Issue: Requests to a public bucket directly, or via Cloud CDN, are failing
HTTP 401: Unauthorized and an
Authentication Required response.
Solution: Check that your client, or any intermediate proxy, is not adding an
Authorization header to requests to Cloud Storage. Any request with
Authorization header, even if empty, is validated as if it were an
403: Account Disabled
Issue: I tried to create a bucket but got a
403 Account Disabled error.
Solution: This error indicates that you have not yet turned on billing for the associated project. For steps for enabling billing, see Enable billing for a project.
403: Access Denied
Issue: I tried to list the objects in my bucket but got a
403 Access Denied error and/or a message similar to
Anonymous caller does not have storage.objects.list access.
Solution: Check that your credentials are correct. For example, if you are
using gsutil, check that the credentials stored in your
.boto file are
accurate. Also, confirm that gsutil is using the
.boto file you expect by
using the command
gsutil version -l and checking the
config path(s) entry.
Assuming you are using the correct credentials, are your requests being routed
through a proxy, using HTTP (instead of HTTPS)? If so, check whether your proxy
is configured to remove the
Authorization header from such requests. If so,
make sure you are using HTTPS instead of HTTP for your requests.
Issue: I tried to create a bucket but received the following error:
409 Conflict. Sorry, that name is not available. Please try a different one.
Solution: The bucket name you tried to use (e.g.
is already taken. Cloud Storage has a global namespace so you may not name a
bucket with the same name as an existing bucket. Choose a name that is not being
Issue: I'm connecting through a proxy server, what do I need to do?
Solution: To access Cloud Storage through a proxy server, you must allow access to these domains:
accounts.google.comfor creating OAuth2 authentication tokens via
oauth2.googleapis.comfor performing OAuth2 token exchanges
*.googleapis.comfor storage requests
If your proxy server or security policy doesn't support whitelisting by domain and instead requires whitelisting by IP network block, we strongly recommend that you configure your proxy server for all Google IP address ranges. You can find the address ranges by querying WHOIS data at ARIN. As a best practice, you should periodically review your proxy settings to ensure they match Google's IP addresses.
We do not recommend configuring your proxy with individual IP addresses you
obtain from one-time lookups of
storage.googleapis.com. Because Google services are exposed via DNS names that
map to a large number of IP addresses that can change over time, configuring
your proxy based on a one-time lookup may lead to failures to connect to
If your requests are being routed through a proxy server, you may need to
check with your network administrator to ensure that the
header containing your credentials is not stripped out by the proxy. Without
Authorization header, your requests are rejected and you receive a
Issue: I tried to use the
gsutil stat command to display object
status for a subdirectory and got an error.
Solution: Cloud Storage uses a flat namespace to store objects in buckets.
While you can use slashes ("/") in object names to make it appear as if objects
are in a hierarchical structure, the
gsutil stat command treats a trailing
slash as part of the object name.
For example, if you run the command
gsutil -q stat gs://my-bucket/my-object/,
gsutil looks up information about the object
my-object/ (with a trailing
slash), as opposed to operating on objects nested under
Unless you actually have an object with that name, the operation fails.
For subdirectory listing, use the
gsutil ls instead.
Issue: I tried to authenticate gsutil using the
gcloud auth command, but
I still cannot access my buckets or objects.
Solution: Your system may have both the stand-alone and Cloud SDK
versions of gsutil installed on it. Run the command
gsutil version -l and
check the value for
using cloud sdk. If
False, your system is using the
stand-alone version of gsutil when you run commands. You can either remove
this version of gsutil from your system, or you can authenticate using the
gsutil config command.
Bucket configured as a website
The following are common issues that you may encounter when setting up a bucket to host a static website.
Issue: I want to serve my content over HTTPS without using a load balancer.
Solution: You can serve static content through HTTPS using direct URIs
https://storage.googleapis.com/my-bucket/my-object. For other options
to serve your content through a custom domain over SSL, you can:
- Use a third-party Content Delivery Network with Cloud Storage.
- Serve your static website content from Firebase Hosting instead of Cloud Storage.
Issue: I can't verify my domain.
Solution: Normally, the verification process in Search Console directs you to upload a file to your domain, but you may not have a way to do this without first having an associated bucket, which you can only create after you have performed domain verification.
In this case, verify ownership using the Domain name provider verification method. See Ownership verification for steps to accomplish this. This verification can be done before the bucket is created.
Issue: I get an
Access denied error message for a web page served by my
Solution: Check that the object is shared publicly. If it is not, see Making Data Public for instructions on how to do this.
If you previously uploaded and shared an object, but then upload a new version of it, then you must reshare the object publicly. This is because the public permission is overwritten with the new upload.
Issue: I am prompted to download my page's content, instead of being able to view it in my browser.
Solution: If you specify a
MainPageSuffix as an object that does not have
a web content type, then instead of serving the page, site visitors are prompted
to download the content. To resolve this issue, update the content-type
metadata entry to a suitable value, such as
Editing object metadata for instructions on how to do this.
Content download using
Issue: I am downloading my public content from
and I receive a
403 - Forbidden error when I navigate to the public object
https://storage.cloud.google.com/[BUCKET_NAME]/[OBJECT_NAME]in the browser.
storage.cloud.google.com to download objects is known as
authenticated browser downloads; it always uses cookie-based
authentication, even when objects are made publicly accessible to
you have enabled audit logs for Cloud Storage, one of the
restrictions of that feature is the disablement of authenticated browser
downloads; such downloads result in a
403 response when audit logs are
To avoid this issue, either audit logs, or switch to direct API calls which support unauthenticated downloads.
301: Moved Permanently
Issue: Accessing a directory path returns an empty object and a
Solution: If your browser downloads a zero byte object and you get a
HTTP response code when accessing a directory, such as
http://www.example.com/dir/, your bucket most likely contains an empty object
of that name. To check that this is the case and fix the issue:
- Open the Cloud Storage browser in the Google Cloud Console.
Open the Cloud Storage browser
- Click the Activate Cloud Shell button at the top of the Google Cloud Console.
gsutil ls -R gs://www.example.com/dir/. If the output includes
http://www.example.com/dir/, you have an empty object at that location.
- Remove the empty object with the command:
gsutil rm gs://www.example.com/dir/
You can now access
http://www.example.com/dir/ and have it return that
index.html file instead of the empty object.
Understanding errors in the Cloud Storage browser
Issue: When using the Cloud Storage browser to perform an operation, I get a generic error message. For example, I see an error message when trying to delete a bucket, but I don't see details for why the operation failed.
Solution: Use the Google Cloud Console's notifications to see detailed information about the failed operation:
Click the Notifications button in the Google Cloud Console header.
A dropdown displays the most recent operations performed by the Google Cloud Console.
Click the item you want to find out more about.
A page opens up and displays detailed information about the operation.
Click on each row to expand the detailed error information.
Below is an example of error information for a failed bucket deletion operation, which explains that a bucket retention policy prevented the deletion of the bucket.