This page shows you how to enable, disable, and check the status of uniform bucket-level access on a bucket in Cloud Storage.
Required roles
To get the permissions that you need to set and manage uniform bucket-level access on a bucket, ask your administrator to grant you the Storage Admin (roles/storage.admin) role on the bucket. This predefined role contains the permissions required to set and manage uniform bucket-level access. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
- storage.buckets.get
- storage.buckets.list
  - This permission is only required if you plan on using the Google Cloud console to perform the instructions on this page.
- storage.buckets.update
You might also be able to get these permissions with custom roles.
For information about granting roles on buckets, see Use IAM with buckets.
Check for ACL usage
Before you enable uniform bucket-level access, use Cloud Monitoring to ensure your bucket is not using ACLs for any workflows. For more information, see Check object ACL usage.
Console
To view the metrics for a monitored resource by using the Metrics Explorer, do the following:
- In the Google Cloud console, go to the Metrics explorer page. If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- In the Metric element, expand the Select a metric menu, enter ACLs usage in the filter bar, and then use the submenus to select a specific resource type and metric:
  - In the Active resources menu, select GCS Bucket.
  - In the Active metric categories menu, select Authz.
  - In the Active metrics menu, select ACLs usage.
  - Click Apply.
- Configure how the data is viewed. For example, to view your data by the ACL operation, for the Aggregation element, set the first menu to Sum and the second menu to acl_operation.
For more information about configuring a chart, see Select metrics when using Metrics Explorer.
See storage for a complete list of metrics available for Cloud Storage. For information about time series, see Metrics, time series, and resources.
JSON API
1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Use cURL to call the Monitoring JSON API:
curl \
  'https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%20%3D%20%22storage.googleapis.com%2Fauthz%2Facl_operations_count%22&interval.endTime=END_TIME&interval.startTime=START_TIME' \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header 'Accept: application/json'
Where:
- PROJECT_ID is the project ID or number for which you want to view ACL usage. For example, my-project.
- END_TIME is the end of the time range for which you want to view ACL usage. For example, 2019-11-02T15:01:23.045123456Z.
- START_TIME is the start of the time range for which you want to view ACL usage. For example, 2016-10-02T15:01:23.045123456Z.
If the request returns an empty object {}, there is no recent ACL usage for your project.
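As an added example (not part of the original page), the following Python code totals the acl_operations_count time series returned by the request above per bucket and per ACL operation, so you can see which buckets still have ACL traffic before you switch them to uniform bucket-level access. The response body is constructed sample data, the acl_operation label values are placeholders, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample of a timeSeries.list response body; not real data.
# The acl_operation label values are placeholders, not real label values.
SAMPLE_RESPONSE = json.loads("""
{"timeSeries": [
  {"metric": {"type": "storage.googleapis.com/authz/acl_operations_count",
              "labels": {"acl_operation": "EXAMPLE_OP_A"}},
   "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "my-bucket"}},
   "points": [{"value": {"int64Value": "3"}}, {"value": {"int64Value": "4"}}]},
  {"metric": {"type": "storage.googleapis.com/authz/acl_operations_count",
              "labels": {"acl_operation": "EXAMPLE_OP_B"}},
   "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "my-bucket"}},
   "points": [{"value": {"int64Value": "1"}}]},
  {"metric": {"type": "storage.googleapis.com/authz/acl_operations_count",
              "labels": {"acl_operation": "EXAMPLE_OP_A"}},
   "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "logs-bucket"}},
   "points": [{"value": {"int64Value": "0"}}]}
]}
""")


def summarize_acl_usage(response):
    """Return {bucket: {acl_operation: total_count}} for a timeSeries response."""
    usage = defaultdict(lambda: defaultdict(int))
    # An empty object {} has no "timeSeries" key: no recent ACL usage.
    for series in response.get("timeSeries", []):
        bucket = series.get("resource", {}).get("labels", {}).get("bucket_name", "<unknown>")
        op = series.get("metric", {}).get("labels", {}).get("acl_operation", "<unknown>")
        # INT64 point values are serialized as JSON strings; convert before summing.
        total = sum(int(p.get("value", {}).get("int64Value", 0))
                    for p in series.get("points", []))
        usage[bucket][op] += total
    return {bucket: dict(ops) for bucket, ops in usage.items()}


def buckets_still_using_acls(response):
    """Return the sorted bucket names with a non-zero ACL operation count."""
    summary = summarize_acl_usage(response)
    return sorted(b for b, ops in summary.items() if sum(ops.values()) > 0)


if __name__ == "__main__":
    print(summarize_acl_usage(SAMPLE_RESPONSE))
    print(buckets_still_using_acls(SAMPLE_RESPONSE))
    print(buckets_still_using_acls({}))  # empty response: no ACL usage found
```

A response that carries a nextPageToken is only one page of results, so fetch the remaining pages before concluding that a bucket has no ACL usage.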
Set uniform bucket-level access
To enable or disable uniform bucket-level access on your bucket, complete the following instructions:
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
- In the list of buckets, click the name of the bucket for which you want to enable or disable uniform bucket-level access.
- Select the Permissions tab near the top of the page.
- In the field named Access Control, click the Switch to link.
- In the menu that appears, select Uniform or Fine-grained.
- Click Save.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud storage buckets update command:
gcloud storage buckets update gs://BUCKET_NAME --STATE
Where:
- BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
- STATE is either uniform-bucket-level-access to enable uniform bucket-level access or no-uniform-bucket-level-access to disable it.
Client libraries
Client library samples that enable and disable uniform bucket-level access on a bucket are available for C++, C#, Go, Java, Node.js, PHP, Python, and Ruby. For more information, see the Cloud Storage API reference documentation for your language.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
REST APIs
JSON API
1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Create a JSON file that contains the following information:
{
  "iamConfiguration": {
    "uniformBucketLevelAccess": {
      "enabled": STATE
    }
  }
}
Where STATE is either true or false.
3. Use cURL to call the JSON API with a PATCH Bucket request:
curl -X PATCH --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where:
- JSON_FILE_NAME is the path for the file that you created in Step 2.
- BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
XML API
The XML API cannot be used to work with uniform bucket-level access. Use one of the other Cloud Storage tools, such as the gcloud CLI, instead.
View uniform bucket-level access status
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
- Click the name of the bucket whose status you want to view.
- Click the Configuration tab.
- The uniform bucket-level access status for the bucket is found in the Access control field.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud storage buckets describe command with the --format flag:
gcloud storage buckets describe gs://BUCKET_NAME --format="default(uniform_bucket_level_access)"
Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
If successful, the response looks like:
uniform_bucket_level_access: true
Client libraries
For more information, see the Cloud Storage API reference documentation for C++, C#, Go, Java, Node.js, PHP, Python, or Ruby.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
REST APIs
JSON API
1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
2. Use cURL to call the JSON API with a GET Bucket request that includes the desired fields:
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
If the bucket has uniform bucket-level access enabled, the response looks like the following example:
{
  "iamConfiguration": {
    "uniformBucketLevelAccess": {
      "enabled": true,
      "lockedTime": "LOCK_DATE"
    }
  }
}
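As an added example (not part of the original page), the following Python code classifies GET Bucket responses of the shape shown above across several buckets, which is useful when auditing which buckets still rely on fine-grained access. It assumes that lockedTime is the deadline after which uniform bucket-level access can no longer be disabled; the bucket names, timestamps, and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed GET Bucket responses (fields=iamConfiguration), keyed by bucket name.
SAMPLE_RESPONSES = {
    "my-bucket": {"iamConfiguration": {"uniformBucketLevelAccess": {
        "enabled": True, "lockedTime": "2024-06-01T00:00:00.000Z"}}},
    "new-bucket": {"iamConfiguration": {"uniformBucketLevelAccess": {
        "enabled": True, "lockedTime": "2024-09-15T12:30:00.000Z"}}},
    "legacy-bucket": {"iamConfiguration": {"uniformBucketLevelAccess": {
        "enabled": False}}},
    "odd-bucket": {},  # field missing entirely: treated as not enabled
}


def ubla_status(response, now):
    """Classify one response as 'disabled', 'enabled' or 'locked'."""
    ubla = response.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    # Only an explicit JSON true counts; a missing or false value is disabled.
    if ubla.get("enabled") is not True:
        return "disabled"
    locked = ubla.get("lockedTime")
    if locked is None:
        return "enabled"
    # RFC 3339 timestamp; map the trailing Z to an explicit UTC offset.
    deadline = datetime.fromisoformat(locked.replace("Z", "+00:00"))
    # Assumption: after lockedTime the setting can no longer be turned off.
    return "locked" if now >= deadline else "enabled"


def audit(responses, now):
    """Return {bucket_name: status} for every response."""
    return {name: ubla_status(resp, now) for name, resp in sorted(responses.items())}


if __name__ == "__main__":
    # Fixed, constructed audit time so the output is reproducible.
    audit_time = datetime(2024, 7, 1, tzinfo=timezone.utc)
    for bucket, status in audit(SAMPLE_RESPONSES, audit_time).items():
        print(f"{bucket}: {status}")
```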
XML API
The XML API cannot be used to work with uniform bucket-level access. Use one of the other Cloud Storage tools, such as the gcloud CLI, instead.