You can allow users or service accounts to perform certain operations on buckets without any IP filtering restrictions, while still enforcing restrictions for other operations. To do this, you bypass IP filtering rules.
It's crucial to have a way to regain access to your bucket if you inadvertently block your own IP address. This can happen due to the following reasons:
Bucket lockout: When you accidentally add a rule that blocks your own IP address or the IP range of your entire network.
Unexpected IP change: In some cases, your IP address might change unexpectedly due to network changes, and you might find yourself locked out.
For background information about bucket IP filtering, see Bucket IP filtering.
Supported operations
When you bypass IP filtering, the following operations are exempt from IP filtering restrictions:
- Getting a bucket's metadata (GET Bucket)
- Updating a bucket (PATCH Bucket)
- Deleting a bucket (DELETE Bucket)
Bypass bucket IP filtering rules
To enable specific users or service accounts to bypass IP filtering restrictions
on a bucket, grant them the storage.buckets.exemptFromIpFilter permission
using a custom role. This permission exempts the user or service account from IP
filtering rules for supported bucket-level operations. To do so, complete the
following steps:
1. Identify the user or service account that needs to bypass the IP filtering restrictions on specific buckets.
2. Create a custom role.
3. Add the storage.buckets.exemptFromIpFilter permission to the role.
4. Grant the custom role to the identified user or service account at the project level. For information about granting roles, see Grant a single role.
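The four steps above as a script, added here as an example and not taken from the Cloud Storage documentation. It assumes gcloud is installed and authenticated; PROJECT_ID, SA_EMAIL and ROLE_ID are placeholder values, and the role file is checked to carry only the bypass permission before anything is created.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloud Storage docs. PROJECT_ID, SA_EMAIL and
# ROLE_ID are placeholders; override them in the environment before applying.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project-id}"
SA_EMAIL="${SA_EMAIL:-bucket-admin@my-project-id.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-bucketIpFilterBypass}"
BYPASS_PERMISSION="storage.buckets.exemptFromIpFilter"

# Steps 2 and 3: a custom role carrying only the bypass permission, so the
# exception cannot be widened by accident when the role is reused.
write_role_definition() {
  cat > "$1" <<EOF
title: "Bucket IP filter bypass"
description: "Exempt principal from bucket IP filtering for GET/PATCH/DELETE Bucket"
stage: "GA"
includedPermissions:
- ${BYPASS_PERMISSION}
EOF
}

# Guard run before creating the role: exactly one permission, and it is the bypass one.
role_definition_is_minimal() {
  local count
  count=$(grep -c '^- ' "$1" || true)
  [ "$count" -eq 1 ] && grep -q "^- ${BYPASS_PERMISSION}\$" "$1"
}

# Step 4: create the role and bind it to the service account at project level.
apply_bypass() {
  local role_file
  role_file=$(mktemp)
  write_role_definition "$role_file"
  role_definition_is_minimal "$role_file"
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$role_file"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
  rm -f "$role_file"
}

# Audit helper: list every principal holding the bypass role, so the
# exceptions to the IP filtering rules stay reviewable.
list_bypass_principals() {
  gcloud projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
    --filter="bindings.role:projects/${PROJECT_ID}/roles/${ROLE_ID}" \
    --format="value(bindings.members)"
}
# Only touch the project when explicitly asked: RUN_APPLY=1 ./bypass.sh
if [ "${RUN_APPLY:-0}" = "1" ]; then apply_bypass; list_bypass_principals; fi
```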
After you grant the users or service accounts these permissions, they can perform supported operations without any IP filtering restrictions. Requiring explicit permissions ensures that bypassing IP filtering rules is a deliberate and authorized action by providing granular control over the exceptions to the rules.
Bypass IP filtering rules for Google Cloud service agents
Besides the IAM-based bypass, you can also allow all Google Cloud service agents to bypass the IP filtering rules for your bucket.
When enabled, services like Compute Engine, Cloud Run functions, or Cloud Composer can access the bucket using their service agents, even if their originating IP addresses are not explicitly listed in your allowed IP ranges. Bypassing the IP filtering rules is often necessary for the services to function correctly and interact with your bucket. For information about how to allow Google Cloud service agents to access your bucket, see Manage service agent access.
Bypass IP filtering rules for cross-organization VPC networks
You can let resources from a different organization's VPC network access the bucket without restrictions from your existing IP filtering configuration. For information about how to allow cross-organization VPC networks to access your bucket, see Manage cross-organization VPC access.
What's next
- Disable IP filtering rules on a bucket.
- Get IP filtering rules on a bucket.
- List bucket IP filtering rules.