This page describes how to use the public access prevention bucket setting and the public access prevention organization policy constraint. Public access prevention lets you restrict public access to your buckets and objects.
Before you begin
Before using public access prevention in Cloud Storage, make sure you have the required IAM role and review the considerations for enforcing public access prevention.
Get required roles
To manage the public access prevention organization policy at the project,
folder, or organization level, ask your administrator to grant you the
Organization Policy Administrator (roles/orgpolicy.policyAdmin
)
role on the organization. This predefined role contains the
permissions required to manage public access prevention at the project, folder,
or organization level. For information about the permissions that are included
in this role, refer to
details about the Organization Administrator role.
To manage the public access prevention setting on a bucket, ask your
administrator to grant you the Storage Admin (roles/storage.admin
) role
on the bucket. This role contains the permissions required to manage public
access prevention on a bucket. To see the exact permissions that are required,
expand the Required permissions section:
Required permissions
storage.buckets.update
storage.buckets.setIamPolicy
For information about the other permissions that are included in the Storage Admin role, refer to details about the Storage Admin role.
Review considerations
Before you begin, it's recommended that you ensure no workflows break as a result of blocking public access. See Considerations when enforcing on existing resources for more details.
Use the bucket setting
This section shows how to enforce and remove public access prevention for individual buckets, as well as how to check the status of individual buckets.
Set public access prevention
To change the public access prevention setting for an individual bucket:
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
In the list of buckets, click the name of the bucket for which you want to enforce or remove public access prevention.
In the Bucket details page, click the Permissions tab.
In the Public access card, click Prevent public access to enforce public access prevention, or click Allow public access to remove public access prevention.
Click Confirm.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud storage buckets update
command with the
appropriate flag:
gcloud storage buckets update gs://BUCKET_NAME FLAG
Where:
BUCKET_NAME
is the name of the relevant bucket. For example,my-bucket
.FLAG
is either--public-access-prevention
to enable public access prevention or--no-public-access-prevention
to disable it.
If successful, the response looks similar to the following example:
Updating gs://my-bucket/... Completed 1
Client libraries
For more information, see the
Cloud Storage C++ API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage C# API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Go API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Java API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Node.js API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage PHP API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Python API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to
For more information, see the
Cloud Storage Ruby API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
The following sample enforces public access prevention on a bucket: The following sample sets public access prevention to C++
inherited
for a bucket:C#
inherited
for a bucket:Go
inherited
for a bucket:Java
inherited
for a bucket:Node.js
inherited
for a bucket:PHP
inherited
for a bucket:Python
inherited
for a bucket:Ruby
inherited
for a bucket:
REST APIs
JSON API
Have gcloud CLI installed and initialized, which lets you generate an access token for the
Authorization
header.Create a JSON file that contains the following information:
{ "iamConfiguration": { "publicAccessPrevention": "STATE", } }
Where
<var>STATE</var>
is eitherenforced
orinherited
.Use
cURL
to call the JSON API with aPATCH
Bucket request that includes the desiredfields
:curl -X PATCH --data-binary @JSON_FILE_NAME \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where:
JSON_FILE_NAME
is the path for the JSON file that you created in the previous step.BUCKET_NAME
is the name of the relevant bucket. For example,my-bucket
.
XML API
The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
View public access prevention status
To view the public access prevention status for an individual bucket:
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
Click the name of the bucket for which you want to view the public access prevention status.
Click the Permissions tab.
The Public access card shows the status for your bucket.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud storage buckets describe
command with the
--format
flag:
gcloud storage buckets describe gs://BUCKET_NAME --format="default(public_access_prevention)"
Where BUCKET_NAME
is the name of the bucket
whose status you want to view. For example, my-bucket
.
If successful, the response looks similar to the following example:
public_access_prevention:inherited
Client libraries
For more information, see the
Cloud Storage C++ API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
For more information, see the
Cloud Storage C# API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
For more information, see the
Cloud Storage Go API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
For more information, see the
Cloud Storage Java API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
For more information, see the
Cloud Storage Node.js API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
For more information, see the
Cloud Storage PHP API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
For more information, see the
Cloud Storage Python API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
For more information, see the
Cloud Storage Ruby API
reference documentation.
To authenticate to Cloud Storage, set up Application Default Credentials.
For more information, see
Set up authentication for client libraries.
C++
C#
Go
Java
Node.js
PHP
Python
Ruby
REST APIs
JSON API
Have gcloud CLI installed and initialized, which lets you generate an access token for the
Authorization
header.Use
cURL
to call the JSON API with aGET
Bucket request that includes the desiredfields
:curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where
BUCKET_NAME
is the name of the relevant bucket. For example,my-bucket
.The response looks like the following example:
{ "iamConfiguration": { ... "publicAccessPrevention": "FLAG" } }
Where
FLAG
is eitherinherited
orenforced
.
XML API
The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
Use the organization policy
This section shows how to enforce and remove the public access prevention organization policy, as well as how to check the status of the policy.
Set public access prevention
To set public access prevention at the project, folder, or organization level:
Console
Follow the instructions at Creating and managing organization policies
using the storage.publicAccessPrevention
constraint.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud beta resource-manager org-policies
command:
gcloud beta resource-manager org-policies STATE \ constraints/storage.publicAccessPrevention \ --RESOURCE RESOURCE_ID
Where:
STATE
can have the following values:enable-enforce
: Enforce public access prevention for the resource.disable-enforce
: Disable public access prevention for the resource.delete
: Remove the organization policy constraint from the resource, so that the resource inherits the value of its parent resource.
RESOURCE
is the resource for which you want to set public access prevention. For example,organization
,project
, orfolder
.RESOURCE_ID
is the ID for resource. For example,123456789012
for an organization ID,245321
for a folder ID, ormy-pet-project
for a project ID.
See Using constraints for more instructions.
The following is an example of the output when you use disable-enforce
:
etag: BwVJi0OOESU= booleanPolicy: {} constraint: constraints/storage.publicAccessPrevention
View public access prevention status
To view the public access prevention status at the project, folder, organization level:
Console
Follow the instructions at Creating and managing organization policies
using the storage.publicAccessPrevention
constraint.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the describe --effective
command:
gcloud beta resource-manager org-policies describe \ constraints/storage.publicAccessPrevention --effective \ --RESOURCE RESOURCE_ID
Where:
RESOURCE
is the resource for which you want to view the public access prevention status. For example,organization
,project
, orfolder
.RESOURCE_ID
is the ID for the resource. For example,123456789012
for an organization ID,245321
for a folder ID, andmy-pet-project
for a project ID.
See Using constraints for more instructions.