Public Access to Storage Buckets

Regardless of the ACL settings (and also when uniform bucket-level access is enabled), blocking public access on a bucket (the public access prevention setting) disallows content from being READ anonymously from the bucket. This means that no public website hosting is possible with this setting.

This is also something that can be enforced at the individual bucket level, at the project level (all buckets within the project) or even at the organization level (using an Organization Policy).
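As an added example (not part of the original page), the following offline check reads the two JSON documents a practitioner already exports for a bucket, the bucket resource from gcloud storage buckets describe --format=json and the IAM policy from gcloud storage buckets get-iam-policy --format=json, and reports where public access is still possible: public access prevention not enforced, IAM bindings to allUsers or allAuthenticatedUsers, and (when uniform bucket-level access is off) legacy bucket and default-object ACL entries for those principals. The sample bucket documents, bucket names, project number and service-account address below are constructed for the example.

```python
"""Offline audit of a Cloud Storage bucket's public exposure.

Input shape matches the JSON returned by
  gcloud storage buckets describe gs://BUCKET --format=json
  gcloud storage buckets get-iam-policy gs://BUCKET --format=json
The sample documents at the bottom are constructed for this example.
"""
from typing import Any

# Special principals that make a grant public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Legacy ACL roles that permit uploads into a bucket.
WRITE_ROLES = {"WRITER", "OWNER"}


def audit_bucket(metadata: dict[str, Any], iam_policy: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means no public exposure found."""
    findings: list[str] = []
    iam_cfg = metadata.get("iamConfiguration", {})

    # 1. Public access prevention: only "enforced" blocks public reads at the
    #    bucket itself; "inherited" depends on the org policy of the parent.
    pap = iam_cfg.get("publicAccessPrevention", "inherited")
    if pap != "enforced":
        findings.append(
            f"public access prevention is '{pap}': public reads are possible "
            "unless an org policy enforces it"
        )

    # 2. IAM bindings to the public principals apply regardless of ACLs.
    for binding in iam_policy.get("bindings", []):
        for principal in sorted(PUBLIC_PRINCIPALS.intersection(binding.get("members", []))):
            findings.append(f"IAM binding grants {binding['role']} to {principal}")

    # 3. Legacy ACLs only matter when uniform bucket-level access is disabled.
    ubla_enabled = iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False)
    if not ubla_enabled:
        for entry in metadata.get("acl", []):
            if entry.get("entity") in PUBLIC_PRINCIPALS:
                note = ": anonymous uploads possible" if entry.get("role") in WRITE_ROLES else ""
                findings.append(f"bucket ACL grants {entry.get('role')} to {entry['entity']}{note}")
        for entry in metadata.get("defaultObjectAcl", []):
            if entry.get("entity") in PUBLIC_PRINCIPALS:
                findings.append(
                    f"default object ACL grants {entry.get('role')} to {entry['entity']}: "
                    "newly uploaded objects are public by default"
                )
    return findings


# Constructed sample: a misconfigured bucket with every exposure path present.
EXPOSED_BUCKET = {
    "name": "example-public-site",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False},
        "publicAccessPrevention": "inherited",
    },
    "acl": [
        {"entity": "project-owners-123456", "role": "OWNER"},
        {"entity": "allUsers", "role": "WRITER"},
    ],
    "defaultObjectAcl": [{"entity": "allUsers", "role": "READER"}],
}
EXPOSED_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    ]
}

# Constructed sample: the hardened equivalent.
HARDENED_BUCKET = {
    "name": "example-private",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "enforced",
    },
}
HARDENED_POLICY = {
    "bindings": [
        {
            "role": "roles/storage.objectViewer",
            "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"],
        }
    ]
}

if __name__ == "__main__":
    for name, meta, policy in (
        ("exposed", EXPOSED_BUCKET, EXPOSED_POLICY),
        ("hardened", HARDENED_BUCKET, HARDENED_POLICY),
    ):
        print(f"{name}: {audit_bucket(meta, policy) or ['no public exposure found']}")
```

The check is deliberately conservative: with uniform bucket-level access enabled it ignores the legacy ACL fields entirely, because they no longer take effect, and it treats "inherited" public access prevention as a finding, since whether it actually blocks anything depends on the org policy, which this script cannot see.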

Default bucket ACLs

All buckets are owned by the project owners group. Additionally, project owners are granted OWNER permission for any buckets inside their project that use a predefined ACL.

If you create a bucket with the default bucket ACL—that is, you do not specify a predefined ACL when you create the bucket—your bucket has the predefined projectPrivate ACL applied to it.

By default, anyone who has OWNER permission or WRITER permission on a bucket can upload objects into that bucket. When you upload an object, you can provide a predefined ACL or not specify an ACL at all. If you don't specify an ACL, Cloud Storage applies the bucket's default object ACL to the object. Every bucket has a default object ACL, and this ACL is applied to all objects uploaded to that bucket without a predefined ACL or an ACL specified in the request (JSON API only). The initial value for the default object ACL of every bucket is projectPrivate.

Based on how objects are uploaded, object ACLs are applied accordingly:

  • Authenticated uploads: If you make an authenticated request to upload an object and do not specify any object ACLs when you upload it, then you are listed as the owner of the object and the predefined projectPrivate ACL is applied to the object by default. This means:
    • You (the person who uploaded the object) are listed as the object owner. Object ownership cannot be changed by modifying ACLs. You can change object ownership only by replacing an object.
    • You (the object owner) are granted OWNER permission on the object. If you attempt to give less than OWNER permission to the owner, Cloud Storage automatically escalates the permission to OWNER.
    • The project owners and project editors group have OWNER permission on the object.
    • The project team members group has READER permission on the object.
  • Anonymous uploads: If an unauthenticated (anonymous) user uploads an object, which is possible if a bucket grants the allUsers group WRITER or OWNER permission, then the default bucket ACLs are applied to the object as described above.

    Anonymous users cannot specify a predefined ACL during object upload.
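The upload rules above are easy to misread, so here is an added model of them (example code, not Cloud Storage's implementation) that computes the ACL an object ends up with from who uploaded it, whether an ACL was requested, and the bucket's default object ACL. It reproduces the three behaviours the text describes: an authenticated upload with no ACL gets projectPrivate with the uploader as owner, an anonymous upload gets the bucket's default object ACL and may not request one, and an owner granted less than OWNER is escalated. The entity names follow the legacy ACL syntax (user-, project-owners-, project-editors-, project-viewers-); mapping the text's "project team members" group to project-viewers, and always keeping the owner in the list, are assumptions of this example, as are the sample addresses and project number.

```python
"""Model of the object-ACL outcome of an upload, per the rules described above.

Constructed for this example; not Cloud Storage's own code.
"""
from typing import Optional

AclEntry = dict[str, str]


def project_private(owner: str, project_number: str) -> list[AclEntry]:
    """The predefined projectPrivate ACL as legacy ACL entries.

    Assumption: the text's "project team members" group is the
    project-viewers entity of the legacy ACL syntax.
    """
    return [
        {"entity": f"user-{owner}", "role": "OWNER"},
        {"entity": f"project-owners-{project_number}", "role": "OWNER"},
        {"entity": f"project-editors-{project_number}", "role": "OWNER"},
        {"entity": f"project-viewers-{project_number}", "role": "READER"},
    ]


def effective_object_acl(
    uploader: Optional[str],
    project_number: str,
    requested_acl: Optional[list[AclEntry]] = None,
    default_object_acl: tuple[AclEntry, ...] = (),
) -> list[AclEntry]:
    """Return the ACL applied to the uploaded object.

    uploader is None for an anonymous upload (only possible when the bucket
    grants allUsers WRITER or OWNER).
    """
    if uploader is None:
        # Anonymous uploaders cannot specify an ACL; the bucket's default
        # object ACL is applied unchanged.
        if requested_acl is not None:
            raise PermissionError("anonymous uploads cannot specify an ACL")
        return [dict(entry) for entry in default_object_acl]

    # Authenticated upload: use the requested ACL, else projectPrivate.
    if requested_acl is None:
        acl = project_private(uploader, project_number)
    else:
        acl = [dict(entry) for entry in requested_acl]

    # The uploader is the object owner and always holds OWNER; any lesser
    # grant to the owner is escalated. Assumption: an owner missing from the
    # requested ACL is added rather than silently dropped.
    owner_entity = f"user-{uploader}"
    for entry in acl:
        if entry["entity"] == owner_entity and entry["role"] != "OWNER":
            entry["role"] = "OWNER"
    if not any(entry["entity"] == owner_entity for entry in acl):
        acl.append({"entity": owner_entity, "role": "OWNER"})
    return acl


# Constructed sample: a bucket whose default object ACL makes objects public.
PUBLIC_DEFAULT_ACL = (
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
)

if __name__ == "__main__":
    print(effective_object_acl("alice@example.com", "123456"))
    print(effective_object_acl(None, "123456", default_object_acl=PUBLIC_DEFAULT_ACL))
```

The second print shows why the default object ACL matters for the anonymous-write case: when allUsers holds WRITER on the bucket and the default object ACL grants allUsers READER, anything an anonymous party uploads is immediately readable by everyone, with no ACL choice available to the uploader.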

What if I want to still block / restrict access to this bucket at a network level?

VPC Service Controls let you define a service perimeter around the bucket, so that only resources inside the perimeter (or reachable through an authorized perimeter bridge) can access it. See the VPC Service Controls documentation for details.

Summary

A Cloud Storage bucket has several access control mechanisms, including IAM, ACLs, public access prevention and VPC Service Controls.