Sharing and collaboration

This document provides common data sharing and collaboration scenarios. It includes how to configure your project and bucket Identity and Access Management (IAM) policies to implement the scenarios.

Storage and maintenance of private data

In this scenario, a company's marketing analyst wants to use Cloud Storage to back up confidential revenue forecasts and sales projection data. The data must be accessible only by the marketing analyst. The company's IT department oversees and manages the company's Cloud Storage account. Their primary management responsibilities include creating and sharing buckets so that various departments throughout the company have access to Cloud Storage.

To meet the confidentiality and privacy needs of the marketing analyst, the bucket and object permissions must allow the IT staff to maintain the bucket in which the spreadsheets are stored, but also ensure that the IT staff cannot view or download the data that is stored in the bucket. To accomplish this, you create a bucket named finance-marketing and grant the following roles for the listed resources to the specified principals:

Role: Storage Legacy Bucket Owner
Resource: The bucket finance-marketing
Principal: IT staff
Description: Giving the IT staff the Storage Legacy Bucket Owner role for the bucket allows them to perform common bucket management tasks, such as deleting objects and changing the IAM policy on the bucket. It also allows the IT staff to list the contents of the finance-marketing bucket, but not view or download any of the contents.

Role: Storage Object User
Resource: The bucket finance-marketing
Principal: Marketing analyst
Description: Giving the marketing analyst the Storage Object User role for the bucket allows her to upload, view, update, and delete objects in the bucket.

With these roles, nobody except the marketing analyst can view or download the objects that are in the bucket. The IT staff can still list the contents of the finance-marketing bucket, and they can delete and replace the files that are stored in the bucket should the need arise.

Caution: Because the IT staff has permission to manage the bucket, it is possible for them to grant themselves or others permission to view objects in the bucket. To mitigate this, you can view audit logs in order to track changes made to bucket and project permissions.

Implement this scenario

Your actions

You should take the following actions to implement the scenario:

  1. Create a bucket named finance-marketing. For step-by-step instructions, see Creating a bucket.

  2. Give each IT staff member the Storage Legacy Bucket Owner role for the bucket. For step-by-step instructions, see Adding a principal to a bucket-level policy.

IT staff actions

The IT staff should take the following actions to implement the scenario:

  1. Give the marketing analyst the Storage Object User role for the bucket. For step-by-step instructions, see Adding a principal to a bucket-level policy.

Vendor drop box

In this scenario, a construction company works with several architectural design firms that deliver building plans for various projects. The construction company wants to set up a drop box for the vendor firms so they can upload architectural plans at various project milestones. The drop box must ensure the privacy of the construction company's clients, which means the drop box cannot allow the vendors to see each other's work. To accomplish this, you create a separate bucket for each architectural firm and grant the following roles for the listed resources to the specified principals:

Role: Owner
Resource: Overall project
Principal: Construction company manager
Description: Giving the construction company manager the Owner role at the project level enables her to create buckets for each vendor.

Role: Storage Object Viewer
Resource: Overall project
Principal: Construction company manager
Description: The Storage Object Viewer role allows the construction company manager to download the objects that the vendors are uploading.

Role: Storage Legacy Bucket Owner
Resource: Each vendor bucket
Principal: Construction company manager
Description: The Storage Legacy Bucket Owner role allows the construction company manager to list the contents of each bucket as well as delete objects at the end of each project milestone.

Role: Storage Object Admin
Resource: Each vendor bucket
Principal: The vendor associated with the bucket
Description: Giving each vendor the Storage Object Admin role for their own bucket gives them complete control over the objects in their bucket, including the ability to upload objects, list objects in the bucket, and control who has access to each object. It does not allow them to change or view metadata such as roles on the bucket as a whole, nor does it allow them to list or view other buckets in the project, thus preserving privacy between vendors.

Implement this scenario

Your actions

You should take the following actions to implement the scenario:

  1. Give the construction company manager the Owner role on the project as well as the Storage Object Viewer role on the project. For step-by-step instructions, see Grant a single role.

Construction company manager actions

The construction company manager should take the following actions to implement the scenario:

  1. Create a separate bucket for each vendor. For step-by-step instructions, see Creating a bucket.

    Since the construction manager has the Owner role, she automatically gets the Storage Legacy Bucket Owner role for each bucket she creates.

  2. Give each vendor the Storage Object Admin role for their respective bucket. For step-by-step instructions, see Adding a principal to a bucket-level policy.

  3. If any vendor intends to use the Google Cloud console, give them a link to their bucket, which has the format:

    https://console.cloud.google.com/storage/browser/BUCKET_NAME

    where BUCKET_NAME is the name of the vendor's bucket.

Vendor actions

Each vendor should take the following actions to implement the scenario:

  1. Upload objects to the assigned bucket. The easiest way to accomplish this is through the Google Cloud console. Other methods, such as the Google Cloud CLI, require additional setup prior to use. For step-by-step instructions, see Uploading an object.

    Note: Based on the permissions set in this scenario, vendors are required to sign in using one of the emails associated with the bucket assigned to them.
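Both scenarios so far (the finance-marketing bucket and the per-vendor buckets) can be checked before any binding is applied by modelling the grants and asking who ends up with which permission, including permissions a bucket inherits from the project. The block below is an added example and not Google's code or documentation: the role-to-permission table is an assumption limited to the permissions these scenarios rely on (not the full predefined roles), the principals and bucket names are constructed, and Project, bucket_permissions and who_can are hypothetical helpers.

```python
"""In-memory model of the IAM grants in the private-data and vendor-drop-box
scenarios. Added example, not Google's code. ROLE_PERMISSIONS is an
ASSUMPTION: only the permissions the scenarios depend on, per predefined role."""

ROLE_PERMISSIONS = {
    "roles/owner": {"storage.buckets.create", "storage.buckets.list",
                    "storage.buckets.get"},
    "roles/storage.legacyBucketOwner": {
        "storage.buckets.get", "storage.buckets.setIamPolicy",
        "storage.objects.list", "storage.objects.create", "storage.objects.delete"},
    "roles/storage.objectUser": {
        "storage.objects.create", "storage.objects.get", "storage.objects.list",
        "storage.objects.update", "storage.objects.delete"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.get", "storage.objects.list",
        "storage.objects.update", "storage.objects.delete",
        "storage.objects.getIamPolicy", "storage.objects.setIamPolicy"},
}

# Constructed principals, written in the member syntax IAM bindings use.
IT_STAFF = "group:it-staff@example.com"
ANALYST = "user:analyst@example.com"
MANAGER = "user:manager@example.com"
VENDORS = ("acme-architects", "beta-design")


def vendor_principal(vendor):
    return f"user:uploads@{vendor}.example"


def policy(*grants):
    """Policy in the shape the JSON API returns: a list of {role, members}."""
    return {"bindings": [{"role": r, "members": list(m)} for r, m in grants]}


class Project:
    """A project-level policy plus the policies of the buckets it contains."""

    def __init__(self, project_policy):
        self.policy = project_policy
        self.buckets = {}

    def add_bucket(self, name, bucket_policy):
        self.buckets[name] = bucket_policy


def _permissions(policies, principal):
    perms = set()
    for pol in policies:
        for b in pol["bindings"]:
            if principal in b["members"]:
                perms |= ROLE_PERMISSIONS[b["role"]]
    return perms


def bucket_permissions(project, bucket, principal):
    """Effective permissions on a bucket: bucket-level bindings plus the
    project-level bindings the bucket inherits through the IAM hierarchy."""
    return _permissions((project.policy, project.buckets[bucket]), principal)


def project_permissions(project, principal):
    return _permissions((project.policy,), principal)


def who_can(project, bucket, permission):
    """Every principal in the hierarchy holding the permission on the bucket;
    the check to run before calling a bucket 'private'."""
    members = {m for pol in (project.policy, project.buckets[bucket])
               for b in pol["bindings"] for m in b["members"]}
    return {m for m in members if permission in bucket_permissions(project, bucket, m)}


def private_data_scenario():
    """finance-marketing: IT maintains the bucket, only the analyst reads data."""
    project = Project(policy())
    project.add_bucket("finance-marketing", policy(
        ("roles/storage.legacyBucketOwner", [IT_STAFF]),
        ("roles/storage.objectUser", [ANALYST]),
    ))
    return project


def vendor_dropbox_scenario():
    """One bucket per vendor; the manager's read access is granted on the project."""
    project = Project(policy(("roles/owner", [MANAGER]),
                             ("roles/storage.objectViewer", [MANAGER])))
    for vendor in VENDORS:
        project.add_bucket(f"plans-{vendor}", policy(
            ("roles/storage.legacyBucketOwner", [MANAGER]),
            ("roles/storage.objectAdmin", [vendor_principal(vendor)]),
        ))
    return project


if __name__ == "__main__":
    p = private_data_scenario()
    print("can read finance-marketing:", who_can(p, "finance-marketing", "storage.objects.get"))
    v = vendor_dropbox_scenario()
    print("can read plans-beta-design:", who_can(v, "plans-beta-design", "storage.objects.get"))
```

The two properties worth asserting are the ones the text promises: only the analyst holds storage.objects.get on finance-marketing while IT staff keep list, delete and setIamPolicy (the last being the reason the Caution above points at audit logs), and a vendor principal has no permissions at all on another vendor's bucket and cannot list buckets at the project level.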

Authenticated browser downloads

In this scenario, a client wants to make files available to specific individuals through simple browser downloads. You can do this using the Cloud Storage cookie-based authentication. To download objects, users must authenticate by signing in to a valid account, which includes Google Workspace, Cloud Identity, Gmail, and workforce identity federation. The following authenticated users are able to download the object:

All other users get a 403 Forbidden (access denied) error.

To use the feature, grant a user permission to access an object, then give the user a special URL to the object. When the user clicks the URL, Cloud Storage prompts them to sign in to their account (if they are not already logged in) and the object is downloaded to their computer.

Implement this scenario

You can implement cookie-based authentication in four general steps:

  1. Create a bucket. For step-by-step instructions, see Creating a bucket.

    Assuming you create a bucket in a project you own, you automatically gain permissions that allow you to upload objects to the bucket and change who has access to the bucket.

    Note: If you already have a bucket that you want to use, keep in mind that you're serving secure content from the bucket in this scenario. As a best practice, make sure anonymous users don't have bucket or project-level roles that give access to the objects.

  2. Upload the object you want to share. For step-by-step instructions, see Uploading an object.

  3. Give users access to the object. A common way to do this is to modify the bucket's IAM policy to give specific users the Storage Object Viewer role, which applies to all objects in the bucket. For step-by-step instructions, see Adding a principal to a bucket-level policy.

  4. Provide users with a special URL to the object.

    Authenticated browser downloads access Cloud Storage through a specific URL endpoint. Use the following URL:

    https://storage.cloud.google.com/BUCKET_NAME/OBJECT_NAME

    Where:

    • BUCKET_NAME is the name of the bucket that contains the desired object. For example, my-bucket.
    • OBJECT_NAME is the name of the desired object. For example, pets/dog.png.

    Since only users with appropriate access permissions can view it, it doesn't matter how you make this URL available. You can send it to them directly, or you can post it on a web page.
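Two small pieces of this procedure are worth automating: building the storage.cloud.google.com URL for an object whose name contains characters that are not URL-safe, and checking the bucket's IAM policy for the anonymous principals that the Note in step 1 warns about before the URL is handed out. The block below is an added example, not Google's code: the sample policy is constructed, and in practice the input would be the JSON that a policy export such as gcloud storage buckets get-iam-policy gs://BUCKET --format=json returns.

```python
"""Added example (not Google's code): authenticated-download URL builder plus a
pre-flight scan of a bucket policy for anonymous principals. SAMPLE_POLICY is
constructed for the example."""
from urllib.parse import quote

ENDPOINT = "https://storage.cloud.google.com"
# Either of these members in a binding makes the objects readable without the
# per-user grant this scenario relies on.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def authenticated_download_url(bucket, object_name):
    """Object names may contain spaces, '#' or '?', which would be misparsed
    in a URL, so the name is percent-encoded; '/' is kept because it is part
    of the object path (pets/dog.png stays pets/dog.png)."""
    if not bucket or not object_name:
        raise ValueError("bucket and object name are required")
    return f"{ENDPOINT}/{bucket}/{quote(object_name, safe='/')}"


def public_bindings(policy):
    """(role, member) pairs that grant access to anyone or to any signed-in
    account. The list should be empty before a private download URL is shared."""
    return sorted((b["role"], m)
                  for b in policy.get("bindings", [])
                  for m in b.get("members", [])
                  if m in PUBLIC_PRINCIPALS)


# Constructed policy: one invited user plus a leftover public grant.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com", "allUsers"]},
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print(authenticated_download_url("my-bucket", "pets/dog.png"))
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"public grant found: {member} has {role}")
```

Any pair returned by public_bindings means the "only users with appropriate access permissions" assumption no longer holds for that bucket, so the grant should be removed before the URL is distributed.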

Use a group to control access

In this scenario, you want to make objects available to specific users, such as users invited to try out new software. In addition, you want to invite many users, but you do not want to set permissions for each user individually. At the same time, you don't want to make the objects publicly readable and send invited customers links to access the objects, because there is a risk the links may be sent to users who are not invited.

One way to handle this scenario is through the use of Google Groups. You can create a group and add only invited users to the group. Then, you can give the group as a whole access to the objects:

Role: Storage Object Viewer
Resource: Your bucket
Principal: Google Group
Description: Giving the Google Group the Storage Object Viewer role for the bucket allows any customer who is part of the Google Group to view objects in the bucket. No one outside of the group has access to the objects.

Note: When using groups to manage access to your resources, you should be aware of Group policies and limits that determine how many members can be in the group. If you need to invite more users than can be added to a group, you can create a service that authenticates users and redirects them to a URL signed by a service account. For more information, see Signed URLs (query string authentication).

Implement this scenario

  1. Create a Google Group and add customers to it. For step-by-step instructions, see Create a group.

  2. Create a bucket. For step-by-step instructions, see Creating a bucket.

  3. Upload objects to your bucket. For step-by-step instructions, see Uploading an object.

  4. Give the Google Group access to the objects.

    • You can use the IAM role storage.objectViewer to give viewing access to all objects in your bucket. For step-by-step instructions, see Adding a principal to a bucket-level policy.

    • If you want to only give access to some of the objects in the bucket, set the Reader ACL on those individual objects. For step-by-step instructions, see Setting ACLs.

  5. Share the appropriate request endpoint with the group, so that they know where to go to access the objects.

    For example, when using the Google Cloud console, the URL https://console.cloud.google.com/storage/browser/BUCKET_NAME takes you to the list of objects in the bucket BUCKET_NAME.

Use managed folders to control access

In this scenario, you have multiple customers that each own a unique website containing custom images. You want customers to be able to upload images to their website only, but not to other websites. When a customer cancels their account, you want to disable public access to the images on their website, but avoid deleting the images in case the customer wants to reactivate their account.

One way to handle this scenario is through the use of managed folders. You can create multiple managed folders within a bucket and use IAM to control access to individual managed folders for both your customers and their end users.

Implement this scenario

  1. Create a bucket.

  2. Create a managed folder in the bucket for each customer website.

  3. For each managed folder, set an IAM policy that grants a customer the Storage Object User (roles/storage.objectUser) role, so the customer can upload objects to the managed folder and remove objects from the managed folder.

  4. For all managed folders, set an IAM policy that grants the Storage Object Viewer (roles/storage.objectViewer) role to the principal allUsers, so the image objects in the managed folders can be viewable to the public.

    Alternatively, you can grant a custom role that gives allUsers the storage.objects.get IAM permission.

  5. When a customer cancels their account, remove the IAM policy that grants the customer the Storage Object User (roles/storage.objectUser) role for the associated managed folder. To disable public access to the objects within that managed folder, remove the IAM policy that grants the Storage Object Viewer (roles/storage.objectViewer) role to allUsers.
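The five steps above form one lifecycle per customer: provision a managed folder with a customer grant and a public-read grant, then on cancellation remove exactly those two bindings on that folder while leaving its objects (and every other customer's folder) untouched. The block below is an added example and not Google's code: it is an in-memory model of the managed-folder policies, the folder names and customer principals are constructed, and Bucket, provision_customer and cancel_customer are hypothetical helpers standing in for the managed-folder IAM API calls (for example gcloud storage managed-folders add-iam-policy-binding and remove-iam-policy-binding).

```python
"""Added example (not Google's code): in-memory model of per-customer managed
folders, their IAM bindings, and the grant/revoke lifecycle from the scenario.
Folder names and customer principals are constructed."""

OBJECT_USER = "roles/storage.objectUser"
OBJECT_VIEWER = "roles/storage.objectViewer"
PUBLIC = "allUsers"


def add_binding(policy, role, member):
    """Idempotent: adding the same member to a role twice leaves one entry."""
    for b in policy["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return
    policy["bindings"].append({"role": role, "members": [member]})


def remove_binding(policy, role, member):
    """Remove one member from one role and drop any binding left empty."""
    for b in policy["bindings"]:
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
    policy["bindings"] = [b for b in policy["bindings"] if b["members"]]


def has_binding(policy, role, member):
    return any(b["role"] == role and member in b["members"] for b in policy["bindings"])


class Bucket:
    """Objects keyed by name; managed folders keyed by a prefix ending in '/'."""

    def __init__(self):
        self.objects = {}
        self.folder_policies = {}

    def create_managed_folder(self, folder):
        self.folder_policies.setdefault(folder, {"bindings": []})

    def upload(self, name, data):
        self.objects[name] = data

    def objects_in(self, folder):
        return sorted(n for n in self.objects if n.startswith(folder))

    def provision_customer(self, folder, customer):
        """Steps 2 to 4: folder exists, the customer can write to it, and the
        images in it are publicly readable."""
        self.create_managed_folder(folder)
        pol = self.folder_policies[folder]
        add_binding(pol, OBJECT_USER, customer)
        add_binding(pol, OBJECT_VIEWER, PUBLIC)

    def cancel_customer(self, folder, customer):
        """Step 5: revoke the customer's write grant and the public-read grant
        on this folder only. Objects are kept for possible reactivation;
        the count left in place is returned."""
        pol = self.folder_policies[folder]
        remove_binding(pol, OBJECT_USER, customer)
        remove_binding(pol, OBJECT_VIEWER, PUBLIC)
        return len(self.objects_in(folder))

    def is_public(self, folder):
        return has_binding(self.folder_policies[folder], OBJECT_VIEWER, PUBLIC)


if __name__ == "__main__":
    site = Bucket()
    site.provision_customer("site-a/", "user:a@example.com")
    site.upload("site-a/logo.png", b"...")
    kept = site.cancel_customer("site-a/", "user:a@example.com")
    print(f"site-a/ public: {site.is_public('site-a/')}, objects kept: {kept}")
```

Reactivation is just provision_customer again: because add_binding is idempotent, running it on a folder that already has the grants produces no duplicate members, so the same function serves both first-time setup and a returning customer.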

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.