Make data public

This page shows you how to make objects you own readable to everyone on the public internet and how to remove public access from your bucket. To learn how to access data that has been made public, see Accessing Public Data.

When an object is shared publicly, any user with knowledge of the object URI can access the object for as long as the object is public.

Important: You cannot publicly share an object if the bucket it's stored in is subject to public access prevention.

Required roles

In order to get the required permissions for making objects publicly readable, ask your administrator to grant you the following roles for the bucket that contains the data you want to make public:

  • To make all objects in a bucket publicly readable: Storage Admin (roles/storage.admin)

  • To make individual objects publicly readable: Storage Object Admin (roles/storage.objectAdmin)

    • If you plan on using the Google Cloud console, you'll need the Storage Admin (roles/storage.admin) role instead of the Storage Object Admin role.
  • To remove public access from all objects in a bucket: Storage Admin (roles/storage.admin)

These roles contain the permissions required to make objects public. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.setIamPolicy
  • storage.objects.update

The following permissions are only required for using the Google Cloud console to perform the tasks on this page:

  • storage.buckets.list
  • storage.objects.list

You might also be able to get these permissions with other predefined roles or custom roles.

For instructions on granting roles on buckets, see Set and manage IAM policies on buckets.

Make all objects in a bucket publicly readable

To make all objects in a bucket readable to everyone on the public internet, grant the principal allUsers the Storage Object Viewer (roles/storage.objectViewer) role:

Note: The Storage Object Viewer (roles/storage.objectViewer) role includes the permission required to list the objects in the bucket. For a less permissive role that only allows your users to get objects without listing them, grant the Storage Legacy Object Reader (roles/storage.legacyObjectReader) role instead.

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. In the list of buckets, click the name of the bucket that you want to make public.

  3. Select the Permissions tab near the top of the page.

  4. In the Permissions section, click the Grant access button.

    The Grant access dialog appears.

  5. In the New principals field, enter allUsers.

  6. In the Select a role drop down, enter Storage Object Viewer in the filter box and select the Storage Object Viewer from the filtered results.

  7. Click Save.

  8. Click Allow public access.

Once public access has been granted, a Copy URL button appears for each object in the public access column. You can click this button to get the public URL for the object. The public URL is different from the link you get from directly right-clicking an object. Both links provide access to an object, but the public URL works without the user having to sign into a user account. See Request endpoints for more information.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

To learn how to resolve organization policy errors and permission errors, see Troubleshoot making data public.

Command line

Note: Cloud Shell provisions a temporary virtual machine. If you want to upload objects to Cloud Storage or download objects from Cloud Storage, use a local development environment.

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. In your development environment, run the buckets add-iam-policy-binding command:

    gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer

    Where BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket.

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  auto current_policy = client.GetNativeBucketIamPolicy(
      bucket_name, gcs::RequestedPolicyVersion(3));
  if (!current_policy) throw std::move(current_policy).status();

  current_policy->set_version(3);
  current_policy->bindings().emplace_back(
      gcs::NativeIamBinding("roles/storage.objectViewer", {"allUsers"}));

  auto updated =
      client.SetNativeBucketIamPolicy(bucket_name, *current_policy);
  if (!updated) throw std::move(updated).status();

  std::cout << "Policy successfully updated: " << *updated << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;
using System.Collections.Generic;

public class MakeBucketPublicSample
{
    public void MakeBucketPublic(string bucketName = "your-unique-bucket-name")
    {
        var storage = StorageClient.Create();

        Policy policy = storage.GetBucketIamPolicy(bucketName);

        policy.Bindings.Add(new Policy.BindingsData
        {
            Role = "roles/storage.objectViewer",
            Members = new List<string> { "allUsers" }
        });

        storage.SetBucketIamPolicy(bucketName, policy);
        Console.WriteLine(bucketName + " is now public ");
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import (
	"context"
	"fmt"
	"io"

	"cloud.google.com/go/iam"
	"cloud.google.com/go/iam/apiv1/iampb"
	"cloud.google.com/go/storage"
)

// setBucketPublicIAM makes all objects in a bucket publicly readable.
func setBucketPublicIAM(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	policy, err := client.Bucket(bucketName).IAM().V3().Policy(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).IAM().V3().Policy: %w", bucketName, err)
	}
	role := "roles/storage.objectViewer"
	policy.Bindings = append(policy.Bindings, &iampb.Binding{
		Role:    role,
		Members: []string{iam.AllUsers},
	})
	if err := client.Bucket(bucketName).IAM().V3().SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("Bucket(%q).IAM().SetPolicy: %w", bucketName, err)
	}
	fmt.Fprintf(w, "Bucket %v is now publicly readable\n", bucketName)
	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.cloud.storage.StorageRoles;

public class MakeBucketPublic {
  public static void makeBucketPublic(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Policy originalPolicy = storage.getIamPolicy(bucketName);
    storage.setIamPolicy(
        bucketName,
        originalPolicy.toBuilder()
            .addIdentity(StorageRoles.objectViewer(), Identity.allUsers()) // All users can view
            .build());

    System.out.println("Bucket " + bucketName + " is now publicly readable");
  }
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function makeBucketPublic() {
  await storage.bucket(bucketName).makePublic();

  console.log(`Bucket ${bucketName} is now publicly readable`);
}

makeBucketPublic().catch(console.error);

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

use Google\Cloud\Storage\StorageClient;

/**
 * Update the specified bucket's IAM configuration to make it publicly accessible.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 */
function set_bucket_public_iam(string $bucketName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy(['requestedPolicyVersion' => 3]);
    $policy['version'] = 3;

    $role = 'roles/storage.objectViewer';
    $members = ['allUsers'];

    $policy['bindings'][] = [
        'role' => $role,
        'members' => $members
    ];

    $bucket->iam()->setPolicy($policy);

    printf('Bucket %s is now public', $bucketName);
}

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

from typing import List

from google.cloud import storage


def set_bucket_public_iam(
    bucket_name: str = "your-bucket-name",
    members: List[str] = ["allUsers"],
):
    """Set a public IAM Policy to bucket"""
    # bucket_name = "your-bucket-name"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy(requested_policy_version=3)
    policy.bindings.append(
        {"role": "roles/storage.objectViewer", "members": members}
    )

    bucket.set_iam_policy(policy)

    print(f"Bucket {bucket.name} is now publicly readable")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

def set_bucket_public_iam bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  bucket.policy do |p|
    p.add "roles/storage.objectViewer", "allUsers"
  end

  puts "Bucket #{bucket_name} is now publicly readable"
end

Terraform

You can use a Terraform resource to make all objects in a bucket public.

# Make bucket public
resource "google_storage_bucket_iam_member" "member" {
  provider = google
  bucket   = google_storage_bucket.default.name
  role     = "roles/storage.objectViewer"
  member   = "allUsers"
}

REST APIs

JSON API

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Create a JSON file that contains the following information:

    {
      "bindings": [
        {
          "role": "roles/storage.objectViewer",
          "members": ["allUsers"]
        }
      ]
    }

  3. Use cURL to call the JSON API with a PUT Bucket request:

    curl -X PUT --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where:

    • JSON_FILE_NAME is the path for the file that you created in Step 2.
    • BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket.

XML API

Making all objects in a bucket publicly readable is not supported by the XML API. Use the Google Cloud console or gcloud storage.

Make a portion of a bucket publicly readable

Important: To complete this task, the target bucket must use uniform bucket-level access. If uniform bucket-level access is disabled for the bucket, you can enable it, or you can use access control lists (ACLs) instead to grant access to individual objects.

Use a managed folder to control access to objects whose name prefix matches the name of the managed folder. For example, a managed folder named my-folder can be used to control access to objects named my-folder/cats.jpg and my-folder/dogs.jpg.

To make such objects publicly accessible, first create the managed folder, and then set an IAM policy on the folder that grants allUsers the Storage Object Viewer (roles/storage.objectViewer) role:

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. Click the name of the bucket that contains the objects you want to make public.

  3. Create a folder, using the following steps:

    1. Click the Create folder button.

    2. Enter the Name for the folder. Once the folder is converted to a managed folder, objects whose names start with this name will be subject to IAM roles set on the folder.

    3. Click Create.

  4. Convert the folder to a managed folder, using the following steps:

    1. In the pane that shows the bucket's contents, find the name of the folder you created, and click the More options icon.

    2. Click Edit access.

    3. In the window that appears, click Enable.

  5. Add an IAM policy to the folder that grants allUsers the Storage Object Viewer (roles/storage.objectViewer) role, using the following steps:

    1. If the Permissions pane for your managed folder isn't already open, click the More options icon for the managed folder, and then click Edit access.

    2. In the Permissions pane, click the Add principal button.

    3. In the New principals field, enter allUsers.

    4. In the Select a role drop down, enter Storage Object Viewer in the filter box, and select Storage Object Viewer from the filtered results.

    5. Click Save.

    6. Click Allow public access.

Once public access has been granted, a Copy URL button appears for each applicable object in the public access column. You can click this button to get the public URL for the object. The public URL is different from the link you get from directly right-clicking an object. Both links provide access to an object, but the public URL works without the user having to sign into a user account. See Request endpoints for more information.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

To learn how to resolve organization policy errors and permission errors, see Troubleshoot making data public.

Command line

Note: Cloud Shell provisions a temporary virtual machine. If you want to upload objects to Cloud Storage or download objects from Cloud Storage, use a local development environment.

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. In your development environment, create a managed folder using the gcloud storage managed-folders create command:

    gcloud storage managed-folders create gs://BUCKET_NAME/MANAGED_FOLDER_NAME/

    Where:

    • BUCKET_NAME is the name of the bucket in which you want to create a managed folder. For example, my-bucket.

    • MANAGED_FOLDER_NAME is the name of the managed folder you want to create. For example, my-managed-folder.

  3. In your development environment, add allUsers to the managed folder's IAM policy using the gcloud storage managed-folders add-iam-policy-binding command:

    gcloud storage managed-folders add-iam-policy-binding gs://BUCKET_NAME/MANAGED_FOLDER_NAME --member=allUsers --role=roles/storage.objectViewer

    Where:

    • BUCKET_NAME is the name of the bucket containing the managed folder you're adding the IAM policy to. For example, my-bucket.
    • MANAGED_FOLDER_NAME is the name of the managed folder that you want to add public access to. For example, my-managed-folder.

REST APIs

JSON API

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Create a JSON file that contains the following information:

    {
      "name": "MANAGED_FOLDER_NAME"
    }

    Where MANAGED_FOLDER_NAME is the name of the managed folder you want to create. For example, my-managed-folder.

  3. Use cURL to call the JSON API with an Insert ManagedFolder request:

    curl -X POST --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders"

    Where:

    • JSON_FILE_NAME is the path for the file that you created in the previous step.
    • BUCKET_NAME is the name of the bucket in which you want to create a managed folder. For example, my-bucket.

  4. Create a JSON file that contains the following information:

    {
      "bindings": [
        {
          "role": "roles/storage.objectViewer",
          "members": ["allUsers"]
        }
      ]
    }

  5. Use cURL to call the JSON API with a setIamPolicy ManagedFolder request:

    curl -X PUT --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"

    Where:

    • JSON_FILE_NAME is the path for the file that you created in the previous step.
    • BUCKET_NAME is the name of the bucket containing the managed folder you're adding the IAM policy to. For example, my-bucket.
    • MANAGED_FOLDER_NAME is the name of the managed folder you're adding the IAM policy to. For example, my-managed-folder.

XML API

The XML API does not support working with managed folders. Use a different tool, such as the Google Cloud console, or set ACLs on individual objects using Set Object ACL requests. The following is an example ACL file that would grant allUsers access to an object:

<AccessControlList>
  <Entries>
    <Entry>
      <Scope type="AllUsers"/>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>

Remove public access for all objects within a bucket

To remove public access for all objects within a bucket, remove the IAM policy that grants allUsers the Storage Object Viewer (roles/storage.objectViewer) role:

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. In the list of buckets, click the name of the bucket you want to remove public access from.

  3. Select the Permissions tab.

    The IAM policy that applies to the bucket appears in the Permissions section.

  4. In the View by principals tab, select the checkbox for the allUsers principal you're removing.

  5. Click the - Remove access button.

  6. In the overlay window that appears, click Confirm.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. In your development environment, run the buckets remove-iam-policy-binding command:

    gcloud storage buckets remove-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer

    Where BUCKET_NAME is the name of the bucket you are revoking access to. For example, my-bucket.

REST APIs

JSON

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Get the existing policy applied to your bucket. To do so, use cURL to call the JSON API with a GET getIamPolicy request:

    curl -X GET \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket.

  3. Create a JSON file that contains the policy you retrieved in the previous step and edit the file to remove the binding of the allUsers principal from the policy.

  4. Use cURL to call the JSON API with a PUT setIamPolicy request:

    curl -X PUT --data-binary @JSON_FILE_NAME \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

    Where:

    • JSON_FILE_NAME is the path for the file that you created in Step 3.

    • BUCKET_NAME is the name of the bucket from which you want to remove access. For example, my-bucket.

Important: It typically takes about a minute for revoking access to take effect. In some cases it may take longer. If you remove a user's access, this change is immediately reflected in the metadata; however, the user may still have access to the object for a short period of time.
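
Step 3 of the JSON API procedure above, editing the retrieved policy to remove the allUsers binding, can be scripted. The following Python is an added example, not part of the original page: it goes slightly beyond the single role named above by removing allUsers from every binding while keeping other members, and the sample policy and the function name strip_public_access are constructed for illustration.

```python
import copy
import json

# Constructed sample of a getIamPolicy response (illustrative, not real data).
SAMPLE_POLICY = json.loads("""
{
  "kind": "storage#policy",
  "resourceId": "projects/_/buckets/my-bucket",
  "version": 1,
  "etag": "CAE=",
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "group:analysts@example.com"]},
    {"role": "roles/storage.legacyObjectReader", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:owner@example.com"]}
  ]
}
""")


def strip_public_access(policy, principals=("allUsers",)):
    """Return (new_policy, removed); removed is a list of (role, member) pairs.

    The input policy is not modified. Bindings left with no members are
    dropped. Every other field (etag, version, binding conditions) is kept,
    so the PUT request still carries the etag returned by the GET.
    """
    cleaned = copy.deepcopy(policy)
    removed = []
    kept_bindings = []
    for binding in cleaned.get("bindings", []):
        members = binding.get("members", [])
        # Record each public principal found, then filter it out.
        removed.extend((binding["role"], m) for m in members if m in principals)
        binding["members"] = [m for m in members if m not in principals]
        if binding["members"]:
            kept_bindings.append(binding)
    cleaned["bindings"] = kept_bindings
    return cleaned, removed


if __name__ == "__main__":
    new_policy, removed = strip_public_access(SAMPLE_POLICY)
    for role, member in removed:
        print(f"removed {member} from {role}")
    # Save this output as the file passed as JSON_FILE_NAME in the PUT request.
    print(json.dumps(new_policy, indent=2))
```

The list of removed (role, member) pairs doubles as a record of which roles were publicly granted before the change.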

Last updated 2026-02-19 UTC.