defacl - Get, set, or change default ACL on buckets

Synopsis

gsutil defacl set file-or-canned_acl_name url...
gsutil defacl get url
gsutil defacl ch [-f] -u|-g|-d|-p <grant>... url...

Description

The defacl command has three sub-commands:

Set

The "defacl set" command sets default object ACLs for the specified buckets. If you specify a default object ACL for a certain bucket, Google Cloud Storage applies the default object ACL to all new objects uploaded to that bucket, unless an ACL for that object is separately specified during upload.

Similar to the "acl set" command, the file-or-canned_acl_name names either a canned ACL or the path to a file that contains ACL text. (See gsutil help acl for examples of editing and setting ACLs via the acl command.)

Setting a default object ACL on a bucket provides a convenient way to ensure newly uploaded objects have a specific ACL. If you don't set the bucket's default object ACL, it will default to project-private. If you then upload objects that need a different ACL, you will need to perform a separate ACL update operation for each object. Depending on how many objects require updates, this could be very time-consuming.

Get

Gets the default ACL text for a bucket, which you can save and edit for use with the "defacl set" command.

Ch

The "defacl ch" (or "defacl change") command updates the default object access control list for a bucket. The syntax is shared with the "acl ch" command, so see the "CH" section of gsutil help acl for the full help description.

Ch Examples

Grant anyone on the internet READ access by default to any object created in the bucket example-bucket:

gsutil defacl ch -u AllUsers:R gs://example-bucket

NOTE: By default, publicly readable objects are served with a Cache-Control header allowing such objects to be cached for 3600 seconds. If you need to ensure that updates become visible immediately, you should set a Cache-Control header of "Cache-Control:private, max-age=0, no-transform" on such objects. For help doing this, see gsutil help setmeta.

Add the user john.doe@example.com to the default object ACL on bucket example-bucket with READ access:

gsutil defacl ch -u john.doe@example.com:READ gs://example-bucket

Add the group admins@example.com to the default object ACL on bucket example-bucket with OWNER access:

gsutil defacl ch -g admins@example.com:O gs://example-bucket

Remove the group admins@example.com from the default object ACL on bucket example-bucket:

gsutil defacl ch -d admins@example.com gs://example-bucket

Add the owners of project example-project-123 to the default object ACL on bucket example-bucket with READ access:

gsutil defacl ch -p owners-example-project-123:R gs://example-bucket

NOTE: You can replace 'owners' with 'viewers' or 'editors' to grant access to a project's viewers/editors respectively.

Ch Options

The "ch" sub-command has the following options:

-d Remove all roles associated with the matching entity.
-f Normally gsutil stops at the first error. The -f option causes it to continue when it encounters errors. With this option the gsutil exit status will be 0 even if some ACLs couldn't be changed.
-g Add or modify a group entity's role.
-p Add or modify a project's viewers/editors/owners role.
-u Add or modify a user entity's role.
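
Because -f leaves the exit status at 0 even when some ACLs couldn't be changed, re-reading the default object ACL with "defacl get" is how to confirm what is actually in effect. The following added example (not part of gsutil or of this help page) audits saved "defacl get" output for public grants and produces a cleaned ACL for "defacl set"; it assumes the ACL text is a JSON list of entries with "entity" and "role" fields, and the sample ACL and function names are constructed for illustration.

```python
import json

# Entities that make every newly uploaded object readable beyond named principals.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of saved "gsutil defacl get gs://example-bucket" output.
# Assumption: each entry carries "entity" and "role" fields.
SAMPLE_DEFACL = """
[
  {"entity": "project-owners-123", "role": "OWNER",
   "projectTeam": {"projectNumber": "123", "team": "owners"}},
  {"entity": "user-john.doe@example.com", "email": "john.doe@example.com",
   "role": "READER"},
  {"entity": "group-admins@example.com", "email": "admins@example.com",
   "role": "OWNER"},
  {"entity": "allUsers", "role": "READER"}
]
"""


def audit_default_acl(acl_text):
    """Return (findings, cleaned_entries) for default object ACL JSON text."""
    entries = json.loads(acl_text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON list of ACL entries")
    findings, cleaned = [], []
    for entry in entries:
        entity = entry.get("entity", "")
        role = entry.get("role", "")
        if entity in PUBLIC_ENTITIES:
            findings.append(("public-grant", entity, role))
            continue  # drop public grants from the cleaned ACL
        if role == "OWNER" and not entity.startswith("project-owners-"):
            # Kept but flagged: a default OWNER grant lands on every new object.
            findings.append(("non-project-owner", entity, role))
        cleaned.append(entry)
    return findings, cleaned


def cleaned_acl_text(acl_text):
    """ACL JSON with public grants removed, ready to save for 'defacl set'."""
    return json.dumps(audit_default_acl(acl_text)[1], indent=2)


if __name__ == "__main__":
    for kind, entity, role in audit_default_acl(SAMPLE_DEFACL)[0]:
        print(f"{kind}: {entity} has {role}")
    print(cleaned_acl_text(SAMPLE_DEFACL))
```

Save the cleaned text to a file and pass that file's path as the file-or-canned_acl_name argument of "defacl set".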
