Update bucket IP filtering rules

This page describes how to update bucket IP filtering rules.

Required roles

To get the required permissions for updating the IP filtering rules on a bucket, ask your administrator to grant you the Storage Admin (roles/storage.admin) role on the bucket. This role contains the permissions required to update bucket IP filtering rules.

The exact permissions that are required are:

  • storage.buckets.update
  • storage.buckets.setIpFilter

You can also get these permissions with custom roles. You might be able to get these permissions with other predefined roles as well. To see which roles are associated with which permissions, refer to IAM roles for Cloud Storage.

For instructions on granting roles for projects, see Manage access to projects.

Update bucket IP filtering rules

Command line

  1. In the Google Cloud console, activate Cloud Shell.


    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Create a JSON file that defines rules for incoming requests. For examples and information about how to structure the bucket IP filtering rules, see Bucket IP filtering configurations.

    {
      "mode": "Enabled",
      "publicNetworkSource": {
        "allowedIpCidrRanges": [
          "RANGE_CIDR",
          ...
        ]
      },
      "vpcNetworkSources": [
        {
          "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
          "allowedIpCidrRanges": [
            "RANGE_CIDR",
            ...
          ]
        },
        ...
      ]
    }
    

    Where:

    • mode is the mode of the IP filter configuration. Valid values are Enabled and Disabled. When set to Enabled, IP filtering rules are applied to a bucket. Any incoming request to the bucket is evaluated against these rules. When set to Disabled, all incoming requests are allowed to access the bucket.

    • RANGE_CIDR is a public network IPv4 or IPv6 address range that's allowed to access the bucket. You can enter one or multiple address ranges as a list.

    • PROJECT_ID is the project ID where the Virtual Private Cloud (VPC) network exists. To configure multiple VPC networks, you need to specify the project where each network is located.

    • NETWORK_NAME is the name of the VPC network that is allowed to access the bucket. To configure multiple VPC networks, you need to specify a name for each network.

  3. To update bucket IP filtering rules, run the gcloud alpha storage buckets update command in your development environment:

    gcloud alpha storage buckets update gs://BUCKET_NAME --ip-filter-file=IP_FILTER_CONFIG_FILE

    Where:

    • BUCKET_NAME is the name of your bucket. For example, my-bucket.
    • IP_FILTER_CONFIG_FILE is the JSON file created in the preceding step.

REST APIs

JSON API

  1. Have the gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Create a JSON file that contains the settings for the bucket, which must include the name and the ipFilter configuration fields for the bucket. For examples and information about how to structure the bucket IP filtering rules, see Bucket IP filtering configurations.

    {
      "name": "BUCKET_NAME",
      "ipFilter": {
        "mode": "Enabled",
        "publicNetworkSource": {
          "allowedIpCidrRanges": [
            "RANGE_CIDR",
            ...
          ]
        },
        "vpcNetworkSources": [
          {
            "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
            "allowedIpCidrRanges": [
              "RANGE_CIDR",
              ...
            ]
          },
          ...
        ]
      }
    }
          

    Where:

    • mode is the state of the IP filter configuration. Valid values are Enabled and Disabled. When set to Enabled, IP filtering rules are applied to a bucket and all incoming requests to the bucket are evaluated against these rules. When set to Disabled, all incoming requests can access the bucket and its data without any evaluation.

    • RANGE_CIDR is a public network IPv4 or IPv6 address range that's allowed to access the bucket. You can enter one or multiple address ranges as a list.

    • PROJECT_ID is the project ID where the VPC network exists. To configure multiple VPC networks, you need to specify the project where each network is located.

    • NETWORK_NAME is the name of the VPC network that is allowed to access the bucket. To configure multiple VPC networks, you need to specify a name for each network.

  3. Use cURL to call the JSON API with a PATCH bucket request:

    curl -X PATCH --data-binary @JSON_FILE_NAME \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?projection=full"

    Where:

    • JSON_FILE_NAME is the name of the JSON file you created in the preceding step.
    • BUCKET_NAME is the name of the bucket whose IP filtering rules you are updating. For example, my-bucket.
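Both procedures on this page take a hand-written JSON configuration, and a typo in a key name, a malformed CIDR, or an allowlist that omits your own address is only discovered after the rules are live on the bucket. The following pre-flight checker is an added example, not Google's code and not part of the gcloud or JSON API tooling. It validates the structure described above (mode values, allowedIpCidrRanges lists, the projects/PROJECT_ID/global/networks/NETWORK_NAME form of network) and evaluates whether a given public client address would be accepted under the semantics the page describes (Disabled allows every request; Enabled allows only addresses inside a listed range). The sample config, project and network names, and all IP ranges are constructed for the example; treating ranges with host bits set as errors and flagging unknown keys are this example's own lint choices, not rules stated by the page.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of the gcloud --ip-filter-file config above.
# Project name, network name and address ranges are made up for this example.
SAMPLE_CONFIG = """
{
  "mode": "Enabled",
  "publicNetworkSource": {
    "allowedIpCidrRanges": ["203.0.113.0/24", "2001:db8::/32"]
  },
  "vpcNetworkSources": [
    {
      "network": "projects/example-project/global/networks/example-vpc",
      "allowedIpCidrRanges": ["10.10.0.0/16"]
    }
  ]
}
"""

# Resource-name shape given on the page for the "network" field.
NETWORK_RE = re.compile(r"^projects/[^/]+/global/networks/[^/]+$")
PUBLIC_KEYS = {"allowedIpCidrRanges"}
VPC_KEYS = {"network", "allowedIpCidrRanges"}


def validate_ip_filter(config):
    """Return a list of problems found in an ipFilter config dict (empty means OK)."""
    problems = []
    mode = config.get("mode")
    if mode not in ("Enabled", "Disabled"):
        problems.append(f"mode must be Enabled or Disabled, got {mode!r}")

    def check_ranges(ranges, where):
        if not isinstance(ranges, list):
            problems.append(f"{where}: allowedIpCidrRanges must be a list")
            return
        for r in ranges:
            try:
                # strict=True rejects ranges with host bits set, e.g. 203.0.113.5/24
                ipaddress.ip_network(r, strict=True)
            except ValueError:
                problems.append(f"{where}: invalid CIDR {r!r}")

    def check_keys(obj, allowed, where):
        # Catches misspelled keys such as allowedipCidrRanges (wrong case).
        for key in set(obj) - allowed:
            problems.append(f"{where}: unknown key {key!r}")

    public = config.get("publicNetworkSource")
    if isinstance(public, dict):
        check_keys(public, PUBLIC_KEYS, "publicNetworkSource")
        check_ranges(public.get("allowedIpCidrRanges", []), "publicNetworkSource")

    vpc_sources = config.get("vpcNetworkSources", [])
    for i, src in enumerate(vpc_sources):
        where = f"vpcNetworkSources[{i}]"
        check_keys(src, VPC_KEYS, where)
        if not NETWORK_RE.match(src.get("network", "")):
            problems.append(f"{where}: network must be projects/PROJECT_ID/global/networks/NETWORK_NAME")
        check_ranges(src.get("allowedIpCidrRanges", []), where)

    if mode == "Enabled" and not isinstance(public, dict) and not vpc_sources:
        problems.append("mode is Enabled but no sources are listed: every request would be rejected")
    return problems


def public_ip_allowed(config, client_ip):
    """Would a request from a public client address pass the rules?

    Follows the page's description: Disabled allows everything, Enabled allows only
    addresses inside a publicNetworkSource range. VPC sources are not consulted
    (assumption: a public client does not arrive through a VPC network).
    """
    if config.get("mode") == "Disabled":
        return True
    addr = ipaddress.ip_address(client_ip)
    ranges = config.get("publicNetworkSource", {}).get("allowedIpCidrRanges", [])
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def check_config_text(text, admin_ip=None):
    """Parse a config file's text and return all problems, including lock-out of admin_ip."""
    config = json.loads(text)
    problems = validate_ip_filter(config)
    if admin_ip and not public_ip_allowed(config, admin_ip):
        problems.append(f"address {admin_ip} would be locked out by this config")
    return problems


if __name__ == "__main__":
    # Run against the file you are about to pass to --ip-filter-file, with the
    # public address you administer from, before applying it to the bucket.
    print(check_config_text(SAMPLE_CONFIG, admin_ip="203.0.113.7"))
```

Run the checker on the file before step 3 of either procedure; an empty list means the structure is sound and the address you supplied is inside an allowed public range. For the JSON API variant, pass the value of the ipFilter field rather than the whole bucket resource.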
