Skip to main content

Creating and Managing GCP Storage Bucket Roles and ACLs

Hands-On Lab


Photo of Matthew Ulasien

Matthew Ulasien

Team Lead Google Cloud in Content





Google Cloud Storage makes it possible to control who has access to the files stored in it's buckets in a number of ways. Generally, you can choose to allow uniform permissions to be applied at the bucket level, the default option. Or, you can opt to use the fine-grained permission control option, which allows you to specify permissions and accessibility for each object in the bucket individually. In this Hands-On Lab, I'll show you how to set up buckets, populate them with files from a repository, and then set the permissions as desired.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Creating and Managing GCP Storage Bucket Roles and ACLs

In this lab, we've been directed to create two storage buckets: one for fine-grained access control and another that grants uniform access. We'll need to retrieve and populate the buckets with files for testing; then, we'll set up one bucket so that it has fine-grained control where only one object is generally viewable, and the other bucket is set for uniform access so that all objects share the same permissions.

We'll need to accomplish the following:

  1. Create a Cloud Storage buckets for our files
  2. Retrieve our working files
  3. Set the object-level permissions
  4. Set the bucket-level permissions

Before We Begin

To get started, we need to log in to our Google Cloud Platform using the provided credentials. It is recommended we use an Incognito window.

Create Cloud Storage Buckets

Once we log in, on the main Google Cloud Platform page, click on the main navigation menu (the three horizontal lines at the top of the page). Scroll down and select Storage then Browse. Here, select the button to activate the Cloud Shell, which looks like >_ at the top right of the page. Select Continue to finish connecting to the Cloud Shell. In here, we need to create the first bucket for uniform access, with a unique name. In this example, we need to replace the [BUCKET_NAME] to a unique name: gsutil mb gs://[BUCKET_NAME]/.

Next, we need to create a second bucket for fine-grained access, also with a unique name, and again replacing [BUCKET_NAME]: gsutil mb gs://[BUCKET_NAME]/

At the top of the Storage browser page, select the REFRESH button to see our new buckets.

Retrieve the Working Files

With the buckets created, we need to retrieve our working files. We will use git to claim those files using the following: git clone

Next, we need to change the directories with the following command: cd content-gc-iam-deepdive/

Copy the appropriate files from our Cloud Shell to our buckets with the following commands:

gsutil -m cp -r fine-grained-access/* gs://[BUCKET_NAME]/
gsutil -m cp -r uniform-access/* gs://[BUCKET_NAME]/

Finally, we need to confirm the files were copied by returning to the Cloud Storage Browser and refreshing the buckets. Each now has three images.

Set the Fine-Grained Permissions

With our buckets set and files placed, we need to set our fine-grained permissions. This will allow us to set permissions for a single image in our fine-grained bucket.

From the Storage Browser page, open the fine-grained-access bucket. Now, go to the right of one of the images, select the Action (3-dot) menu, and choose Edit Permissions. When the Edit Permissions dialog appears, click + Add Item. In the new row, set the fields as follows:

  • Entity: User.
  • Name: allUsers
  • Access: Reader Once finished, click Save. Only the image we selected can be viewed publicly.

Set the Uniform Permissions

Finally, we need to set to uniform permission for all of the images in our uniform-access bucket. To start, we need to return to the Cloud Storage Browser page. Here, to the right of the uniformed-access file, select the Action (3-dot) menu and choose Edit Bucket Permissions. Next, in the Permissions tab, select Edit. When the Edit Access Control dialog opens, choose the Uniform option, and then check the Add project ACLs to the bucket IAM policy checkbox. Select Save.

With our bucket edited, we need to select Add Member. In the New Members field, enter allUsers. In the Role field, choose Storage then Storage Object Viewer. Finally, click Save.

To make sure that everything is working correctly, open up our uniformed-access bucket. Here, in the Public Access column, we can see that each has Public next to them.


Upon completing this lab, we are now able to create a Cloud Storage bucket for our files, retrieve those working files, set the object-level permissions, and set the bucket-level permissions. Congratulations on completing the lab!