aakash singh

Reputation: 305

Is there any way in Google Cloud Storage where the bucket is not public but its objects are public?

I am using the Go storage client and also passing the ACL rule.

// ACL rules set on the Writer are applied to the object when the upload completes (on Close).
cloudObj := StorageClient.Bucket(BucketName).Object(fileName).NewWriter(ctx)
cloudObj.ACL = append(cloudObj.ACL, storage.ACLRule{Entity: storage.AllUsers, Role: storage.RoleReader})

Here my bucket is private, but after uploading the file, when I try to open the file link it says AccessDenied. Not sure what I am doing wrong.

Upvotes: 0

Views: 1833

Answers (2)

Maxime

Reputation: 131

What worked for me:

  • Remove public access prevention on your bucket - GCP doc

Then:

  • if you want to grant access to one file within your bucket:
    • in the same page where you removed public access prevention, "Switch to fine-grained" for Access Controls
    • edit access to your file (like you did)
  • if you want to grant access to all files within your bucket: grant "Storage Legacy Object Viewer" to "allUsers" (watch out: if you use "Storage Object Viewer" your bucket will become public)

Note that the public URL is different from the authenticated URL:

Trying to open the second one from an incognito browser will fail (unless you've made your bucket public).

Upvotes: 0

Priyashree Bhadra

Reputation: 3607

Yes, it is possible to have your objects public with a private bucket. You can easily do that by using either Signed URLs or Signed Policy Documents for the specific requirements that I see you need (giving your users the ability to perform an operation, either viewing a file or uploading a file with public access, without compromising your bucket security).

Also, you will not be able to access an object publicly even though the ACL has been set:

  • If the bucket in which your object is stored is subject to public access prevention.
  • If your bucket uses uniform bucket-level access. This uniform bucket-level access policy has two consequences:
    • It cancels the use of ACLs at both bucket and object level, so new ACLs cannot be created and previously created ACLs on your objects, if any, are revoked.
    • It requires IAM permissions for all operations relating to buckets, such as viewing, listing and creating objects. Therefore the only way to grant access is through IAM.

You can check if your bucket has uniform bucket-level access using:

gsutil uniformbucketlevelaccess get gs://BUCKET_NAME

where BUCKET_NAME is the name of the relevant bucket.

If uniform bucket-level access is enabled, the response looks like:

Uniform bucket-level access setting for gs://my-bucket/:
  Enabled: True
  LockedTime: LOCK_DATE

So, in order to meet your requirement, you have to set fine-grained permissions on your bucket; that way you can use IAM and Access Control Lists (ACLs) together to manage permissions. You can specify access and apply permissions at both the bucket level and per individual object.

This is the way to set the ACLs for your object to public (individually or all at once) in spite of having your bucket private.

Have a look at this Go code example and this gsutil command, gsutil acl ch -u AllUsers:R gs://BUCKET_NAME/OBJECT_NAME, if you are making individual objects publicly readable in your bucket.

Have a look at this Go code example and this gsutil command, gsutil iam ch allUsers:objectViewer gs://BUCKET_NAME, if you are making all objects publicly readable in your bucket.

Upvotes: 1
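The two answers above make three separate points: an object ACL only takes effect when the bucket has neither public access prevention nor uniform bucket-level access, the public URL (storage.googleapis.com) differs from the authenticated console URL (storage.cloud.google.com), and the only honest test is an anonymous fetch. The following Go program is an added example that is not part of the question or either answer. It uses only the standard library so it runs offline: BucketPolicy is a constructed stand-in for the storage.BucketAttrs fields the answer names (in real code you would read them from client.Bucket(name).Attrs(ctx)), the AccessDenied XML body is written by hand in the shape of the GCS error response rather than captured from a live bucket, and the object name, bucket name and httptest server are assumptions for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// BucketPolicy: constructed stand-in for storage.BucketAttrs UniformBucketLevelAccess.Enabled and PublicAccessPrevention.
type BucketPolicy struct {
	UniformBucketLevelAccess       bool
	PublicAccessPreventionEnforced bool
}

// ObjectACLBlockers returns why an allUsers:READER object ACL cannot take effect
// on a bucket with this policy; an empty result means fine-grained ACLs work.
func ObjectACLBlockers(p BucketPolicy) []string {
	var reasons []string
	if p.PublicAccessPreventionEnforced {
		reasons = append(reasons, "public access prevention is enforced: grants to allUsers are rejected")
	}
	if p.UniformBucketLevelAccess {
		reasons = append(reasons, "uniform bucket-level access is enabled: object ACLs are disabled, only IAM applies")
	}
	return reasons
}

// escapeObject percent-encodes each segment of an object name but keeps '/'.
func escapeObject(object string) string {
	parts := strings.Split(object, "/")
	for i, p := range parts {
		parts[i] = url.PathEscape(p)
	}
	return strings.Join(parts, "/")
}

// ObjectURLs returns the anonymous URL that an allUsers ACL makes readable and
// the console URL that always requires a Google login (hence fails in incognito).
func ObjectURLs(bucket, object string) (public, authenticated string) {
	path := url.PathEscape(bucket) + "/" + escapeObject(object)
	return "https://storage.googleapis.com/" + path, "https://storage.cloud.google.com/" + path
}

// gcsError mirrors the XML error body GCS returns on the anonymous endpoint.
type gcsError struct {
	Code string `xml:"Code"`
}

// ProbeAnonymousRead fetches rawURL with no credentials, exactly what an incognito
// browser does: 200 means publicly readable, otherwise the GCS error Code is returned.
func ProbeAnonymousRead(client *http.Client, rawURL string) (int, string, error) {
	resp, err := client.Get(rawURL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK {
		return resp.StatusCode, "", nil
	}
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	var e gcsError
	_ = xml.Unmarshal(body, &e) // a non-XML body just leaves Code empty
	return resp.StatusCode, e.Code, nil
}

// constructedDenial is written by hand in the shape of a GCS AccessDenied
// response for this example; it was not captured from a live bucket.
const constructedDenial = `<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to the object.</Details></Error>`

// NewDenyingServer answers every request with constructedDenial so the probe
// can be exercised offline; the caller must Close() it.
func NewDenyingServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/xml; charset=UTF-8")
		w.WriteHeader(http.StatusForbidden)
		io.WriteString(w, constructedDenial)
	}))
}

func main() {
	// First decide whether an object ACL can work at all on this bucket.
	for _, r := range ObjectACLBlockers(BucketPolicy{UniformBucketLevelAccess: true}) {
		fmt.Println("object ACL will not work:", r)
	}
	pub, auth := ObjectURLs("my-bucket", "reports/2023 q1.pdf")
	fmt.Println("public URL:", pub, "\nauthenticated URL:", auth)
	// Then verify the way the asker did: an anonymous GET of the public URL.
	srv := NewDenyingServer()
	defer srv.Close()
	status, code, err := ProbeAnonymousRead(srv.Client(), srv.URL+"/my-bucket/reports/2023%20q1.pdf")
	if err != nil {
		panic(err)
	}
	fmt.Printf("anonymous GET -> %d %s\n", status, code)
}
```

Against a real bucket, point ProbeAnonymousRead at the public URL with http.DefaultClient: a 200 confirms the object ACL took effect, while a 403 with Code AccessDenied is the symptom from the question and should send you back to ObjectACLBlockers to check public access prevention and uniform bucket-level access before touching the ACL again.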
