Use public access prevention

Overview

This page describes how to use the public access prevention bucket setting and the public access prevention organization policy constraint. Public access prevention lets you restrict public access to your buckets and objects.

Before you begin

Before using public access prevention in Cloud Storage, make sure you have the required IAM role and review the considerations for enforcing public access prevention.

Get required roles

To manage the public access prevention organization policy at the project, folder, or organization level, ask your administrator to grant you the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role on the organization. This predefined role contains the permissions required to manage public access prevention at the project, folder, or organization level. For information about the permissions that are included in this role, refer to details about the Organization Administrator role.

Note: The Organization Policy Administrator role is configured at the organization node, so Project IAM Admins don't have the permissions associated with the role by default.

To manage the public access prevention setting on a bucket, ask your administrator to grant you the Storage Admin (roles/storage.admin) role on the bucket. This role contains the permissions required to manage public access prevention on a bucket.

Note: If the bucket's parent project has public access prevention enforced through an organization policy, Storage Admins can't exempt the bucket from public access prevention.

Review considerations

Before you begin, it's recommended that you ensure no workflows break as a result of blocking public access. See Considerations when enforcing on existing resources for more details.

Use the bucket setting

This section shows how to enforce and remove public access prevention for individual buckets, as well as how to check the status of individual buckets.

Set public access prevention

Important: When you set public access prevention to inherited for an individual bucket, the bucket might still be subject to public access prevention due to an organization policy. To ensure that public access prevention is disabled for a bucket with an inherited setting, make sure public access prevention is also disabled for its parent project.

To change the public access prevention setting for an individual bucket:

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. In the list of buckets, click the name of the bucket for which you want to enforce or remove public access prevention.

  3. In the Bucket details page, click the Permissions tab.

  4. In the Public access card, click Prevent public access to enforce public access prevention, or click Allow public access to remove public access prevention.

  5. Click Confirm.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

Use the gcloud storage buckets update command with the appropriate flag:

    gcloud storage buckets update gs://BUCKET_NAME FLAG

Where:

  • BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.

  • FLAG is either --public-access-prevention to enable public access prevention or --no-public-access-prevention to disable it.

If successful, the response looks similar to the following example:

    Updating gs://my-bucket/...
      Completed 1

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    namespace gcs = ::google::cloud::storage;
    using ::google::cloud::StatusOr;
    [](gcs::Client client, std::string const& bucket_name) {
      gcs::BucketIamConfiguration configuration;
      configuration.public_access_prevention =
          gcs::PublicAccessPreventionEnforced();
      StatusOr<gcs::BucketMetadata> updated = client.PatchBucket(
          bucket_name, gcs::BucketMetadataPatchBuilder().SetIamConfiguration(
                           std::move(configuration)));

      if (!updated) throw std::move(updated).status();
      std::cout << "Public Access Prevention is set to 'enforced' for "
                << updated->name() << "\n";
    }

The following sample sets public access prevention to inherited for a bucket:

    namespace gcs = ::google::cloud::storage;
    using ::google::cloud::StatusOr;
    [](gcs::Client client, std::string const& bucket_name) {
      gcs::BucketIamConfiguration configuration;
      configuration.public_access_prevention =
          gcs::PublicAccessPreventionInherited();
      auto updated = client.PatchBucket(
          bucket_name, gcs::BucketMetadataPatchBuilder().SetIamConfiguration(
                           std::move(configuration)));

      if (!updated) throw std::move(updated).status();
      std::cout << "Public Access Prevention is set to 'inherited' for "
                << updated->name() << "\n";
    }

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    using Google.Apis.Storage.v1.Data;
    using Google.Cloud.Storage.V1;
    using System;

    public class SetPublicAccessPreventionEnforcedSample
    {
        public Bucket SetPublicAccessPreventionEnforced(string bucketName = "your-unique-bucket-name")
        {
            var storage = StorageClient.Create();
            var bucket = storage.GetBucket(bucketName);

            // Set public access prevention to "enforced" for the bucket.
            bucket.IamConfiguration.PublicAccessPrevention = "enforced";
            bucket = storage.UpdateBucket(bucket);

            Console.WriteLine($"Public access prevention is 'enforced' for {bucketName}.");
            return bucket;
        }
    }

The following sample sets public access prevention to inherited for a bucket:

    using Google.Apis.Storage.v1.Data;
    using Google.Cloud.Storage.V1;
    using System;

    public class SetPublicAccessPreventionInheritedSample
    {
        public Bucket SetPublicAccessPreventionInherited(string bucketName = "your-unique-bucket-name")
        {
            var storage = StorageClient.Create();
            var bucket = storage.GetBucket(bucketName);

            // Sets public access prevention to "inherited" for the bucket.
            bucket.IamConfiguration.PublicAccessPrevention = "inherited";
            bucket = storage.UpdateBucket(bucket);

            Console.WriteLine($"Public access prevention is 'inherited' for {bucketName}.");
            return bucket;
        }
    }

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    import (
        "context"
        "fmt"
        "io"
        "time"

        "cloud.google.com/go/storage"
    )

    // setPublicAccessPreventionEnforced sets public access prevention to
    // "enforced" for the bucket.
    func setPublicAccessPreventionEnforced(w io.Writer, bucketName string) error {
        // bucketName := "bucket-name"
        ctx := context.Background()
        client, err := storage.NewClient(ctx)
        if err != nil {
            return fmt.Errorf("storage.NewClient: %w", err)
        }
        defer client.Close()

        ctx, cancel := context.WithTimeout(ctx, time.Second*10)
        defer cancel()

        bucket := client.Bucket(bucketName)
        setPublicAccessPrevention := storage.BucketAttrsToUpdate{
            PublicAccessPrevention: storage.PublicAccessPreventionEnforced,
        }
        if _, err := bucket.Update(ctx, setPublicAccessPrevention); err != nil {
            return fmt.Errorf("Bucket(%q).Update: %w", bucketName, err)
        }
        fmt.Fprintf(w, "Public access prevention is 'enforced' for %v", bucketName)
        return nil
    }

The following sample sets public access prevention to inherited for a bucket:

    import (
        "context"
        "fmt"
        "io"
        "time"

        "cloud.google.com/go/storage"
    )

    // setPublicAccessPreventionInherited sets public access prevention to
    // "inherited" for the bucket.
    func setPublicAccessPreventionInherited(w io.Writer, bucketName string) error {
        // bucketName := "bucket-name"
        ctx := context.Background()
        client, err := storage.NewClient(ctx)
        if err != nil {
            return fmt.Errorf("storage.NewClient: %w", err)
        }
        defer client.Close()

        ctx, cancel := context.WithTimeout(ctx, time.Second*10)
        defer cancel()

        bucket := client.Bucket(bucketName)
        setPublicAccessPrevention := storage.BucketAttrsToUpdate{
            PublicAccessPrevention: storage.PublicAccessPreventionInherited,
        }
        if _, err := bucket.Update(ctx, setPublicAccessPrevention); err != nil {
            return fmt.Errorf("Bucket(%q).Update: %w", bucketName, err)
        }
        fmt.Fprintf(w, "Public access prevention is 'inherited' for %v", bucketName)
        return nil
    }

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    import com.google.cloud.storage.Bucket;
    import com.google.cloud.storage.BucketInfo;
    import com.google.cloud.storage.Storage;
    import com.google.cloud.storage.StorageOptions;

    public class SetPublicAccessPreventionEnforced {
      public static void setPublicAccessPreventionEnforced(String projectId, String bucketName) {
        // The ID of your GCP project
        // String projectId = "your-project-id";

        // The ID of your GCS bucket
        // String bucketName = "your-unique-bucket-name";

        Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
        Bucket bucket = storage.get(bucketName);

        // Enforces public access prevention for the bucket
        bucket.toBuilder()
            .setIamConfiguration(
                BucketInfo.IamConfiguration.newBuilder()
                    .setPublicAccessPrevention(BucketInfo.PublicAccessPrevention.ENFORCED)
                    .build())
            .build()
            .update();

        System.out.println("Public access prevention is set to enforced for " + bucketName);
      }
    }

The following sample sets public access prevention to inherited for a bucket:

    import com.google.cloud.storage.Bucket;
    import com.google.cloud.storage.BucketInfo;
    import com.google.cloud.storage.Storage;
    import com.google.cloud.storage.StorageOptions;

    public class SetPublicAccessPreventionInherited {
      public static void setPublicAccessPreventionInherited(String projectId, String bucketName) {
        // The ID of your GCP project
        // String projectId = "your-project-id";

        // The ID of your GCS bucket
        // String bucketName = "your-unique-bucket-name";

        Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
        Bucket bucket = storage.get(bucketName);

        // Sets public access prevention to 'inherited' for the bucket
        bucket.toBuilder()
            .setIamConfiguration(
                BucketInfo.IamConfiguration.newBuilder()
                    .setPublicAccessPrevention(BucketInfo.PublicAccessPrevention.INHERITED)
                    .build())
            .build()
            .update();

        System.out.println("Public access prevention is set to 'inherited' for " + bucketName);
      }
    }

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    /**
     * TODO(developer): Uncomment the following lines before running the sample.
     */
    // The name of your GCS bucket
    // const bucketName = 'Name of a bucket, e.g. my-bucket';

    // Imports the Google Cloud client library
    const {Storage} = require('@google-cloud/storage');

    // Creates a client
    const storage = new Storage();

    // Enforces public access prevention for the bucket
    async function setPublicAccessPreventionEnforced() {
      await storage.bucket(bucketName).setMetadata({
        iamConfiguration: {
          publicAccessPrevention: 'enforced',
        },
      });

      console.log(
        `Public access prevention is set to enforced for ${bucketName}.`
      );
    }

    setPublicAccessPreventionEnforced();

The following sample sets public access prevention to inherited for a bucket:

    /**
     * TODO(developer): Uncomment the following lines before running the sample.
     */
    // The name of your GCS bucket
    // const bucketName = 'Name of a bucket, e.g. my-bucket';

    // Imports the Google Cloud client library
    const {Storage} = require('@google-cloud/storage');

    // Creates a client
    const storage = new Storage();

    async function setPublicAccessPreventionInherited() {
      // Sets public access prevention to 'inherited' for the bucket
      await storage.bucket(bucketName).setMetadata({
        iamConfiguration: {
          publicAccessPrevention: 'inherited',
        },
      });

      console.log(`Public access prevention is 'inherited' for ${bucketName}.`);
    }

    setPublicAccessPreventionInherited();

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    use Google\Cloud\Storage\StorageClient;

    /**
     * Set the bucket Public Access Prevention to enforced.
     *
     * @param string $bucketName the name of your Cloud Storage bucket.
     *        (e.g. 'my-bucket')
     */
    function set_public_access_prevention_enforced(string $bucketName): void
    {
        $storage = new StorageClient();
        $bucket = $storage->bucket($bucketName);

        $bucket->update([
            'iamConfiguration' => [
                'publicAccessPrevention' => 'enforced'
            ]
        ]);

        printf(
            'Public Access Prevention has been set to enforced for %s.' . PHP_EOL,
            $bucketName
        );
    }

The following sample sets public access prevention to inherited for a bucket:

    use Google\Cloud\Storage\StorageClient;

    /**
     * Set the bucket Public Access Prevention to inherited.
     *
     * @param string $bucketName the name of your Cloud Storage bucket.
     *        (e.g. 'my-bucket')
     */
    function set_public_access_prevention_inherited(string $bucketName): void
    {
        $storage = new StorageClient();
        $bucket = $storage->bucket($bucketName);

        $bucket->update([
            'iamConfiguration' => [
                'publicAccessPrevention' => 'inherited'
            ]
        ]);

        printf(
            'Public Access Prevention has been set to inherited for %s.' . PHP_EOL,
            $bucketName
        );
    }

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    from google.cloud import storage
    from google.cloud.storage.constants import PUBLIC_ACCESS_PREVENTION_ENFORCED


    def set_public_access_prevention_enforced(bucket_name):
        """Enforce public access prevention for a bucket."""
        # The ID of your GCS bucket
        # bucket_name = "my-bucket"

        storage_client = storage.Client()
        bucket = storage_client.get_bucket(bucket_name)

        bucket.iam_configuration.public_access_prevention = (
            PUBLIC_ACCESS_PREVENTION_ENFORCED
        )
        bucket.patch()

        print(f"Public access prevention is set to enforced for {bucket.name}.")

The following sample sets public access prevention to inherited for a bucket:

    from google.cloud import storage
    from google.cloud.storage.constants import PUBLIC_ACCESS_PREVENTION_INHERITED


    def set_public_access_prevention_inherited(bucket_name):
        """Sets the public access prevention status to inherited, so that the bucket inherits its setting from its parent project."""
        # The ID of your GCS bucket
        # bucket_name = "my-bucket"

        storage_client = storage.Client()
        bucket = storage_client.get_bucket(bucket_name)

        bucket.iam_configuration.public_access_prevention = (
            PUBLIC_ACCESS_PREVENTION_INHERITED
        )
        bucket.patch()

        print(f"Public access prevention is 'inherited' for {bucket.name}.")

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

The following sample enforces public access prevention on a bucket:

    def set_public_access_prevention_enforced bucket_name:
      # The ID of your GCS bucket
      # bucket_name = "your-unique-bucket-name"

      require "google/cloud/storage"

      storage = Google::Cloud::Storage.new
      bucket  = storage.bucket bucket_name

      bucket.public_access_prevention = :enforced

      puts "Public access prevention is set to enforced for #{bucket_name}."
    end

The following sample sets public access prevention to inherited for a bucket:

    def set_public_access_prevention_inherited bucket_name:
      # The ID of your GCS bucket
      # bucket_name = "your-unique-bucket-name"

      require "google/cloud/storage"

      storage = Google::Cloud::Storage.new
      bucket  = storage.bucket bucket_name

      bucket.public_access_prevention = :inherited

      puts "Public access prevention is 'inherited' for #{bucket_name}."
    end

REST APIs

JSON API

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Create a JSON file that contains the following information:

        {
          "iamConfiguration": {
            "publicAccessPrevention": "STATE"
          }
        }

    Where STATE is either enforced or inherited.

  3. Use cURL to call the JSON API with a PATCH Bucket request that includes the desired fields:

        curl -X PATCH --data-binary @JSON_FILE_NAME \
          -H "Authorization: Bearer $(gcloud auth print-access-token)" \
          -H "Content-Type: application/json" \
          "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"

    Where:

    • JSON_FILE_NAME is the path for the JSON file that you created in the previous step.
    • BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.

XML API

The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.

View public access prevention status

To view the public access prevention status for an individual bucket:

Console

  1. In the Google Cloud console, go to the Cloud Storage Buckets page.

  2. Click the name of the bucket for which you want to view the public access prevention status.

  3. Click the Permissions tab.

  4. The Public access card shows the status for your bucket.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

Use the gcloud storage buckets describe command with the --format flag:

    gcloud storage buckets describe gs://BUCKET_NAME --format="default(public_access_prevention)"

Where BUCKET_NAME is the name of the bucket whose status you want to view. For example, my-bucket.

If successful, the response looks similar to the following example:

    public_access_prevention: inherited

Client libraries

C++

For more information, see the Cloud Storage C++ API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    namespace gcs = ::google::cloud::storage;
    using ::google::cloud::StatusOr;
    [](gcs::Client client, std::string const& bucket_name) {
      StatusOr<gcs::BucketMetadata> bucket_metadata =
          client.GetBucketMetadata(bucket_name);
      if (!bucket_metadata) throw std::move(bucket_metadata).status();

      if (bucket_metadata->has_iam_configuration() &&
          bucket_metadata->iam_configuration()
              .public_access_prevention.has_value()) {
        std::cout
            << "Public Access Prevention is "
            << *bucket_metadata->iam_configuration().public_access_prevention
            << " for bucket " << bucket_metadata->name() << "\n";
      } else {
        std::cout << "Public Access Prevention is not set for "
                  << bucket_metadata->name() << "\n";
      }
    }

C#

For more information, see the Cloud Storage C# API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    using Google.Apis.Storage.v1.Data;
    using Google.Cloud.Storage.V1;
    using System;

    public class GetPublicAccessPreventionSample
    {
        public string GetPublicAccessPrevention(string bucketName = "your-unique-bucket-name")
        {
            // Gets Bucket Metadata and prints publicAccessPrevention value (either "inherited" or "enforced").
            var storage = StorageClient.Create();
            var bucket = storage.GetBucket(bucketName);
            var publicAccessPrevention = bucket.IamConfiguration.PublicAccessPrevention;

            Console.WriteLine($"Public access prevention is {publicAccessPrevention} for {bucketName}.");
            return publicAccessPrevention;
        }
    }

Go

For more information, see the Cloud Storage Go API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    import (
        "context"
        "fmt"
        "io"
        "time"

        "cloud.google.com/go/storage"
    )

    // getPublicAccessPrevention gets the current public access prevention setting
    // for the bucket, either "enforced" or "inherited".
    func getPublicAccessPrevention(w io.Writer, bucketName string) error {
        // bucketName := "bucket-name"
        ctx := context.Background()
        client, err := storage.NewClient(ctx)
        if err != nil {
            return fmt.Errorf("storage.NewClient: %w", err)
        }
        defer client.Close()

        ctx, cancel := context.WithTimeout(ctx, time.Second*10)
        defer cancel()

        attrs, err := client.Bucket(bucketName).Attrs(ctx)
        if err != nil {
            return fmt.Errorf("Bucket(%q).Attrs: %w", bucketName, err)
        }
        fmt.Fprintf(w, "Public access prevention is %s for %v", attrs.PublicAccessPrevention, bucketName)
        return nil
    }

Java

For more information, see the Cloud Storage Java API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    import com.google.cloud.storage.Bucket;
    import com.google.cloud.storage.BucketInfo;
    import com.google.cloud.storage.Storage;
    import com.google.cloud.storage.StorageOptions;

    public class GetPublicAccessPrevention {
      public static void getPublicAccessPrevention(String projectId, String bucketName) {
        // The ID of your GCP project
        // String projectId = "your-project-id";

        // The ID of your GCS bucket
        // String bucketName = "your-unique-bucket-name";

        Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
        Bucket bucket = storage.get(bucketName);

        // Gets Bucket Metadata and prints publicAccessPrevention value (either 'inherited' or
        // 'enforced').
        BucketInfo.PublicAccessPrevention publicAccessPrevention =
            bucket.getIamConfiguration().getPublicAccessPrevention();

        System.out.println(
            "Public access prevention is set to "
                + publicAccessPrevention.getValue()
                + " for "
                + bucketName);
      }
    }

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    /**
     * TODO(developer): Uncomment the following lines before running the sample.
     */
    // The name of your GCS bucket
    // const bucketName = 'Name of a bucket, e.g. my-bucket';

    // Imports the Google Cloud client library
    const {Storage} = require('@google-cloud/storage');

    // Creates a client
    const storage = new Storage();

    async function getPublicAccessPrevention() {
      // Gets Bucket Metadata and prints publicAccessPrevention value (either 'inherited' or 'enforced').
      const [metadata] = await storage.bucket(bucketName).getMetadata();
      console.log(
        `Public access prevention is ${metadata.iamConfiguration.publicAccessPrevention} for ${bucketName}.`
      );
    }

    getPublicAccessPrevention();

PHP

For more information, see the Cloud Storage PHP API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    use Google\Cloud\Storage\StorageClient;

    /**
     * Get the Public Access Prevention setting for a bucket
     *
     * @param string $bucketName the name of your Cloud Storage bucket.
     *        (e.g. 'my-bucket')
     */
    function get_public_access_prevention(string $bucketName): void
    {
        $storage = new StorageClient();
        $bucket = $storage->bucket($bucketName);

        $iamConfiguration = $bucket->info()['iamConfiguration'];

        printf(
            'The bucket public access prevention is %s for %s.' . PHP_EOL,
            $iamConfiguration['publicAccessPrevention'],
            $bucketName
        );
    }

Python

For more information, see the Cloud Storage Python API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    from google.cloud import storage


    def get_public_access_prevention(bucket_name):
        """Gets the public access prevention setting (either 'inherited' or 'enforced') for a bucket."""
        # The ID of your GCS bucket
        # bucket_name = "my-bucket"

        storage_client = storage.Client()
        bucket = storage_client.get_bucket(bucket_name)
        iam_configuration = bucket.iam_configuration

        print(
            f"Public access prevention is {iam_configuration.public_access_prevention} for {bucket.name}."
        )

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.

    def get_public_access_prevention bucket_name:
      # The ID of your GCS bucket
      # bucket_name = "your-unique-bucket-name"

      require "google/cloud/storage"

      storage = Google::Cloud::Storage.new
      bucket  = storage.bucket bucket_name

      puts "Public access prevention is '#{bucket.public_access_prevention}' for #{bucket_name}."
    end

REST APIs

JSON API

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Use cURL to call the JSON API with a GET Bucket request that includes the desired fields:

        curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
          "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"

    Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.

    The response looks like the following example:

        {
          "iamConfiguration": {
            ...
            "publicAccessPrevention": "FLAG"
          }
        }

    Where FLAG is either inherited or enforced.

XML API

The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.

Use the organization policy

This section shows how to enforce and remove the public access prevention organization policy, as well as how to check the status of the policy.

Set public access prevention

To set public access prevention at the project, folder, or organization level:

Console

Follow the instructions at Creating and managing organization policies using the storage.publicAccessPrevention constraint.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

Use the gcloud beta resource-manager org-policies command:

    gcloud beta resource-manager org-policies STATE \
      constraints/storage.publicAccessPrevention \
      --RESOURCE RESOURCE_ID

Where:

  • STATE can have the following values:

    • enable-enforce: Enforce public access prevention for the resource.
    • disable-enforce: Disable public access prevention for the resource.
    • delete: Remove the organization policy constraint from the resource, so that the resource inherits the value of its parent resource.

  • RESOURCE is the resource for which you want to set public access prevention. For example, organization, project, or folder.

  • RESOURCE_ID is the ID for the resource. For example, 123456789012 for an organization ID, 245321 for a folder ID, or my-pet-project for a project ID.

See Using constraints for more instructions.

The following is an example of the output when you use disable-enforce:

    etag: BwVJi0OOESU=
    booleanPolicy: {}
    constraint: constraints/storage.publicAccessPrevention

View public access prevention status

To view the public access prevention status at the project, folder, or organization level:

Console

Follow the instructions at Creating and managing organization policies using the storage.publicAccessPrevention constraint.

To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.

Command line

Use the describe --effective command:

    gcloud beta resource-manager org-policies describe \
      constraints/storage.publicAccessPrevention --effective \
      --RESOURCE RESOURCE_ID

Where:

  • RESOURCE is the resource for which you want to view the public access prevention status. For example, organization, project, or folder.

  • RESOURCE_ID is the ID for the resource. For example, 123456789012 for an organization ID, 245321 for a folder ID, and my-pet-project for a project ID.

See Using constraints for more instructions.
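
The Important note under "Set public access prevention" and the STATE values above combine into one rule: whether a bucket is actually protected depends on its own setting and on the nearest organization policy in its resource hierarchy. The following Python is an added example, not Google sample code; the hierarchy, the bucket records and the `project` key are constructed, and it assumes nothing is enforced when no ancestor sets the constraint.

```python
import json

# Constructed resource hierarchy (not real resources). "pap" holds the
# constraints/storage.publicAccessPrevention state set directly on the node,
# in the page's STATE vocabulary; None means the constraint was deleted or
# never set there, so the node inherits from its parent.
HIERARCHY = {
    "organizations/123456789012": {"parent": None, "pap": None},
    "folders/245321": {"parent": "organizations/123456789012",
                       "pap": "enable-enforce"},
    "projects/my-pet-project": {"parent": "folders/245321", "pap": None},
    "projects/legacy-site": {"parent": "folders/245321",
                             "pap": "disable-enforce"},
    "projects/sandbox": {"parent": "organizations/123456789012", "pap": None},
}

# Constructed bucket records. iamConfiguration.publicAccessPrevention is the
# JSON API field shown on the page; "project" is a hypothetical key added here
# to link each bucket to its parent project.
BUCKETS_JSON = """[
  {"name": "invoices", "project": "projects/my-pet-project",
   "iamConfiguration": {"publicAccessPrevention": "inherited"}},
  {"name": "www-assets", "project": "projects/legacy-site",
   "iamConfiguration": {"publicAccessPrevention": "inherited"}},
  {"name": "scratch", "project": "projects/sandbox",
   "iamConfiguration": {"publicAccessPrevention": "inherited"}},
  {"name": "backups", "project": "projects/sandbox",
   "iamConfiguration": {"publicAccessPrevention": "enforced"}}
]"""


def policy_state(node, hierarchy):
    """Return (enforced, deciding_node) for the constraint as seen from node."""
    seen = set()
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in hierarchy at {node}")
        seen.add(node)
        state = hierarchy[node]["pap"]
        if state == "enable-enforce":
            return True, node
        if state == "disable-enforce":
            return False, node
        if state is not None:
            raise ValueError(f"unknown state {state!r} on {node}")
        node = hierarchy[node]["parent"]
    # Assumption: with no policy anywhere in the chain, nothing is enforced.
    return False, None


def effective_pap(bucket, hierarchy):
    """Return (bucket_setting, effective, source) for one bucket record."""
    # Assumption: a record without the field is treated as "inherited".
    setting = bucket.get("iamConfiguration", {}).get(
        "publicAccessPrevention", "inherited")
    if setting not in ("enforced", "inherited"):
        raise ValueError(f"unexpected setting {setting!r} on {bucket['name']}")
    enforced, decided_by = policy_state(bucket["project"], hierarchy)
    if enforced:
        # An enforcing ancestor wins; a bucket setting cannot exempt itself.
        return setting, "enforced", decided_by
    if setting == "enforced":
        return setting, "enforced", "bucket"
    return setting, "not enforced", decided_by or "no policy set"


def audit(buckets_json, hierarchy):
    """Map bucket name -> (bucket_setting, effective, source)."""
    return {b["name"]: effective_pap(b, hierarchy)
            for b in json.loads(buckets_json)}


def unprotected(report):
    """Names of buckets where public access prevention is not in effect."""
    return sorted(n for n, (_, eff, _) in report.items() if eff == "not enforced")


if __name__ == "__main__":
    for name, row in audit(BUCKETS_JSON, HIERARCHY).items():
        print(f"{name:12} setting={row[0]:9} effective={row[1]:12} via {row[2]}")
```

Buckets returned by `unprotected` are the ones to review before relying on an inherited setting: either no ancestor enforces the constraint or a closer ancestor disables it.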

Last updated 2025-12-15 UTC.