Overview of access control

You control who has access to your Cloud Storage buckets and objects and what level of access they have.

Choose between uniform and fine-grained access

When you create a bucket, you should decide whether you want to apply permissions using uniform or fine-grained access.

  • Uniform (recommended): Uniform bucket-level access allows you to use Identity and Access Management (IAM) alone to manage permissions. IAM applies permissions to all the objects contained inside the bucket or groups of objects with common name prefixes. IAM also allows you to use features that are not available when working with ACLs, such as IAM Conditions and Cloud Audit Logs.

  • Fine-grained: The fine-grained option enables you to use IAM and Access Control Lists (ACLs) together to manage permissions. ACLs are a legacy access control system for Cloud Storage designed for interoperability with Amazon S3. You can specify access and apply permissions at both the bucket level and per individual object.

If you have objects that contain sensitive data, such as personally identifiable information, we recommend storing that data in a bucket with uniform access enabled to streamline permissions. For example:

Recommended: Access control: uniform
This setup has a lower chance of data exposure. Adding permissions at the bucket level ensures that Max and Bella cannot see each other's data, even if new files are added to the buckets.

Not recommended: Access control: fine-grained
This setup has a higher chance of data exposure. If you do not set object permissions correctly, Max and Bella may be able to see each other's photos, as well as new files added to the bucket.

Using IAM permissions with ACLs

Cloud Storage offers two systems for granting users permission to access your buckets and objects: IAM and Access Control Lists (ACLs). These systems act in parallel - in order for a user to access a Cloud Storage resource, only one of the systems needs to grant the user permission.

In most cases, IAM is the recommended method for controlling access to your resources. IAM controls permissioning throughout Google Cloud and allows you to grant permissions at the bucket and project levels. You should use IAM for any permissions that apply to multiple objects in a bucket to reduce the risks of unintended exposure. To use IAM exclusively, enable uniform bucket-level access to disallow ACLs for all Cloud Storage resources.

ACLs control permissioning only for Cloud Storage resources and have limited permission options, but they allow you to grant permissions on individual objects. You most likely want to use ACLs for the following use cases:

  • Customize access to individual objects within a bucket.
  • Migrate data from Amazon S3.

Additional access control options

In addition to IAM and ACLs, the following tools are available to help you control access to your resources:

Signed URLs (query string authentication)

Use signed URLs to give time-limited read or write access to an object through a URL you generate. Anyone with whom you share the URL can access the object for the duration of time you specify, regardless of whether or not they have a Google account.

You can use signed URLs in addition to IAM and ACLs. For example, you can use IAM to grant access to a bucket for only a few people, then create a signed URL that allows others to access a specific resource within the bucket.

Signed Policy Documents

Use signed policy documents to specify what can be uploaded to a bucket. Policy documents allow greater control over size, content type, and other upload characteristics than signed URLs, and can be used by website owners to allow visitors to upload files to Cloud Storage.

You can use signed policy documents in addition to IAM and ACLs. For example, you can use IAM to allow people in your organization to upload any object, then create a signed policy document that allows website visitors to upload only objects that meet specific criteria.

Firebase Security Rules

Use Firebase Security Rules to provide granular, attribute-based access control to mobile and web apps using the Firebase SDKs for Cloud Storage. For example, you can specify who can upload or download objects, how large an object can be, or when an object can be downloaded.

Credential Access Boundaries

Use Credential Access Boundaries to downscope the permissions that are available to an OAuth 2.0 access token. First, you define a Credential Access Boundary that specifies which buckets the token can access, as well as an upper bound on the permissions that are available on that bucket. You can then create an OAuth 2.0 access token and exchange it for a new access token that respects the Credential Access Boundary.
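The following Python example (added here; it is not Google's code) builds the Credential Access Boundary and the STS token-exchange request body described above, and then simulates the upper-bound rule locally: a downscoped token can only do what the original token could do and what a boundary rule makes available. The ROLE_PERMISSIONS mapping is a constructed, simplified role expansion for the simulation; the request is built but never sent.

```python
import json
from urllib.parse import urlencode

STS_ENDPOINT = "https://sts.googleapis.com/v1/token"


def build_access_boundary(bucket, role, prefix=None):
    """Boundary passed as the `options` field of the STS token exchange.
    Caps the downscoped token at `role` on `bucket`; `prefix` narrows it to
    objects under that prefix with a CEL availability condition."""
    rule = {
        "availablePermissions": [f"inRole:{role}"],
        "availableResource": f"//storage.googleapis.com/projects/_/buckets/{bucket}",
    }
    if prefix:
        rule["availabilityCondition"] = {
            "expression": "resource.name.startsWith("
                          f"'projects/_/buckets/{bucket}/objects/{prefix}')"
        }
    return {"accessBoundary": {"accessBoundaryRules": [rule]}}


def build_exchange_request(source_token, boundary):
    """Form body exchanging a normal OAuth 2.0 access token for a downscoped one."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token": source_token,
        "options": json.dumps(boundary),
    })


# Constructed, simplified role expansion used only by the local simulation.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}


def allowed_by_downscoped_token(base_permissions, boundary, bucket, object_name, permission):
    """The boundary is an upper bound: it never adds permissions the source token lacked."""
    if permission not in base_permissions:
        return False
    resource = f"projects/_/buckets/{bucket}/objects/{object_name}"
    for rule in boundary["accessBoundary"]["accessBoundaryRules"]:
        if rule["availableResource"] != f"//storage.googleapis.com/projects/_/buckets/{bucket}":
            continue
        cond = rule.get("availabilityCondition", {}).get("expression")
        if cond and not resource.startswith(cond.split("'")[1]):  # only the startsWith form above
            continue
        for perm in rule["availablePermissions"]:
            role = perm[len("inRole:"):] if perm.startswith("inRole:") else None
            if permission in ROLE_PERMISSIONS.get(role, set()):
                return True
    return False
```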