Securing your Cloud Storage data is critical. Google Cloud provides two access control models — IAM (Identity and Access Management) and Access Control Lists (ACLs) — along with additional features like public access prevention and VPC Service Controls.
Uniform bucket-level access uses IAM alone to control access to the bucket and its objects. ACLs are disabled, which gives a simpler and more consistent security model: every grant is visible in one IAM policy instead of being spread across per-object ACLs. This is the recommended model for new buckets.

```bash
# Enable uniform bucket-level access
gsutil uniformbucketlevelaccess set on gs://my-bucket
```

Important: after enabling uniform access there is a 90-day grace period during which you can revert. After 90 days it becomes permanent. Because enabling it disables ACLs, check first whether any principals rely solely on object ACLs for access; they lose that access at the moment you switch, so grant the equivalent IAM role beforehand.
Fine-grained access allows per-object ACLs in addition to IAM. This is the legacy model and is generally not recommended for new buckets because:
| Role | Permissions |
|---|---|
| roles/storage.objectViewer | Read objects and their metadata, and list the objects in a bucket |
| roles/storage.objectCreator | Upload (create) objects; cannot read, list, or overwrite existing objects |
| roles/storage.objectAdmin | Full control over objects (read, list, write, delete) |
| roles/storage.admin | Full control over buckets and objects, including bucket IAM policies |
| roles/storage.legacyBucketReader | Read bucket metadata (excluding IAM policy) and list objects (legacy, paired with ACLs) |
```bash
# Grant a user read access to all objects in a bucket
gsutil iam ch user:alice@example.com:objectViewer gs://my-bucket

# Grant a service account write (create-only) access
gsutil iam ch serviceAccount:etl-sa@my-project.iam.gserviceaccount.com:objectCreator gs://my-bucket

# Grant access at the project level (applies to every bucket in the project,
# including buckets created later; prefer bucket-level grants for least privilege)
gcloud projects add-iam-policy-binding my-project \
  --member=user:alice@example.com \
  --role=roles/storage.objectViewer
```
IAM Conditions let you add contextual restrictions to a binding. Conditions on a bucket's policy require uniform bucket-level access to be enabled and use IAM policy version 3. When restricting by object name, end the prefix with a slash: `.../objects/analytics` would also match `.../objects/analytics-private/...`.

```bash
# Grant access only to objects with a specific prefix
gcloud storage buckets add-iam-policy-binding gs://my-bucket \
  --member=user:analyst@example.com \
  --role=roles/storage.objectViewer \
  --condition='expression=resource.name.startsWith("projects/_/buckets/my-bucket/objects/analytics/"),title=analytics-prefix-only'
```
You can restrict by:
ACLs are the legacy per-object (and per-bucket) access control mechanism. They are only available on buckets that have not enabled uniform bucket-level access, and a public grant such as AllUsers is rejected when public access prevention is enforced on the bucket or its organization.

Each ACL entry (called a "scope-permission pair") consists of:

```bash
# Grant public read access to a specific object (ACL)
gsutil acl ch -u AllUsers:R gs://my-bucket/public-image.png

# Remove public access
gsutil acl ch -d AllUsers gs://my-bucket/public-image.png
```
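The IAM bindings, the conditional prefix grant, and the object ACL above are the three places where a bucket leaks data in practice. The following script is an added example, not code from the lesson: it audits an exported IAM policy and an object ACL offline for public principals, admin-level roles, and badly scoped prefix conditions, and emits the matching removal command. The two sample documents are constructed to mirror the shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and `gsutil acl get gs://BUCKET/OBJECT`; the bucket name, principals, and the deliberately slash-less prefix are assumptions for illustration.

```python
"""Offline audit of a bucket IAM policy and a legacy object ACL for public or
over-broad access. Added example, not part of the lesson; bucket and
principal names are assumed, and both sample documents are constructed."""
import re

BUCKET = "my-bucket"  # assumed bucket name, as in the lesson's commands
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# gsutil spells the public scopes this way in `acl ch -d`.
GSUTIL_SCOPE = {"allUsers": "AllUsers", "allAuthenticatedUsers": "AllAuthenticatedUsers"}
# Roles that can change or delete objects, the bucket, or its policy: review every grant.
ADMIN_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin",
               "roles/storage.legacyBucketOwner"}
PREFIX_RE = re.compile(r'resource\.name\.startsWith\("([^"]*)"\)')

# Constructed sample: IAM policy of a uniform-access bucket (policy version 3
# is what conditional bindings use).
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com", "allUsers"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:etl-sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:analyst@example.com"],
         "condition": {
             "title": "analytics-prefix-only",
             # Missing trailing slash: also matches objects under analytics-private/.
             "expression": 'resource.name.startsWith("projects/_/buckets/my-bucket/objects/analytics")'}},
    ],
}

# Constructed sample: legacy ACL of one object in a fine-grained bucket.
SAMPLE_ACL = [
    {"entity": "project-owners-123456", "role": "OWNER",
     "projectTeam": {"projectNumber": "123456", "team": "owners"}},
    {"entity": "user-alice@example.com", "email": "alice@example.com", "role": "READER"},
    {"entity": "allUsers", "role": "READER"},
]


def condition_matches(prefix, object_name, bucket=BUCKET):
    """Evaluate resource.name.startsWith(prefix) the way IAM does for an object:
    resource.name is 'projects/_/buckets/<bucket>/objects/<object>'."""
    return f"projects/_/buckets/{bucket}/objects/{object_name}".startswith(prefix)


def audit_iam_policy(policy, bucket=BUCKET):
    """Return (finding, remediation command or None) pairs for risky bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append((
                    f"PUBLIC: {member} holds {role}",
                    f"gcloud storage buckets remove-iam-policy-binding gs://{bucket} "
                    f"--member={member} --role={role}"))
            elif role in ADMIN_ROLES:
                findings.append((f"ADMIN: {member} holds {role}; confirm this is required", None))
        cond = binding.get("condition")
        if cond is None:
            continue
        match = PREFIX_RE.search(cond.get("expression", ""))
        if not match:
            findings.append((f"CONDITION: '{cond.get('title')}' is not a simple prefix; review manually", None))
            continue
        prefix = match.group(1)
        if not prefix.startswith(f"projects/_/buckets/{bucket}/objects/"):
            findings.append((f"CONDITION: '{cond['title']}' prefix {prefix!r} is not scoped to gs://{bucket}", None))
        elif not prefix.endswith("/"):
            sibling = prefix.rsplit("/", 1)[1] + "-private/"
            findings.append((f"CONDITION: '{cond['title']}' prefix {prefix!r} lacks a trailing slash "
                             f"and also matches sibling names such as {sibling}", None))
    return findings


def audit_acl(acl, object_path):
    """Return (finding, remediation command) pairs for public entries in an object ACL."""
    return [(f"PUBLIC: ACL grants {entry['role']} to {entry['entity']}",
             f"gsutil acl ch -d {GSUTIL_SCOPE[entry['entity']]} gs://{object_path}")
            for entry in acl if entry["entity"] in PUBLIC_MEMBERS]


if __name__ == "__main__":
    results = audit_iam_policy(SAMPLE_POLICY) + audit_acl(SAMPLE_ACL, f"{BUCKET}/public-image.png")
    for finding, fix in results:
        print(finding, "\n   fix:", fix or "manual review")
```

Run it against real output by replacing the two samples with `json.load`ed files from the two commands named in the lead-in. The prefix finding is the one that tends to slip through review: `condition_matches` shows that a prefix without the trailing slash grants the analyst `analytics-private/salaries.csv` as well as `analytics/report.csv`.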