Reputation: 2824
I'm trying to make a bucket with Read/Write permissions for bucket/objects for particular users and Read permissions for objects only for AllUsers.
I've:
<Entry>
  <Scope type="AllUsers"/>
  <Permission>READ</Permission>
</Entry>
via: gsutil setdefacl <f> gs://bucket
Now I'm trying to access this from a browser with the URL http[s]://storage.cloud.google.com/bucket/test.png
but it takes me to the Google account sign-in page. When I sign in with another Google account (not the one I used to create the project/bucket/object), which has no explicit rights set, it shows the pic.
gsutil getacl
on the new object shows that READ permission is in place for AllUsers, but it works like AllAuthenticatedUsers.
Any ideas on what to do with permissions to work as expected?
Upvotes: 2
Views: 2009
Reputation: 12145
When you say you added that Entry to the default ACL, you mean you added it as an element within AccessControlList.Entries, correct? It's somewhat difficult to know what happened without seeing the full ACL text.
But also, since you're making objects publicly readable (READ permission granted for scope AllUsers), you don't need additional scopes in the bucket's default object ACL; you could simply do:
gsutil setdefacl public-read gs://bucket
and then upload objects to the bucket.
I realize you want to grant read/write permission for particular users, but write permission is controlled by the bucket ACL, not the object ACL (and thus also not by the default object ACL on the bucket).
Please try the above and let us know if you're still unable to access objects via a browser without first authenticating.
Mike Schwartz, Google Cloud Storage team
Upvotes: 1
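
An added example, not part of either post above: a check over the legacy XML ACL text that gsutil getacl prints, confirming that the AllUsers entry sits inside AccessControlList/Entries (the point the answer asks about) and reporting whether reads are open to anonymous users or only to signed-in accounts. The sample ACL, owner ID and e-mail address are constructed, and audit_acl is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the legacy XML ACL layout (as printed by `gsutil getacl`);
# the owner ID and e-mail address are placeholders, not values from the thread.
SAMPLE_ACL = """\
<AccessControlList>
  <Owner><ID>OWNER_ID_PLACEHOLDER</ID></Owner>
  <Entries>
    <Entry>
      <Scope type="UserByEmail"><EmailAddress>user@example.com</EmailAddress></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="AllUsers"/>
      <Permission>
        READ
      </Permission>
    </Entry>
  </Entries>
</AccessControlList>
"""

PUBLIC_SCOPES = ("AllUsers", "AllAuthenticatedUsers")

def audit_acl(xml_text):
    """Return {'grants': [(scope_type, permission)], 'misplaced': n, 'read_access': str}."""
    root = ET.fromstring(xml_text)
    if root.tag != "AccessControlList":
        raise ValueError("root element must be AccessControlList, got %r" % root.tag)
    entries = root.findall("./Entries/Entry")
    # Count Entry elements that are not direct children of Entries so they can be flagged.
    misplaced = len(root.findall(".//Entry")) - len(entries)
    grants = []
    for entry in entries:
        scope = entry.find("Scope")
        # Tolerate whitespace and newlines around the permission keyword.
        perm = (entry.findtext("Permission") or "").strip().upper()
        if scope is None or not perm:
            raise ValueError("Entry needs both a Scope and a Permission")
        grants.append((scope.get("type"), perm))
    # FULL_CONTROL includes READ, so either permission makes the scope a reader.
    readers = {s for s, p in grants if s in PUBLIC_SCOPES and p in ("READ", "FULL_CONTROL")}
    if "AllUsers" in readers:
        access = "anonymous"
    elif "AllAuthenticatedUsers" in readers:
        access = "any-signed-in-account"
    else:
        access = "named-grantees-only"
    return {"grants": grants, "misplaced": misplaced, "read_access": access}
```

A non-zero misplaced count means an Entry was pasted outside the Entries element and should be moved before the ACL is applied.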