ObjectAccessControls: insert

Creates a new ACL entry on the specifiedobject.

Important: This method fails with a400 Bad Request response for buckets with uniform bucket-level access enabled. Use storage.buckets.getIamPolicy andstorage.buckets.setIamPolicy to control access instead.

Required permissions

The authenticated user must have one of the following permissions to use this method:

Thestorage.objects.setIamPolicy IAM permission for the bucketcontaining the object
TheOWNER ACL permission for the object

POST https://storage.googleapis.com/storage/v1/b/bucket/o/object/acl

In addition tostandard query parameters, the following query parameters apply to this method.

To see an example of how to include query parameters in a request, see theJSON API Overview page.

Parameter name	Value	Description
Path parameters
`bucket`	`string`	Name of a bucket.
`object`	`string`	Name of the object. For information about how to URL encode object names to be path safe, seeEncoding URI path parts.
Optional query parameters
`generation`	`long`	If present, selects a specific revision of this object (as opposed to the latest version, the default).

In the request body, supply anObjectAccessControls resource with the following properties:

Property name Value Description Notes

Property name	Value	Description	Notes
Required Properties
`entity`	`string`	The entity holding the permission, in one of the following forms: `user-email` `group-groupId` `group-email` `domain-domain` `project-team-projectId` `allUsers` `allAuthenticatedUsers` Examples: The user`liz@example.com` would be`user-liz@example.com`. The group`example@googlegroups.com` would be`group-example@googlegroups.com`. To refer to all members of the domain`example.com`, the entity would be`domain-example.com`.	writable
`role`	`string`	The access permission for the entity. Acceptable values are: "`OWNER`" "`READER`"	writable

Required Properties

entity

string

The entity holding the permission, in one of the following forms:

Examples:

The userliz@example.com would beuser-liz@example.com.
The groupexample@googlegroups.com would begroup-example@googlegroups.com.
To refer to all members of the domainexample.com, the entity would bedomain-example.com.

writable

role

string

The access permission for the entity.

Acceptable values are:

writable

If successful, this method returns anObjectAccessControls resource in the response body.

Use the APIs Explorer below to call this method on live data and see the response.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.