Overview of access control

You control who has access to your Cloud Storage buckets and objects, and what level of access they have.

Choose between uniform and fine-grained access

When you create a bucket, you should decide whether you want to apply permissions using uniform or fine-grained access.

  • Uniform (recommended): Uniform bucket-level access allows you to use Identity and Access Management (IAM) alone to manage permissions. IAM applies permissions to all the objects contained inside the bucket, or to groups of objects that share a common name prefix (through managed folders). IAM also allows you to use features that are not available when working with ACLs, such as managed folders, IAM Conditions, domain restricted sharing, and workforce identity federation.

  • Fine-grained: The fine-grained option enables you to use IAM and Access Control Lists (ACLs) together to manage permissions. ACLs are a legacy access control system for Cloud Storage designed for interoperability with Amazon S3. ACLs also allow you to specify access on a per-object basis.

    Because fine-grained access requires you to coordinate between two different access control systems, there is an increased chance of unintentional data exposure, and auditing who has access to resources is more complicated. Particularly if you have objects that contain sensitive data, such as personally identifiable information, we recommend storing that data in a bucket with uniform bucket-level access enabled.

Note: Once you enable uniform bucket-level access, you have 90 days to switch back to fine-grained access before uniform bucket-level access becomes permanent.

Using IAM permissions with ACLs

Cloud Storage offers two systems for granting users access to your buckets and objects: IAM and Access Control Lists (ACLs). These systems act in parallel: for a user to access a Cloud Storage resource, only one of the systems needs to grant that user permission. For example, if your bucket's IAM policy only allows a few users to read object data in the bucket, but one of the objects in the bucket has an ACL that makes it publicly readable, then that specific object is exposed to the public.

Caution: In general, IAM cannot detect permissions granted byACLs, and ACLs cannot detect permissions granted by IAM.

In most cases, IAM is the recommended method for controlling access to your resources. IAM controls permissioning throughout Google Cloud and allows you to grant permissions at the bucket and project levels. You should use IAM for any permissions that apply to multiple objects in a bucket to reduce the risks of unintended exposure. To use IAM exclusively, enable uniform bucket-level access to disallow ACLs for all Cloud Storage resources.
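The two points above (either system alone can grant access, and uniform bucket-level access removes the ACL path entirely) are easier to reason about with a model in front of you. The following is an added example, not code from the Cloud Storage documentation: a small Python model of bucket IAM bindings and object ACLs that reports which system is responsible for each grant. The bucket, object and principal names are constructed, and the role-to-permission tables are cut down to what the model needs.

```python
"""Added example (not code from the Cloud Storage docs): a small model of how bucket IAM
bindings and object ACLs combine under fine-grained access, and how uniform bucket-level
access removes the ACL path. Bucket, object and principal names are constructed and the
role-to-permission tables are cut down to what the model needs."""
from dataclasses import dataclass, field, replace

# Subset of the permissions carried by common predefined roles.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}
# Object ACL roles map onto a much smaller permission set.
ACL_PERMISSIONS = {
    "READER": {"storage.objects.get"},
    "OWNER": {"storage.objects.get", "storage.objects.update"},
}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


@dataclass
class Bucket:
    name: str
    uniform: bool                 # uniform bucket-level access enabled?
    objects: set
    iam: dict                     # role -> set of IAM members
    acls: dict = field(default_factory=dict)  # object -> {ACL entity: ACL role}


def _iam_member_matches(member: str, principal) -> bool:
    """principal is an email address, or None for an unauthenticated request."""
    if member == "allUsers":
        return True
    if member == "allAuthenticatedUsers":
        return principal is not None
    if principal is None:
        return False
    if member.startswith("domain:"):
        return principal.split("@", 1)[1] == member[len("domain:"):]
    return member == f"user:{principal}"


def _acl_entity_matches(entity: str, principal) -> bool:
    if entity in PUBLIC:
        return _iam_member_matches(entity, principal)
    return principal is not None and entity == f"user-{principal}"


def grants(bucket: Bucket, obj: str, principal, permission: str) -> set:
    """Which systems grant `permission` on `obj` to `principal`.

    Either system alone is enough; an empty set means the request is denied."""
    sources = set()
    for role, members in bucket.iam.items():
        if permission in ROLE_PERMISSIONS.get(role, set()) and any(
                _iam_member_matches(m, principal) for m in members):
            sources.add("iam")
    # Once uniform bucket-level access is on, ACLs are no longer evaluated at all.
    if not bucket.uniform:
        for entity, acl_role in bucket.acls.get(obj, {}).items():
            if permission in ACL_PERMISSIONS[acl_role] and _acl_entity_matches(entity, principal):
                sources.add("acl")
    return sources


def public_objects(bucket: Bucket) -> dict:
    """Objects an anonymous caller can read, with the system responsible for each."""
    exposed = {}
    for obj in sorted(bucket.objects):
        sources = grants(bucket, obj, None, "storage.objects.get")
        if sources:
            exposed[obj] = sources
    return exposed


# Constructed scenario from the text: the bucket's IAM policy lets two people read,
# but one object carries a legacy ACL that makes it world-readable.
FINE_GRAINED = Bucket(
    name="hr-exports", uniform=False,
    objects={"payroll-2025-q1.csv", "onboarding-guide.pdf"},
    iam={"roles/storage.objectViewer": {"user:alice@example.com", "user:bob@example.com"}},
    acls={"onboarding-guide.pdf": {"allUsers": "READER"},
          "payroll-2025-q1.csv": {"user-alice@example.com": "OWNER"}},
)
# The same bucket after enabling uniform bucket-level access: the ACLs are ignored.
UNIFORM = replace(FINE_GRAINED, uniform=True)

if __name__ == "__main__":
    print(public_objects(FINE_GRAINED))   # {'onboarding-guide.pdf': {'acl'}}
    print(public_objects(UNIFORM))        # {}
```

Reading the bucket's IAM policy alone would show nothing public here; only walking the object ACLs reveals the exposure, which is the auditing cost the text warns about. Note also that Alice's ACL-granted `OWNER` role disappears when the bucket is switched to uniform access, so check for ACL-only grants before flipping the switch.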

ACLs control permissioning only for Cloud Storage resources and have limited permission options, but allow you to grant permissions on individual objects. ACLs are mainly useful for the following cases:

  • Customize access to individual objects within a bucket.
  • Migrate data from Amazon S3.

Additional access control options

In addition to IAM and ACLs, the following tools are available to help youcontrol access to your resources:

Signed URLs (query string authentication)

Use signed URLs to give time-limited read or write access to an object through a URL you generate. Anyone with whom you share the URL can access the object for the duration of time you specify, regardless of whether or not they have a user account.

You can use signed URLs in addition to IAM and ACLs. For example, you can use IAM to grant access to a bucket for only a few people, then create a signed URL that allows others to access a specific resource within the bucket.
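To make the time-limited property concrete, here is an added example (not code from the Cloud Storage documentation): a self-contained Python implementation of the V4 signing process with an HMAC key that both produces a signed URL and re-checks it the way the receiving service does. The bucket, object, access ID and secret are constructed, and the credential-scope location is the `auto` value used with HMAC keys.

```python
"""Added example (not code from the Cloud Storage docs): building a V4-style signed URL
for one object with an HMAC key, and checking it the way the receiving side does, so the
"time-limited" property is visible end to end. Bucket, object, access ID and secret are
constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

HOST = "storage.googleapis.com"
ALGORITHM = "GOOG4-HMAC-SHA256"
LOCATION = "auto"             # credential-scope location used with HMAC keys
MAX_LIFETIME = 7 * 24 * 3600  # V4 signed URLs are capped at seven days
ACCESS_ID = "GOOG1EXAMPLEACCESSID"              # constructed HMAC key id
SECRET = "example-hmac-secret-not-a-real-key"   # constructed; never hard-code a real one
ISSUED = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str) -> bytes:
    """Derive the day-scoped signing key from the HMAC secret (SigV4-style chain)."""
    key = _hmac(("GOOG4" + secret).encode(), date)
    key = _hmac(key, LOCATION)
    key = _hmac(key, "storage")
    return _hmac(key, "goog4_request")


def _canonical_query(params: dict) -> str:
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))


def canonical_request(method: str, path: str, params: dict) -> str:
    """Verb, encoded path, canonical query, canonical headers, blank line, signed headers, payload."""
    return "\n".join([method, path, _canonical_query(params),
                      f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])


def _signature(method: str, path: str, params: dict, issued: datetime) -> str:
    date = issued.strftime("%Y%m%d")
    string_to_sign = "\n".join([
        ALGORITHM,
        issued.strftime("%Y%m%dT%H%M%SZ"),
        f"{date}/{LOCATION}/storage/goog4_request",
        hashlib.sha256(canonical_request(method, path, params).encode()).hexdigest(),
    ])
    return hmac.new(signing_key(SECRET, date), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def sign_url(bucket: str, obj: str, lifetime: timedelta,
             issued: datetime = ISSUED, method: str = "GET") -> str:
    """Build the URL a server hands out; the signature covers path, query and expiry."""
    path = f"/{bucket}/{quote(obj, safe='/')}"
    date = issued.strftime("%Y%m%d")
    params = {
        "X-Goog-Algorithm": ALGORITHM,
        "X-Goog-Credential": f"{ACCESS_ID}/{date}/{LOCATION}/storage/goog4_request",
        "X-Goog-Date": issued.strftime("%Y%m%dT%H%M%SZ"),
        "X-Goog-Expires": str(int(lifetime.total_seconds())),
        "X-Goog-SignedHeaders": "host",
    }
    signature = _signature(method, path, params, issued)
    return f"https://{HOST}{path}?{_canonical_query(params)}&X-Goog-Signature={signature}"


def verify_url(url: str, now: datetime, method: str = "GET") -> str:
    """Re-derive the signature as the service would; return "ok" or the rejection reason."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Goog-Signature", "")
    try:
        issued = datetime.strptime(params["X-Goog-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        lifetime = int(params["X-Goog-Expires"])
    except (KeyError, ValueError):
        return "malformed"
    if lifetime > MAX_LIFETIME:
        return "lifetime too long"
    if now > issued + timedelta(seconds=lifetime):
        return "expired"
    # The signature is recomputed from the presented parameters, so any change to the
    # path, expiry or credential invalidates it; compare in constant time.
    if not hmac.compare_digest(_signature(method, parts.path, params, issued), presented):
        return "bad signature"
    return "ok"


# Constructed scenario: a ten-minute read link to one report, plus an over-long one.
URL = sign_url("finance-reports", "2025/q1-summary.pdf", timedelta(minutes=10))
LONG_URL = sign_url("finance-reports", "2025/q1-summary.pdf", timedelta(days=8))
FIVE_MIN_LATER = ISSUED + timedelta(minutes=5)
ELEVEN_MIN_LATER = ISSUED + timedelta(minutes=11)

if __name__ == "__main__":
    print(URL)
    print(verify_url(URL, FIVE_MIN_LATER))                                   # ok
    print(verify_url(URL, ELEVEN_MIN_LATER))                                 # expired
    print(verify_url(URL.replace("q1-summary", "payroll"), FIVE_MIN_LATER))  # bad signature
```

The holder of the URL never sees the secret, and nothing about the caller's identity is checked; whoever has the URL before `X-Goog-Date` plus `X-Goog-Expires` gets the object. Pick the shortest lifetime the use case tolerates, and treat a leaked signed URL like a leaked credential for that one object.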

Learn how to create signed URLs:

Signed Policy Documents

Use signed policy documents to specify what can be uploaded to a bucket. Policy documents allow greater control over size, content type, and other upload characteristics than signed URLs, and can be used by website owners to allow visitors to upload files to Cloud Storage.

You can use signed policy documents in addition to IAM and ACLs. For example, you can use IAM to allow people in your organization to upload any object, then create a signed policy document that allows website visitors to upload only objects that meet specific criteria.
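The "specific criteria" are the policy document's conditions. The following is an added example, not code from the Cloud Storage documentation: a Python evaluator that applies a policy document's conditions to a browser upload's form fields, so you can see exactly what each condition rejects, including a form field the policy never mentions. The policy, bucket and form fields are constructed; signing the policy is left out, since the signature only proves the document was not altered and adds nothing to the condition logic shown here.

```python
"""Added example (not code from the Cloud Storage docs): evaluating the conditions of a
POST policy document against a browser upload's form fields, to show the controls a
policy document gives that a signed URL does not. The policy, bucket and form fields
are constructed; the signature over the policy is out of scope here."""
import base64
import json
from datetime import datetime, timezone

# Form fields that need no matching condition; fields prefixed "x-ignore-" are skipped too.
UNCHECKED_FIELDS = {"file", "policy", "x-goog-signature", "x-goog-date",
                    "x-goog-credential", "x-goog-algorithm"}

# Constructed policy: fixed bucket, keys under one prefix, PNG only, at most 1 MiB.
POLICY = {
    "expiration": "2025-01-15T12:10:00Z",
    "conditions": [
        {"bucket": "site-uploads"},
        ["starts-with", "$key", "uploads/avatars/"],
        ["eq", "$Content-Type", "image/png"],
        ["content-length-range", 0, 1048576],
    ],
}


def encode_policy(policy: dict) -> str:
    """The `policy` form field: base64 of the JSON document (this is what gets signed)."""
    return base64.b64encode(json.dumps(policy).encode()).decode()


def decode_policy(encoded: str) -> dict:
    return json.loads(base64.b64decode(encoded))


def evaluate(policy: dict, form: dict, content_length: int, now: datetime) -> list:
    """Return every violated condition; an empty list means the upload is accepted."""
    problems = []
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now > expires:
        problems.append("policy expired")
    covered = set()
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                      # {"field": "exact value"}
            (name, value), = cond.items()
            covered.add(name)
            if form.get(name) != value:
                problems.append(f"{name} must equal {value!r}")
        elif cond[0] == "eq":                           # ["eq", "$field", "value"]
            name = cond[1].lstrip("$")
            covered.add(name)
            if form.get(name) != cond[2]:
                problems.append(f"{name} must equal {cond[2]!r}")
        elif cond[0] == "starts-with":                  # ["starts-with", "$field", "prefix"]
            name = cond[1].lstrip("$")
            covered.add(name)
            if not str(form.get(name, "")).startswith(cond[2]):
                problems.append(f"{name} must start with {cond[2]!r}")
        elif cond[0] == "content-length-range":         # ["content-length-range", min, max]
            if not cond[1] <= content_length <= cond[2]:
                problems.append(f"content length {content_length} outside {cond[1]}..{cond[2]}")
        else:
            problems.append(f"unsupported condition {cond!r}")
    # A field the policy says nothing about (for example acl=public-read) is rejected outright.
    for name in form:
        if name not in covered and name not in UNCHECKED_FIELDS and not name.startswith("x-ignore-"):
            problems.append(f"field {name!r} not covered by any condition")
    return problems


# Constructed uploads: one that the policy allows, one that breaks every rule.
ISSUED = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
LATER = datetime(2025, 1, 15, 12, 15, tzinfo=timezone.utc)
GOOD_FORM = {"bucket": "site-uploads", "key": "uploads/avatars/u123.png", "Content-Type": "image/png"}
BAD_FORM = {"bucket": "site-uploads", "key": "index.html", "Content-Type": "text/html",
            "acl": "public-read"}

if __name__ == "__main__":
    print(evaluate(POLICY, GOOD_FORM, 204800, ISSUED))          # []
    for problem in evaluate(POLICY, BAD_FORM, 5 * 1048576, ISSUED):
        print("rejected:", problem)
```

The last check is the one that matters most for a public upload form: a visitor who adds an `acl` field to the form to make their upload world-readable is refused because the policy never constrained that field, which is a stronger position than having to enumerate every field you want to forbid.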

Firebase Security Rules

Use Firebase Security Rules to provide granular, attribute-based access control to mobile and web apps using the Firebase SDKs for Cloud Storage. For example, you can specify who can upload or download objects, how large an object can be, or when an object can be downloaded.

Public access prevention

Use public access prevention to restrict public access to your buckets and objects. When you enable public access prevention, users who would gain access through allUsers and allAuthenticatedUsers are denied access to data.

Credential Access Boundaries

Use Credential Access Boundaries to downscope the permissions that are available to an OAuth 2.0 access token. First, you define a Credential Access Boundary that specifies which buckets the token can access, as well as an upper bound on the permissions that are available on that bucket. You can then create an OAuth 2.0 access token and exchange it for a new access token that respects the Credential Access Boundary.

Bucket IP Filtering

Use Bucket IP filtering to restrict access to your bucket based on the source IP address of the request. You can configure a list of permitted IP address ranges, including individual public IP addresses, ranges of public IP addresses, and IP addresses within your Virtual Private Cloud. Any request originating from an IP address that is not on your list is blocked, so IP filtering adds a network-layer check on top of the identity-based controls above.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.