Get a bucket's ACL that's filtered by user

Stay organized with collections Save and categorize content based on your preferences.

View the access control list (ACL) for a Cloud Storage bucket that's filtered by user.

Code sample


For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name,
   std::string const& entity) {
  StatusOr<gcs::BucketAccessControl> acl =
      client.GetBucketAcl(bucket_name, entity);

  if (!acl) throw std::move(acl).status();
  std::cout << "ACL entry for " << acl->entity() << " in bucket "
            << acl->bucket() << " is " << *acl << "\n";


For more information, see the Cloud Storage C# API reference documentation.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;
using System.Collections.Generic;
using System.Linq;

public class PrintBucketAclForUserSample
    public IEnumerable<BucketAccessControl> PrintBucketAclForUser(
        string bucketName = "your-unique-bucket-name",
        string userEmail = "")
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName, new GetBucketOptions { Projection = Projection.Full });

        var bucketAclForUser = bucket.Acl.Where((acl) => acl.Entity == $"user-{userEmail}");
        foreach (var acl in bucketAclForUser)

        return bucketAclForUser;


For more information, see the Cloud Storage Go API reference documentation.

import (


// printBucketACLForUser lists bucket ACL using a filter.
func printBucketACLForUser(w io.Writer, bucket string, entity storage.ACLEntity) error {
	// bucket := "bucket-name"
	// entity := storage.AllUsers
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %v", err)
	defer client.Close()

	rules, err := client.Bucket(bucket).ACL().List(ctx)
	if err != nil {
		return fmt.Errorf("ACLHandle.List: %v", err)
	for _, r := range rules {
		if r.Entity == entity {
			fmt.Fprintf(w, "ACL rule role: %v\n", r.Role)
	return nil


For more information, see the Cloud Storage Java API reference documentation.


public class PrintBucketAclFilterByUser {

  public static void printBucketAclFilterByUser(String bucketName, String userEmail) {

    // The ID to give your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // The email of the user whose acl is being retrieved.
    // String userEmail = ""

    Storage storage = StorageOptions.newBuilder().build().getService();
    Bucket bucket = storage.get(bucketName);

    Acl userAcl = bucket.getAcl(new User(userEmail));
    String userRole = userAcl.getRole().name();
    System.out.println("User " + userEmail + " has role " + userRole);


For more information, see the Cloud Storage Node.js API reference documentation.

 * TODO(developer): Uncomment the following lines before running the sample.
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The email address of the user to check
// const userEmail = 'user-email-to-check';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function printBucketAclForUser() {
  const options = {
    // Specify the user
    entity: `user-${userEmail}`,

  // Gets the user's ACL for the bucket
  const [aclObject] = await storage.bucket(bucketName).acl.get(options);

  console.log(`${aclObject.role}: ${aclObject.entity}`);



For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

 * Print an entity role for a bucket ACL.
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $entity The entity for which to query access controls.
 *        (e.g. '')
function print_bucket_acl_for_user(
    string $bucketName,
    string $entity
): void {
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $acl = $bucket->acl();

    $item = $acl->get(['entity' => $entity]);
    printf('%s: %s' . PHP_EOL, $item['entity'], $item['role']);


For more information, see the Cloud Storage Python API reference documentation.

from import storage

def print_bucket_acl_for_user(bucket_name, user_email):
    """Prints out a bucket's access control list for a given user."""
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    # Reload fetches the current ACL from Cloud Storage.

    # You can also use `group`, `domain`, `all_authenticated` and `all` to
    # get the roles for different types of entities.
    roles = bucket.acl.user(user_email).get_roles()



For more information, see the Cloud Storage Ruby API reference documentation.

# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
# email       = "Google Cloud Storage ACL Entity email"

require "google/cloud/storage"

storage =
bucket  = storage.bucket bucket_name

puts "Permissions for #{email}:"
puts "OWNER"  if bucket.acl.owners.include?  email
puts "WRITER" if bucket.acl.writers.include? email
puts "READER" if bucket.acl.readers.include? email

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.