Access Control (IAM & ACLs)

Securing your Cloud Storage data is critical. Google Cloud provides two access control models — IAM (Identity and Access Management) and Access Control Lists (ACLs) — along with additional features like public access prevention and VPC Service Controls.

Two Access Control Models

Uniform Bucket-Level Access (Recommended)

Uniform access uses IAM only to control access to the bucket and its objects. ACLs are disabled, providing a simpler, more consistent security model.

# Enable uniform bucket-level access
gsutil uniformbucketlevelaccess set on gs://my-bucket

Important: After enabling uniform access, there is a 90-day grace period during which you can revert. After 90 days, it becomes permanent.

Fine-Grained Access (ACLs)

Fine-grained access allows per-object ACLs in addition to IAM. This is the legacy model and is generally not recommended for new buckets because:

It adds complexity
ACLs and IAM interact in ways that are hard to audit
IAM alone is sufficient for most use cases

Access Control (IAM & ACLs)

Access Control (IAM & ACLs)

Two Access Control Models

Uniform Bucket-Level Access (Recommended)

Fine-Grained Access (ACLs)

IAM Roles for Cloud Storage

Predefined Roles

More in Cloud