filtered results.
7. Click Save.
8. Click Allow public access.
Once public access has been granted, Copy URL appears for each object in the public access column. You can click this button to get the public URL for the object.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
To learn how to resolve organization policy errors and permission errors, see Troubleshoot making data public.
Command line
1. In the Google Cloud console, activate Cloud Shell.
   At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
2. In your development environment, run the buckets add-iam-policy-binding command:
    gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
   Where BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket.
Client libraries
For more information, see the Cloud Storage API reference documentation for your language: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
Terraform
You can use a Terraform resource to make all objects in a bucket public.
REST APIs
JSON API
1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Create a JSON file that contains the following information:
    {
      "bindings": [
        {
          "role": "roles/storage.objectViewer",
          "members": ["allUsers"]
        }
      ]
    }
3. Use cURL to call the JSON API with a PUT Bucket request:
    curl -X PUT --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"
   Where:
   - JSON_FILE_NAME is the path for the file that you created in Step 2.
   - BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket.
XML API
Making all objects in a bucket publicly readable is not supported by the XML API. Use the Google Cloud console or gcloud storage.
Make a portion of a bucket publicly readable
Use a managed folder to control access to objects whose name prefix matches the name of the managed folder. For example, a managed folder named my-folder can be used to control access to objects named my-folder/cats.jpg and my-folder/dogs.jpg.
To make such objects publicly accessible, first create the managed folder, and then set an IAM policy on the folder that grants allUsers the Storage Object Viewer (roles/storage.objectViewer) role:
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. Click the name of the bucket that contains the objects you want to make public.
3. Create a folder, using the following steps:
   - Click the Create folder button.
   - Enter the Name for the folder. Once the folder is converted to a managed folder, objects whose names start with this name will be subject to IAM roles set on the folder.
   - Click Create.
4. Convert the folder to a managed folder, using the following steps:
   - In the pane that shows the bucket's contents, find the name of the folder you created, and click the More options icon.
   - Click Edit access.
   - In the window that appears, click Enable.
5. Add an IAM policy to the folder that grants allUsers the Storage Object Viewer (roles/storage.objectViewer) role, using the following steps:
   - If the Permissions pane for your managed folder isn't already open, click the More options icon for the managed folder, and then click Edit access.
   - In the Permissions pane, click the Add principal button.
   - In the New principals field, enter allUsers.
   - In the Select a role drop down, enter Storage Object Viewer in the filter box, and select Storage Object Viewer from the filtered results.
   - Click Save.
   - Click Allow public access.
Once public access has been granted, Copy URL appears for each applicable object in the public access column. You can click this button to get the public URL for the object.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
To learn how to resolve organization policy errors and permission errors, see Troubleshoot making data public.
Command line
1. In the Google Cloud console, activate Cloud Shell.
   At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
2. In your development environment, create a managed folder using the gcloud storage managed-folders create command:
    gcloud storage managed-folders create gs://BUCKET_NAME/MANAGED_FOLDER_NAME/
   Where:
   - BUCKET_NAME is the name of the bucket in which you want to create a managed folder. For example, my-bucket.
   - MANAGED_FOLDER_NAME is the name of the managed folder you want to create. For example, my-managed-folder.
3. In your development environment, add allUsers to the managed folder's IAM policy using the gcloud storage managed-folders add-iam-policy-binding command:
    gcloud storage managed-folders add-iam-policy-binding gs://BUCKET_NAME/MANAGED_FOLDER_NAME --member=allUsers --role=roles/storage.objectViewer
   Where:
   - BUCKET_NAME is the name of the bucket containing the managed folder you're adding the IAM policy to. For example, my-bucket.
   - MANAGED_FOLDER_NAME is the name of the managed folder that you want to add public access to. For example, my-managed-folder.
REST APIs
JSON API
1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Create a JSON file that contains the following information:
    {
      "name": "MANAGED_FOLDER_NAME"
    }
   Where MANAGED_FOLDER_NAME is the name of the managed folder you want to create. For example, my-managed-folder.
3. Use cURL to call the JSON API with an Insert ManagedFolder request:
    curl -X POST --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders"
   Where:
   - JSON_FILE_NAME is the path for the file that you created in the previous step.
   - BUCKET_NAME is the name of the bucket in which you want to create a managed folder. For example, my-bucket.
4. Create a JSON file that contains the following information:
    {
      "bindings": [
        {
          "role": "roles/storage.objectViewer",
          "members": ["allUsers"]
        }
      ]
    }
5. Use cURL to call the JSON API with a setIamPolicy ManagedFolder request:
    curl -X PUT --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"
   Where:
   - JSON_FILE_NAME is the path for the file that you created in the previous step.
   - BUCKET_NAME is the name of the bucket containing the managed folder you're adding the IAM policy to. For example, my-bucket.
   - MANAGED_FOLDER_NAME is the name of the managed folder you're adding the IAM policy to. For example, my-managed-folder.
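The PUT requests in the JSON API steps for the bucket and for the managed folder set the resource's whole IAM policy, so a file holding only the allUsers binding replaces any bindings that were already there. The following added example (not part of the original page) merges the binding into a policy first fetched with a GET on the same /iam URL; the function name and the sample policy are constructed for illustration.

```python
import copy
import json

PUBLIC_MEMBER = "allUsers"
VIEWER_ROLE = "roles/storage.objectViewer"


def add_public_viewer(current_policy):
    """Return a copy of current_policy that also grants allUsers objectViewer.

    current_policy is the dict returned by a GET on the resource's /iam URL.
    Existing bindings and the etag are kept, so other principals keep their
    access and the etag can be used to detect a concurrent policy change.
    """
    policy = copy.deepcopy(current_policy)
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        # Extend only the unconditional binding for this role; a binding with
        # a "condition" is a separate grant and is left untouched.
        if binding.get("role") == VIEWER_ROLE and "condition" not in binding:
            members = binding.setdefault("members", [])
            if PUBLIC_MEMBER not in members:
                members.append(PUBLIC_MEMBER)
            return policy
    bindings.append({"role": VIEWER_ROLE, "members": [PUBLIC_MEMBER]})
    return policy


# Constructed sample of a policy as returned by the GET request.
SAMPLE_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/my-bucket",
    "version": 1,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:admin@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:readers@example.com"]},
    ],
}

if __name__ == "__main__":
    # The printed JSON is what would be saved as JSON_FILE_NAME for the PUT.
    print(json.dumps(add_public_viewer(SAMPLE_POLICY), indent=2))
```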
XML API
The XML API does not support working with managed folders. Use a different tool, such as the Google Cloud console, or set ACLs on individual objects using Set Object ACL requests. The following is an example ACL file that would grant allUsers access to an object:
    <AccessControlList>
      <Entries>
        <Entry>
          <Scope type="AllUsers"/>
          <Permission>READ</Permission>
        </Entry>
      </Entries>
    </AccessControlList>
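An added check, not part of the original page, that reports which objects end up publicly readable once bucket-level and managed-folder IAM policies like the ones on this page are in place. The function names, the role set and the sample data are constructed for illustration, and object ACLs such as the XML API example are not evaluated.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumed, non-exhaustive set of predefined roles that allow reading objects.
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyObjectReader",
}


def is_public(policy):
    """True if a binding gives a public principal an object-reading role.

    Conditional bindings are counted as public, which errs on the side of
    reporting.
    """
    return any(
        b.get("role") in READ_ROLES and PUBLIC_MEMBERS & set(b.get("members", []))
        for b in policy.get("bindings", [])
    )


def public_objects(bucket_policy, folder_policies, object_names):
    """Return the sorted object names that the policies expose publicly.

    folder_policies maps a managed folder name to its IAM policy; a folder
    policy covers every object whose name starts with "<folder name>/".
    """
    if is_public(bucket_policy):
        return sorted(object_names)
    # Normalise to a trailing slash so "my-folder" does not match "my-folder-2/".
    prefixes = tuple(
        name.rstrip("/") + "/"
        for name, policy in folder_policies.items() if is_public(policy)
    )
    return sorted(n for n in object_names if n.startswith(prefixes))


# Constructed sample data.
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}
FOLDER_POLICIES = {
    "my-folder": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    "private/": {"bindings": []},
}
OBJECTS = ["my-folder/cats.jpg", "my-folder/dogs.jpg",
           "my-folder-2/notes.txt", "private/report.pdf"]

if __name__ == "__main__":
    print(public_objects(BUCKET_POLICY, FOLDER_POLICIES, OBJECTS))
```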
What's next
- Access data that has been made public.
- Learn about more access control options for your buckets and objects.