This page describes how to use the public access prevention bucket setting and the public access prevention organization policy constraint. Public access prevention allows you to restrict public access to your buckets and objects.
Before you begin
Before using public access prevention in Cloud Storage, you must have the correct permissions for the hierarchy level at which you want to set public access prevention.
Before you begin, it's also recommended that you ensure no workflows break as a result of blocking public access. See Considerations when enforcing on existing resources for more details.
Use the bucket setting
This section shows how to enforce and remove public access prevention for individual buckets, as well as how to check the status of individual buckets.
Set public access prevention
To change the public access prevention setting for an individual bucket:
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
For the bucket for which you want to enforce or remove public access prevention, click the more actions menu (
).Select Edit access from the drop-down menu.
In the Public access card, click Prevent public access to enforce public access prevention, or click Allow public access to remove public access prevention.
Click Confirm.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
gcloud
Use the gcloud storage buckets update command with the
appropriate flag:
gcloud storage buckets update gs://BUCKET_NAME FLAG
Where:
BUCKET_NAMEis the name of the relevant bucket. For example,my-bucket.FLAGis either--public-access-preventionto enable public access prevention or--no-public-access-preventionto disable it.
If successful, the response looks similar to the following example:
Updating gs://my-bucket/... Completed 1
gsutil
Use the pap set command:
gsutil pap set STATE gs://BUCKET_NAME
Where:
STATEis eitherenforcedorinherited.BUCKET_NAMEis the name of the relevant bucket. For example,my-bucket.
Client libraries
For more information, see the
Cloud Storage C++ API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage C# API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Go API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Java API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Node.js API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage PHP API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Python API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Ruby API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to C++
inherited for a bucket:C#
inherited for a bucket:Go
inherited for a bucket:Java
inherited for a bucket:Node.js
inherited for a bucket:PHP
inherited for a bucket:Python
inherited for a bucket:Ruby
inherited for a bucket:
REST APIs
JSON API
- Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
Create a JSON file that contains the following information:
{ "iamConfiguration": { "publicAccessPrevention": "STATE", } }Where
<var>STATE</var>is eitherenforcedorinherited.Use
cURLto call the JSON API with aPATCHBucket request that includes the desiredfields:curl -X PATCH --data-binary @JSON_FILE_NAME \ -H "Authorization: Bearer OAUTH2_TOKEN" \ -H "Content-Type: application/json" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"Where:
JSON_FILE_NAMEis the path for the JSON file that you created in the previous step.OAUTH2_TOKENis the access token you generated in a previous step.BUCKET_NAMEis the name of the relevant bucket. For example,my-bucket.
XML API
The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
View public access prevention status
To view the public access prevention status for an individual bucket:
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
Click on the name of the bucket for which you want to view the public access prevention status.
Click on the Permissions tab.
The Public access card shows the status for your bucket.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
gcloud
Use the gcloud storage buckets describe command with the
--format flag:
gcloud storage buckets describe gs://BUCKET_NAME --format="default(public_access_prevention)"
Where BUCKET_NAME is the name of the bucket
whose status you want to view. For example, my-bucket.
If successful, the response looks similar to the following example:
public_access_prevention:inherited
gsutil
Use the pap get command:
gsutil pap get gs://BUCKET_NAME
where BUCKET_NAME is the name of the relevant
bucket. For example, my-bucket.
If successful, the response looks similar to the following example:
Public Access Prevention setting for gs://BUCKET_NAME/: FLAG
Where FLAG is either inherited or enforced.
Client libraries
For more information, see the
Cloud Storage C++ API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
For more information, see the
Cloud Storage C# API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
For more information, see the
Cloud Storage Go API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
For more information, see the
Cloud Storage Java API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
For more information, see the
Cloud Storage Node.js API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
For more information, see the
Cloud Storage PHP API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
For more information, see the
Cloud Storage Python API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
For more information, see the
Cloud Storage Ruby API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for a local development environment.
C++
C#
Go
Java
Node.js
PHP
Python
Ruby
REST APIs
JSON API
- Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
Use
cURLto call the JSON API with aGETBucket request that includes the desiredfields:curl -X GET -H "Authorization: Bearer OAUTH2_TOKEN" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where:
OAUTH2_TOKENis the access token you generated in a previous step.BUCKET_NAMEis the name of the relevant bucket. For example,my-bucket.
The response looks like the following example:
{ "iamConfiguration": { ... "publicAccessPrevention": "FLAG" } }Where
FLAGis eitherinheritedorenforced.
XML API
The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
Use the organization policy
This section shows how to enforce and remove the public access prevention organization policy, as well as how to check the status of the policy.
Set public access prevention
To set public access prevention at the project, folder, or organization level:
Console
Follow the instructions at Creating and managing organization policies
using the storage.publicAccessPrevention constraint.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
gcloud
Use the gcloud beta resource-manager org-policies command:
gcloud beta resource-manager org-policies STATE \ constraints/storage.publicAccessPrevention \ --RESOURCE RESOURCE_ID
Where:
STATEcan have the following values:enable-enforce: Enforce public access prevention for the resource.disable-enforce: Disable public access prevention for the resource.delete: Remove the organization policy constraint from the resource, so that the resource inherits the value of its parent resource.
RESOURCEis the resource for which you want to set public access prevention. For example,organization,project, orfolder.RESOURCE_IDis the ID for resource. For example,123456789012for an organization ID,245321for a folder ID, ormy-pet-projectfor a project ID.
See Using constraints for more instructions.
The following is an example of the output when you use disable-enforce:
etag: BwVJi0OOESU=
booleanPolicy: {}
constraint: constraints/storage.publicAccessPreventionView public access prevention status
To view the public access prevention status at the project, folder, organization level:
Console
Follow the instructions at Creating and managing organization policies
using the storage.publicAccessPrevention constraint.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
gcloud
Use the describe --effective command:
gcloud beta resource-manager org-policies describe \ constraints/storage.publicAccessPrevention --effective \ --RESOURCE RESOURCE_ID
Where:
RESOURCEis the resource for which you want to view the public access prevention status. For example,organization,project, orfolder.RESOURCE_IDis the ID for the resource. For example,123456789012for an organization ID,245321for a folder ID, andmy-pet-projectfor a project ID.
See Using constraints for more instructions.