Reputation: 1826
How to disable google cloud storage bucket list from acl control?
We're using google cloud storage as our CDN.
However, any visitors can list all files by typing: http://ourcdn.storage.googleapis.com/
How to disable it while all the files under the bucket is still public readable by default?
We previously set the acl using
gsutil defacl ch -g AllUsers:READ
Upvotes: 17
Views: 12134
Answers (5)
Reputation:
If you're using the bucket for a static website (or not), you can tell (using gsutil) GCP Cloud Storage what file to use as the "index" file, so that the XML file listing all the contents isn't shown, and instead your index.html file. See https://cloud.google.com/storage/docs/gsutil/commands/web
Upvotes: 0
Reputation: 38389
Your defacl looks good. The problem is most likely that for some reason AllUsers must also have READ, WRITE, or FULL_CONTROL on the bucket itself. You can clear those with a command like this:
gsutil acl ch -d AllUsers gs://bucketname
Upvotes: 4
Reputation: 696
In GCP dashboard:
- get in your bucket
- click "Permissions" tab and get in.
- in member list find "allUsers", change role from Storage Object Viewer to Storage Legacy Object Reader
then, listing should be disabled.
Update:
as @Devy comment, just check the note below here
Note: roles/storage.objectViewer includes permission to list the objects in the bucket. If you don't want to grant listing publicly, use roles/storage.legacyObjectReader.
Upvotes: 62
Reputation: 2315
Upload an empty index.html file in the root of your bucket. Open the bucket settings and click Edit website configuration - set index.html as the Main Page.
It will prevent the listing of the directory.
Upvotes: 7
Reputation: 5509
Your command set the default object ACL on the bucket to READ, which means that objects will be accessible by anyone. To prevent users from listing the objects, you need to make sure users don't have an ACL on the bucket itself.
gsutil acl ch -d AllUsers gs://yourbucket
should accomplish this. You may need to run a similar command for AllAuthenticatedUsers; just take a look at the bucket ACL with
gsutil acl get gs://yourbucket
and it should be clear.
Upvotes: 2
Related Questions
- How to set access permissions of google cloud storage bucket folder
- Prevent gcloud public bucket from listing all objects
- Prevent Storage Buckets from going public
- How do I limit access to a bucket in GCS?
- GCS: change object-level permission control to bucket-level
- Google Cloud Storage: With "Bucket Policy Only", how do I make objects public but prevent listing?
- Google Cloud Storage ACL not working for bucket
- Google Cloud Storage Client Library - set acl to both "public-read" and "bucket-owner-full-control"
- Google Cloud Storage - Set Acl for Google Compute Engine
- Change ACL on all objects in bucket with api