Use uniform bucket-level access
This page shows you how to enable, disable, and check the status ofuniform bucket-level access on a bucket in Cloud Storage.
Required roles
To get the permissions that you need to set and manage uniform bucket-level access on abucket, ask your administrator to grant you the Storage Admin(roles/storage.admin) role on the bucket. Thispredefined role contains the permissions required to set and manageuniform bucket-level access. To see the exact permissions that are required, expand theRequired permissions section:
Required permissions
storage.buckets.getstorage.buckets.list- This permission is only required if you plan on using theGoogle Cloud console to perform the instructions on this page.
storage.buckets.update
You might also be able to get these permissions withcustom roles.
For information about granting roles on buckets, seeUse IAM with buckets.
Check for ACL usage
Before you enable uniform bucket-level access, use Cloud Monitoring to ensure yourbucket is not using ACLs for any workflows. For more information, seeCheck object ACL usage.
Console
To view the metrics for a monitored resource by using theMetrics Explorer, do the following:
In the Google Cloud console, go to theleaderboard Metrics explorer page:
If you use the search bar to find this page, then select the result whose subheading isMonitoring.
- In the toolbar of the Google Cloud console, select your Google Cloud project. ForApp Hub configurations, select the App Hub host project or the app-enabled folder's management project.
- In theMetric element, expand theSelect a metric menu, enter
ACLs usagein the filter bar, and then use the submenus to select a specific resource type and metric:- In theActive resources menu, selectGCS Bucket.
- In theActive metric categories menu, selectAuthz.
- In theActive metrics menu, selectACLs usage.
- ClickApply.
To add filters, which remove time series from the query results, use theFilter element.
- Configure how the data is viewed. For example, to view your data by the ACLoperation, for theAggregation element, set the first menu toSumand the second menu toacl_operation.
For more information about configuring a chart, seeSelect metrics when using Metrics Explorer.
Seestorage for a complete list of metrics available forCloud Storage. For information about time series, seeMetrics, time series, and resources.
JSON API
Have gcloud CLIinstalled and initialized, which lets you generate an access token for the
Authorizationheader.Use
cURLto call theMonitoringJSON API:curl\'https://monitoring.googleapis.com/v3/projects/PROJECT_ID/timeSeries?filter=metric.type%20%3D%20%22storage.googleapis.com%2Fauthz%2Facl_operations_count%22&interval.endTime=END_TIME&interval.startTime=START_TIME' \--header'Authorization:Bearer$(gcloudauthprint-access-token)'\--header'Accept:application/json'
Where:
PROJECT_IDis the project ID or number forwhich you want to view ACL usage. For example,my-project.END_TIMEis the end of the time range forwhich you want to view ACL usage. For example,2019-11-02T15:01:23.045123456Z.START_TIMEis the start of the time range forwhich you want to view ACL usage. For example,2016-10-02T15:01:23.045123456Z.
If the request returns an empty object{}, there is no recent ACL usage for your project.
Set uniform bucket-level access
Note: There are several requirements that must be met before you can disableuniform bucket-level access. To review the requirements, seeRequirements for disabling uniform bucket-level access.Console
- In the Google Cloud console, go to the Cloud StorageBuckets page.
In the list of buckets, click the name of the bucket for which you wantto enable or disable uniform bucket-level access.
Select thePermissions tab near the top of the page.
In the field namedAccess Control, click theSwitch to link.
In the menu that appears, selectUniform orFine-grained.
ClickSave.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, seeTroubleshooting.
Command line
Use thegcloud storage buckets update command:
gcloud storage buckets update gs://BUCKET_NAME --STATE
Where:
BUCKET_NAMEis the name of the relevantbucket. For example,my-bucket.STATEis eitheruniform-bucket-level-accessto enable uniform bucket-level access orno-uniform-bucket-level-accesstodisable it.
Client libraries
For more information, see theCloud StorageC++ API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket: For more information, see theCloud StorageC# API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket: For more information, see theCloud StorageGo API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket: For more information, see theCloud StorageJava API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket: For more information, see theCloud StorageNode.js API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket: For more information, see theCloud StoragePHP API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket: For more information, see theCloud StoragePython API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket: For more information, see theCloud StorageRuby API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. The following sample enables uniform bucket-level access on a bucket: The following sample disables uniform bucket-level access on a bucket:C++
namespacegcs=::google::cloud::storage;using::google::cloud::StatusOr;[](gcs::Clientclient,std::stringconst&bucket_name){gcs::BucketIamConfigurationconfiguration;configuration.uniform_bucket_level_access=gcs::UniformBucketLevelAccess{true,{}};StatusOr<gcs::BucketMetadata>updated=client.PatchBucket(bucket_name,gcs::BucketMetadataPatchBuilder().SetIamConfiguration(std::move(configuration)));if(!updated)throwstd::move(updated).status();std::cout <<"Successfully enabled Uniform Bucket Level Access on bucket " <<updated->name() <<"\n";}namespacegcs=::google::cloud::storage;using::google::cloud::StatusOr;[](gcs::Clientclient,std::stringconst&bucket_name){gcs::BucketIamConfigurationconfiguration;configuration.uniform_bucket_level_access=gcs::UniformBucketLevelAccess{false,{}};StatusOr<gcs::BucketMetadata>updated=client.PatchBucket(bucket_name,gcs::BucketMetadataPatchBuilder().SetIamConfiguration(std::move(configuration)));if(!updated)throwstd::move(updated).status();std::cout <<"Successfully disabled Uniform Bucket Level Access on bucket " <<updated->name() <<"\n";}C#
usingGoogle.Apis.Storage.v1.Data;usingGoogle.Cloud.Storage.V1;usingSystem;publicclassEnableUniformBucketLevelAccessSample{publicBucketEnableUniformBucketLevelAccess(stringbucketName="your-unique-bucket-name"){varstorage=StorageClient.Create();varbucket=storage.GetBucket(bucketName);bucket.IamConfiguration.UniformBucketLevelAccess.Enabled=true;bucket=storage.UpdateBucket(bucket);Console.WriteLine($"Uniform bucket-level access was enabled for {bucketName}.");returnbucket;}}usingGoogle.Apis.Storage.v1.Data;usingGoogle.Cloud.Storage.V1;usingSystem;publicclassDisableUniformBucketLevelAccessSample{publicBucketDisableUniformBucketLevelAccess(stringbucketName="your-unique-bucket-name"){varstorage=StorageClient.Create();varbucket=storage.GetBucket(bucketName);bucket.IamConfiguration.UniformBucketLevelAccess.Enabled=false;bucket.IamConfiguration.BucketPolicyOnly.Enabled=false;bucket=storage.UpdateBucket(bucket);Console.WriteLine($"Uniform bucket-level access was disabled for {bucketName}.");returnbucket;}}Go
import("context""fmt""io""time""cloud.google.com/go/storage")// enableUniformBucketLevelAccess sets uniform bucket-level access to true.funcenableUniformBucketLevelAccess(wio.Writer,bucketNamestring)error{// bucketName := "bucket-name"ctx:=context.Background()client,err:=storage.NewClient(ctx)iferr!=nil{returnfmt.Errorf("storage.NewClient: %w",err)}deferclient.Close()ctx,cancel:=context.WithTimeout(ctx,time.Second*10)defercancel()bucket:=client.Bucket(bucketName)enableUniformBucketLevelAccess:=storage.BucketAttrsToUpdate{UniformBucketLevelAccess:&storage.UniformBucketLevelAccess{Enabled:true,},}if_,err:=bucket.Update(ctx,enableUniformBucketLevelAccess);err!=nil{returnfmt.Errorf("Bucket(%q).Update: %w",bucketName,err)}fmt.Fprintf(w,"Uniform bucket-level access was enabled for %v\n",bucketName)returnnil}import("context""fmt""io""time""cloud.google.com/go/storage")// disableUniformBucketLevelAccess sets uniform bucket-level access to false.funcdisableUniformBucketLevelAccess(wio.Writer,bucketNamestring)error{// bucketName := "bucket-name"ctx:=context.Background()client,err:=storage.NewClient(ctx)iferr!=nil{returnfmt.Errorf("storage.NewClient: %w",err)}deferclient.Close()ctx,cancel:=context.WithTimeout(ctx,time.Second*10)defercancel()bucket:=client.Bucket(bucketName)disableUniformBucketLevelAccess:=storage.BucketAttrsToUpdate{UniformBucketLevelAccess:&storage.UniformBucketLevelAccess{Enabled:false,},}if_,err:=bucket.Update(ctx,disableUniformBucketLevelAccess);err!=nil{returnfmt.Errorf("Bucket(%q).Update: %w",bucketName,err)}fmt.Fprintf(w,"Uniform bucket-level access was disabled for %v\n",bucketName)returnnil}Java
importcom.google.cloud.storage.Bucket;importcom.google.cloud.storage.BucketInfo;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.Storage.BucketTargetOption;importcom.google.cloud.storage.StorageException;importcom.google.cloud.storage.StorageOptions;publicclassEnableUniformBucketLevelAccess{publicstaticvoidenableUniformBucketLevelAccess(StringprojectId,StringbucketName)throwsStorageException{// The ID of your GCP project// String projectId = "your-project-id";// The ID of your GCS bucket// String bucketName = "your-unique-bucket-name";Storagestorage=StorageOptions.newBuilder().setProjectId(projectId).build().getService();// first look up the bucket, so we will have its metagenerationBucketbucket=storage.get(bucketName);BucketInfo.IamConfigurationiamConfiguration=BucketInfo.IamConfiguration.newBuilder().setIsUniformBucketLevelAccessEnabled(true).build();storage.update(bucket.toBuilder().setIamConfiguration(iamConfiguration).setAcl(null).setDefaultAcl(null).build(),BucketTargetOption.metagenerationMatch());System.out.println("Uniform bucket-level access was enabled for "+bucketName);}}importcom.google.cloud.storage.Bucket;importcom.google.cloud.storage.BucketInfo;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.Storage.BucketTargetOption;importcom.google.cloud.storage.StorageException;importcom.google.cloud.storage.StorageOptions;publicclassDisableUniformBucketLevelAccess{publicstaticvoiddisableUniformBucketLevelAccess(StringprojectId,StringbucketName)throwsStorageException{// The ID of your GCP project// String projectId = "your-project-id";// The ID of your GCS bucket// String bucketName = "your-unique-bucket-name";Storagestorage=StorageOptions.newBuilder().setProjectId(projectId).build().getService();// first look up the bucket, so we will have its metagenerationBucketbucket=storage.get(bucketName);BucketInfo.IamConfigurationiamConfiguration=BucketInfo.IamConfiguration.newBuilder().setIsUniformBucketLevelAccessEnabled(false).build();storage.update(bucket.toBuilder().setIamConfiguration(iamConfiguration).build(),BucketTargetOption.metagenerationMatch());System.out.println("Uniform bucket-level access was disabled for "+bucketName);}}Node.js
/** * TODO(developer): Uncomment the following lines before running the sample. */// The ID of your GCS bucket// const bucketName = 'your-unique-bucket-name';// Imports the Google Cloud client libraryconst{Storage}=require('@google-cloud/storage');// Creates a clientconststorage=newStorage();// Enables uniform bucket-level access for the bucketasyncfunctionenableUniformBucketLevelAccess(){awaitstorage.bucket(bucketName).setMetadata({iamConfiguration:{uniformBucketLevelAccess:{enabled:true,},},});console.log(`Uniform bucket-level access was enabled for${bucketName}.`);}enableUniformBucketLevelAccess().catch(console.error);/** * TODO(developer): Uncomment the following lines before running the sample. */// The ID of your GCS bucket// const bucketName = 'your-unique-bucket-name';// Imports the Google Cloud client libraryconst{Storage}=require('@google-cloud/storage');// Creates a clientconststorage=newStorage();asyncfunctiondisableUniformBucketLevelAccess(){// Disables uniform bucket-level access for the bucketawaitstorage.bucket(bucketName).setMetadata({iamConfiguration:{uniformBucketLevelAccess:{enabled:false,},},});console.log(`Uniform bucket-level access was disabled for${bucketName}.`);}disableUniformBucketLevelAccess().catch(console.error);PHP
use Google\Cloud\Storage\StorageClient;/** * Enable uniform bucket-level access. * * @param string $bucketName The name of your Cloud Storage bucket. * (e.g. 'my-bucket') */function enable_uniform_bucket_level_access(string $bucketName): void{ $storage = new StorageClient(); $bucket = $storage->bucket($bucketName); $bucket->update([ 'iamConfiguration' => [ 'uniformBucketLevelAccess' => [ 'enabled' => true ], ] ]); printf('Uniform bucket-level access was enabled for %s' . PHP_EOL, $bucketName);}use Google\Cloud\Storage\StorageClient;/** * Enable uniform bucket-level access. * * @param string $bucketName The name of your Cloud Storage bucket. * (e.g. 'my-bucket') */function disable_uniform_bucket_level_access(string $bucketName): void{ $storage = new StorageClient(); $bucket = $storage->bucket($bucketName); $bucket->update([ 'iamConfiguration' => [ 'uniformBucketLevelAccess' => [ 'enabled' => false ], ] ]); printf('Uniform bucket-level access was disabled for %s' . PHP_EOL, $bucketName);}Python
fromgoogle.cloudimportstoragedefenable_uniform_bucket_level_access(bucket_name):"""Enable uniform bucket-level access for a bucket"""# bucket_name = "my-bucket"storage_client=storage.Client()bucket=storage_client.get_bucket(bucket_name)bucket.iam_configuration.uniform_bucket_level_access_enabled=Truebucket.patch()print(f"Uniform bucket-level access was enabled for{bucket.name}.")fromgoogle.cloudimportstoragedefdisable_uniform_bucket_level_access(bucket_name):"""Disable uniform bucket-level access for a bucket"""# bucket_name = "my-bucket"storage_client=storage.Client()bucket=storage_client.get_bucket(bucket_name)bucket.iam_configuration.uniform_bucket_level_access_enabled=Falsebucket.patch()print(f"Uniform bucket-level access was disabled for{bucket.name}.")Ruby
defenable_uniform_bucket_level_accessbucket_name:# The ID of your GCS bucket# bucket_name = "your-unique-bucket-name"require"google/cloud/storage"storage=Google::Cloud::Storage.newbucket=storage.bucketbucket_namebucket.uniform_bucket_level_access=trueputs"Uniform bucket-level access was enabled for#{bucket_name}."enddefdisable_uniform_bucket_level_accessbucket_name:# The ID of your GCS bucket# bucket_name = "your-unique-bucket-name"require"google/cloud/storage"storage=Google::Cloud::Storage.newbucket=storage.bucketbucket_namebucket.uniform_bucket_level_access=falseputs"Uniform bucket-level access was disabled for#{bucket_name}."end
REST APIs
JSON API
Have gcloud CLIinstalled and initialized, which lets you generate an access token for the
Authorizationheader.Create a JSON file that contains the following information:
{"iamConfiguration":{"uniformBucketLevelAccess":{"enabled":STATE}}}
WhereSTATE is either
trueorfalse.Use
cURLto call the JSON API with aPATCHBucketrequest:curl -X PATCH --data-binary @JSON_FILE_NAME \-H "Authorization: Bearer $(gcloud auth print-access-token)" \-H "Content-Type: application/json" \"https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where:
JSON_FILE_NAMEis the path for the filethat you created in Step 2.BUCKET_NAMEis the name of the relevantbucket. For example,my-bucket.
XML API
The XML API cannot be used to work with uniform bucket-level access. Use one ofthe other Cloud Storage tools, such as the gcloud CLI,instead.
View uniform bucket-level access status
Console
- In the Google Cloud console, go to the Cloud StorageBuckets page.
Click the name of the bucket whose status you want to view.
Click theConfiguration tab.
The uniform bucket-level access status for the bucket is found in theAccess control field.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, seeTroubleshooting.
Command line
Use thegcloud storage buckets describe command with the--format flag:
gcloud storage buckets describe gs://BUCKET_NAME --format="default(uniform_bucket_level_access)"
WhereBUCKET_NAME is the name of the relevantbucket. For example,my-bucket.
If successful, the response looks like:
uniform_bucket_level_access:true
Client libraries
For more information, see theCloud StorageC++ API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. For more information, see theCloud StorageC# API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. For more information, see theCloud StorageGo API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. For more information, see theCloud StorageJava API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. For more information, see theCloud StorageNode.js API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. For more information, see theCloud StoragePHP API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. For more information, see theCloud StoragePython API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries. For more information, see theCloud StorageRuby API reference documentation. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, seeSet up authentication for client libraries.C++
namespacegcs=::google::cloud::storage;using::google::cloud::StatusOr;[](gcs::Clientclient,std::stringconst&bucket_name){StatusOr<gcs::BucketMetadata>bucket_metadata=client.GetBucketMetadata(bucket_name);if(!bucket_metadata)throwstd::move(bucket_metadata).status();if(bucket_metadata->has_iam_configuration()&&bucket_metadata->iam_configuration().uniform_bucket_level_access.has_value()){gcs::UniformBucketLevelAccessuniform_bucket_level_access=*bucket_metadata->iam_configuration().uniform_bucket_level_access;std::cout <<"Uniform Bucket Level Access is enabled for " <<bucket_metadata->name() <<"\n";std::cout <<"Bucket will be locked on " <<uniform_bucket_level_access <<"\n";}else{std::cout <<"Uniform Bucket Level Access is not enabled for " <<bucket_metadata->name() <<"\n";}}C#
usingGoogle.Cloud.Storage.V1;usingSystem;usingstaticGoogle.Apis.Storage.v1.Data.Bucket.IamConfigurationData;publicclassGetUniformBucketLevelAccessSample{publicUniformBucketLevelAccessDataGetUniformBucketLevelAccess(stringbucketName="your-unique-bucket-name"){varstorage=StorageClient.Create();varbucket=storage.GetBucket(bucketName);varuniformBucketLevelAccess=bucket.IamConfiguration.UniformBucketLevelAccess;booluniformBucketLevelAccessEnabled=uniformBucketLevelAccess.Enabled??false;if(uniformBucketLevelAccessEnabled){Console.WriteLine($"Uniform bucket-level access is enabled for {bucketName}.");Console.WriteLine($"Uniform bucket-level access will be locked on {uniformBucketLevelAccess.LockedTime}.");}else{Console.WriteLine($"Uniform bucket-level access is not enabled for {bucketName}.");}returnuniformBucketLevelAccess;}}Go
import("context""fmt""io""time""cloud.google.com/go/storage")// getUniformBucketLevelAccess gets uniform bucket-level access.funcgetUniformBucketLevelAccess(wio.Writer,bucketNamestring)(*storage.BucketAttrs,error){// bucketName := "bucket-name"ctx:=context.Background()client,err:=storage.NewClient(ctx)iferr!=nil{returnnil,fmt.Errorf("storage.NewClient: %w",err)}deferclient.Close()ctx,cancel:=context.WithTimeout(ctx,time.Second*10)defercancel()attrs,err:=client.Bucket(bucketName).Attrs(ctx)iferr!=nil{returnnil,fmt.Errorf("Bucket(%q).Attrs: %w",bucketName,err)}uniformBucketLevelAccess:=attrs.UniformBucketLevelAccessifuniformBucketLevelAccess.Enabled{fmt.Fprintf(w,"Uniform bucket-level access is enabled for %q.\n",attrs.Name)fmt.Fprintf(w,"Bucket will be locked on %q.\n",uniformBucketLevelAccess.LockedTime)}else{fmt.Fprintf(w,"Uniform bucket-level access is not enabled for %q.\n",attrs.Name)}returnattrs,nil}Java
importcom.google.cloud.storage.Bucket;importcom.google.cloud.storage.BucketInfo;importcom.google.cloud.storage.Storage;importcom.google.cloud.storage.StorageException;importcom.google.cloud.storage.StorageOptions;importjava.util.Date;publicclassGetUniformBucketLevelAccess{publicstaticvoidgetUniformBucketLevelAccess(StringprojectId,StringbucketName)throwsStorageException{// The ID of your GCP project// String projectId = "your-project-id";// The ID of your GCS bucket// String bucketName = "your-unique-bucket-name";Storagestorage=StorageOptions.newBuilder().setProjectId(projectId).build().getService();Bucketbucket=storage.get(bucketName,Storage.BucketGetOption.fields(Storage.BucketField.IAMCONFIGURATION));BucketInfo.IamConfigurationiamConfiguration=bucket.getIamConfiguration();Booleanenabled=iamConfiguration.isUniformBucketLevelAccessEnabled();DatelockedTime=newDate(iamConfiguration.getUniformBucketLevelAccessLockedTime());if(enabled!=null &&enabled){System.out.println("Uniform bucket-level access is enabled for "+bucketName);System.out.println("Bucket will be locked on "+lockedTime);}else{System.out.println("Uniform bucket-level access is disabled for "+bucketName);}}}Node.js
/** * TODO(developer): Uncomment the following lines before running the sample. */// The ID of your GCS bucket// const bucketName = 'your-unique-bucket-name';// Imports the Google Cloud client libraryconst{Storage}=require('@google-cloud/storage');// Creates a clientconststorage=newStorage();asyncfunctiongetUniformBucketLevelAccess(){// Gets Bucket Metadata and checks if uniform bucket-level access is enabled.const[metadata]=awaitstorage.bucket(bucketName).getMetadata();if(metadata.iamConfiguration){constuniformBucketLevelAccess=metadata.iamConfiguration.uniformBucketLevelAccess;console.log(`Uniform bucket-level access is enabled for${bucketName}.`);console.log(`Bucket will be locked on${uniformBucketLevelAccess.lockedTime}.`);}else{console.log(`Uniform bucket-level access is not enabled for${bucketName}.`);}}getUniformBucketLevelAccess().catch(console.error);PHP
use Google\Cloud\Storage\StorageClient;/** * Enable uniform bucket-level access. * * @param string $bucketName The name of your Cloud Storage bucket. * (e.g. 'my-bucket') */function get_uniform_bucket_level_access(string $bucketName): void{ $storage = new StorageClient(); $bucket = $storage->bucket($bucketName); $bucketInformation = $bucket->info(); $ubla = $bucketInformation['iamConfiguration']['uniformBucketLevelAccess']; if ($ubla['enabled']) { printf('Uniform bucket-level access is enabled for %s' . PHP_EOL, $bucketName); printf('Uniform bucket-level access will be locked on %s' . PHP_EOL, $ubla['LockedTime']); } else { printf('Uniform bucket-level access is disabled for %s' . PHP_EOL, $bucketName); }}Python
fromgoogle.cloudimportstoragedefget_uniform_bucket_level_access(bucket_name):"""Get uniform bucket-level access for a bucket"""# bucket_name = "my-bucket"storage_client=storage.Client()bucket=storage_client.get_bucket(bucket_name)iam_configuration=bucket.iam_configurationifiam_configuration.uniform_bucket_level_access_enabled:print(f"Uniform bucket-level access is enabled for{bucket.name}.")print("Bucket will be locked on{}.".format(iam_configuration.uniform_bucket_level_locked_time))else:print(f"Uniform bucket-level access is disabled for{bucket.name}.")Ruby
defget_uniform_bucket_level_accessbucket_name:# The ID of your GCS bucket# bucket_name = "your-unique-bucket-name"require"google/cloud/storage"storage=Google::Cloud::Storage.newbucket=storage.bucketbucket_nameifbucket.uniform_bucket_level_access?puts"Uniform bucket-level access is enabled for#{bucket_name}."puts"Bucket will be locked on#{bucket.uniform_bucket_level_access_locked_at}."elseputs"Uniform bucket-level access is disabled for#{bucket_name}."endend
REST APIs
JSON API
Have gcloud CLIinstalled and initialized, which lets you generate an access token for the
Authorizationheader.Use
cURLto call the JSON API with aGETBucketrequest that includes the desiredfields:curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \"https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where
BUCKET_NAMEis the name of therelevant bucket. For example,my-bucket.If the bucket has uniform bucket-level access enabled, the response lookslike the following example:
{"iamConfiguration":{"uniformBucketLevelAccess":{"enabled":true,"lockedTime":"LOCK_DATE"}}}
XML API
The XML API cannot be used to work with uniform bucket-level access. Use one ofthe other Cloud Storage tools, such as the gcloud CLI,instead.
What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.