ObjectAccessControls

The ObjectAccessControls resources represent the Access Control Lists (ACLs) for objects within Cloud Storage. ACLs let you specify who has access to your data and to what extent.Important: The methods for this resource fail with a400 Bad Request response for buckets with uniform bucket-level access enabled. Usestorage.buckets.getIamPolicy andstorage.buckets.setIamPolicy to control access instead. There are two roles that can be assigned to an entity:

  • READERs canget an object, though theacl property will not be revealed.
  • OWNERs areREADERs, and they can get theacl property,update an object, and call all objectAccessControls methods on the object. The owner of an object is always anOWNER.
For more information, seeAccess Control, with the caveat that this API usesREADER andOWNER instead ofREAD andFULL_CONTROL.

To try out the methods for this resource, seeMethods.

Resource representations

{  "kind": "storage#objectAccessControl",  "object":string,  "generation": "long",  "id":string,  "selfLink":string,  "bucket":string,  "entity":string,  "role":string,  "email":string,  "domain":string,  "entityId":string,  "etag":string,  "projectTeam": {    "projectNumber":string,    "team":string  }}
Property nameValueDescriptionNotes
bucketstringThe name of the bucket.
domainstringThe domain associated with the entity, if any.
emailstringThe email address associated with the entity, if any.
entitystringThe entity holding the permission, in one of the following forms:
  • user-email
  • group-groupId
  • group-email
  • domain-domain
  • project-team-projectId
  • allUsers
  • allAuthenticatedUsers
Examples:
  • The userliz@example.com would beuser-liz@example.com.
  • The groupexample@googlegroups.com would begroup-example@googlegroups.com.
  • To refer to all members of the domainexample.com, the entity would bedomain-example.com.
 writable
entityIdstringThe ID for the entity, if any.
etagstringHTTP 1.1Entity tag for the access-control entry.
generationlong1The content generation of the object, if applied to an object.
idstringThe ID of the access-control entry.
kindstringThe kind of item this is. For object access control entries, this is alwaysstorage#objectAccessControl.
objectstringThe name of the object, if applied to an object.
projectTeamobjectThe project team associated with the entity, if any.
projectTeam.projectNumberstringThe project number.
projectTeam.teamstringThe team.

Acceptable values are:
  • "editors"
  • "owners"
  • "viewers"
rolestringThe access permission for the entity.

Acceptable values are:
  • "OWNER"
  • "READER"
 writable
selfLinkstringThe link to this access-control entry.
1 This property is a string formatted as the specified value type.

Methods

The methods for working with an object's access controls are as follows:

delete
Permanently deletes the ACL entry for the specified entity on the specifiedobject.
get
Returns the ACL entry for the specified entity on the specifiedobject.
insert
Creates a new ACL entry on the specifiedobject.
list
Retrieves ACL entries on the specifiedobject.
patch
Updates an ACL entry on the specifiedobject. This method supportspatch semantics.
update
Updates an ACL entry on the specifiedobject.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.