Use public access prevention
This page describes how to use the public access prevention bucket setting and the public access prevention organization policy constraint. Public access prevention lets you restrict public access to your buckets and objects.
Before you begin
Before using public access prevention in Cloud Storage, make sure you have the required IAM role and review the considerations for enforcing public access prevention.
Get required roles
To manage the public access prevention organization policy at the project,
folder, or organization level, ask your administrator to grant you the
Organization Policy Administrator (roles/orgpolicy.policyAdmin)
role on the organization. This predefined role contains the
permissions required to manage public access prevention at the project, folder,
or organization level. For information about the permissions that are included
in this role, refer to
details about the Organization Administrator role.
To manage the public access prevention setting on a bucket, ask your
administrator to grant you the Storage Admin (roles/storage.admin) role
on the bucket. This role contains the permissions required to manage public
access prevention on a bucket. To see the exact permissions that are required,
expand the Required permissions section:
Required permissions
- storage.buckets.update
- storage.buckets.setIamPolicy
For information about the other permissions that are included in the Storage Admin role, refer to details about the Storage Admin role.
Review considerations
Before you begin, it's recommended that you ensure no workflows break as a result of blocking public access. See Considerations when enforcing on existing resources for more details.
Use the bucket setting
This section shows how to enforce and remove public access prevention for individual buckets, as well as how to check the status of individual buckets.
Set public access prevention
To change the public access prevention setting for an individual bucket:
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
- In the list of buckets, click the name of the bucket for which you want to enforce or remove public access prevention.
- In the Bucket details page, click the Permissions tab.
- In the Public access card, click Prevent public access to enforce public access prevention, or click Allow public access to remove public access prevention.
- Click Confirm.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud storage buckets update command with the
appropriate flag:
gcloud storage buckets update gs://BUCKET_NAME FLAG
Where:
- BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
- FLAG is either --public-access-prevention to enable public access prevention or --no-public-access-prevention to disable it.
If successful, the response looks similar to the following example:
Updating gs://my-bucket/... Completed 1
Client libraries
For more information, see the reference documentation for the Cloud Storage API in your language: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
For each language, the first sample enforces public access prevention on a bucket and the second sample sets public access prevention to inherited for a bucket.
C++
The following sample enforces public access prevention on a bucket:
#include "google/cloud/storage/client.h"
#include <iostream>
#include <string>
#include <utility>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  gcs::BucketIamConfiguration configuration;
  configuration.public_access_prevention =
      gcs::PublicAccessPreventionEnforced();
  StatusOr<gcs::BucketMetadata> updated = client.PatchBucket(
      bucket_name, gcs::BucketMetadataPatchBuilder().SetIamConfiguration(
                       std::move(configuration)));
  if (!updated) throw std::move(updated).status();
  std::cout << "Public Access Prevention is set to 'enforced' for "
            << updated->name() << "\n";
}
The following sample sets public access prevention to inherited for a bucket:
#include "google/cloud/storage/client.h"
#include <iostream>
#include <string>
#include <utility>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  gcs::BucketIamConfiguration configuration;
  configuration.public_access_prevention =
      gcs::PublicAccessPreventionInherited();
  auto updated = client.PatchBucket(
      bucket_name, gcs::BucketMetadataPatchBuilder().SetIamConfiguration(
                       std::move(configuration)));
  if (!updated) throw std::move(updated).status();
  std::cout << "Public Access Prevention is set to 'inherited' for "
            << updated->name() << "\n";
}
C#
using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class SetPublicAccessPreventionEnforcedSample
{
    public Bucket SetPublicAccessPreventionEnforced(string bucketName = "your-unique-bucket-name")
    {
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName);
        // Set public access prevention to "enforced" for the bucket.
        bucket.IamConfiguration.PublicAccessPrevention = "enforced";
        bucket = storage.UpdateBucket(bucket);
        Console.WriteLine($"Public access prevention is 'enforced' for {bucketName}.");
        return bucket;
    }
}
The following sample sets public access prevention to inherited for a bucket:
using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class SetPublicAccessPreventionInheritedSample
{
    public Bucket SetPublicAccessPreventionInherited(string bucketName = "your-unique-bucket-name")
    {
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName);
        // Sets public access prevention to "inherited" for the bucket.
        bucket.IamConfiguration.PublicAccessPrevention = "inherited";
        bucket = storage.UpdateBucket(bucket);
        Console.WriteLine($"Public access prevention is 'inherited' for {bucketName}.");
        return bucket;
    }
}
Go
import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
)

// setPublicAccessPreventionEnforced sets public access prevention to
// "enforced" for the bucket.
func setPublicAccessPreventionEnforced(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	setPublicAccessPrevention := storage.BucketAttrsToUpdate{
		PublicAccessPrevention: storage.PublicAccessPreventionEnforced,
	}
	if _, err := bucket.Update(ctx, setPublicAccessPrevention); err != nil {
		return fmt.Errorf("Bucket(%q).Update: %w", bucketName, err)
	}
	fmt.Fprintf(w, "Public access prevention is 'enforced' for %v", bucketName)
	return nil
}
The following sample sets public access prevention to inherited for a bucket:
import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
)

// setPublicAccessPreventionInherited sets public access prevention to
// "inherited" for the bucket.
func setPublicAccessPreventionInherited(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	bucket := client.Bucket(bucketName)
	setPublicAccessPrevention := storage.BucketAttrsToUpdate{
		PublicAccessPrevention: storage.PublicAccessPreventionInherited,
	}
	if _, err := bucket.Update(ctx, setPublicAccessPrevention); err != nil {
		return fmt.Errorf("Bucket(%q).Update: %w", bucketName, err)
	}
	fmt.Fprintf(w, "Public access prevention is 'inherited' for %v", bucketName)
	return nil
}
Java
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.BucketInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class SetPublicAccessPreventionEnforced {
  public static void setPublicAccessPreventionEnforced(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Bucket bucket = storage.get(bucketName);

    // Enforces public access prevention for the bucket
    bucket.toBuilder()
        .setIamConfiguration(
            BucketInfo.IamConfiguration.newBuilder()
                .setPublicAccessPrevention(BucketInfo.PublicAccessPrevention.ENFORCED)
                .build())
        .build()
        .update();

    System.out.println("Public access prevention is set to enforced for " + bucketName);
  }
}
The following sample sets public access prevention to inherited for a bucket:
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.BucketInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class SetPublicAccessPreventionInherited {
  public static void setPublicAccessPreventionInherited(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Bucket bucket = storage.get(bucketName);

    // Sets public access prevention to 'inherited' for the bucket
    bucket.toBuilder()
        .setIamConfiguration(
            BucketInfo.IamConfiguration.newBuilder()
                .setPublicAccessPrevention(BucketInfo.PublicAccessPrevention.INHERITED)
                .build())
        .build()
        .update();

    System.out.println("Public access prevention is set to 'inherited' for " + bucketName);
  }
}
Node.js
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The name of your GCS bucket
// const bucketName = 'Name of a bucket, e.g. my-bucket';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Enforces public access prevention for the bucket
async function setPublicAccessPreventionEnforced() {
  await storage.bucket(bucketName).setMetadata({
    iamConfiguration: {
      publicAccessPrevention: 'enforced',
    },
  });
  console.log(
    `Public access prevention is set to enforced for ${bucketName}.`
  );
}

setPublicAccessPreventionEnforced();
The following sample sets public access prevention to inherited for a bucket:
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The name of your GCS bucket
// const bucketName = 'Name of a bucket, e.g. my-bucket';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function setPublicAccessPreventionInherited() {
  // Sets public access prevention to 'inherited' for the bucket
  await storage.bucket(bucketName).setMetadata({
    iamConfiguration: {
      publicAccessPrevention: 'inherited',
    },
  });
  console.log(`Public access prevention is 'inherited' for ${bucketName}.`);
}

setPublicAccessPreventionInherited();
PHP
use Google\Cloud\Storage\StorageClient;

/**
 * Set the bucket Public Access Prevention to enforced.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 */
function set_public_access_prevention_enforced(string $bucketName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $bucket->update([
        'iamConfiguration' => [
            'publicAccessPrevention' => 'enforced'
        ]
    ]);

    printf(
        'Public Access Prevention has been set to enforced for %s.' . PHP_EOL,
        $bucketName
    );
}
The following sample sets public access prevention to inherited for a bucket:
use Google\Cloud\Storage\StorageClient;

/**
 * Set the bucket Public Access Prevention to inherited.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 */
function set_public_access_prevention_inherited(string $bucketName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $bucket->update([
        'iamConfiguration' => [
            'publicAccessPrevention' => 'inherited'
        ]
    ]);

    printf(
        'Public Access Prevention has been set to inherited for %s.' . PHP_EOL,
        $bucketName
    );
}
Python
from google.cloud import storage
from google.cloud.storage.constants import PUBLIC_ACCESS_PREVENTION_ENFORCED


def set_public_access_prevention_enforced(bucket_name):
    """Enforce public access prevention for a bucket."""
    # The ID of your GCS bucket
    # bucket_name = "my-bucket"

    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)

    bucket.iam_configuration.public_access_prevention = (
        PUBLIC_ACCESS_PREVENTION_ENFORCED
    )
    bucket.patch()

    print(f"Public access prevention is set to enforced for {bucket.name}.")
The following sample sets public access prevention to inherited for a bucket:
from google.cloud import storage
from google.cloud.storage.constants import PUBLIC_ACCESS_PREVENTION_INHERITED


def set_public_access_prevention_inherited(bucket_name):
    """Sets the public access prevention status to inherited, so that the bucket inherits its setting from its parent project."""
    # The ID of your GCS bucket
    # bucket_name = "my-bucket"

    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)

    bucket.iam_configuration.public_access_prevention = (
        PUBLIC_ACCESS_PREVENTION_INHERITED
    )
    bucket.patch()

    print(f"Public access prevention is 'inherited' for {bucket.name}.")
Ruby
def set_public_access_prevention_enforced bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  bucket.public_access_prevention = :enforced

  puts "Public access prevention is set to enforced for #{bucket_name}."
end
The following sample sets public access prevention to inherited for a bucket:
def set_public_access_prevention_inherited bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  bucket.public_access_prevention = :inherited

  puts "Public access prevention is 'inherited' for #{bucket_name}."
end
REST APIs
JSON API
- Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
- Create a JSON file that contains the following information:
{
  "iamConfiguration": {
    "publicAccessPrevention": "STATE"
  }
}
Where STATE is either enforced or inherited.
- Use cURL to call the JSON API with a PATCH Bucket request that includes the desired fields:
curl -X PATCH --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where:
- JSON_FILE_NAME is the path for the JSON file that you created in the previous step.
- BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
XML API
The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
View public access prevention status
To view the public access prevention status for an individual bucket:
Console
- In the Google Cloud console, go to the Cloud Storage Buckets page.
- Click the name of the bucket for which you want to view the public access prevention status.
- Click the Permissions tab.
- The Public access card shows the status for your bucket.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud storage buckets describe command with the
--format flag:
gcloud storage buckets describe gs://BUCKET_NAME --format="default(public_access_prevention)"
Where BUCKET_NAME is the name of the bucket
whose status you want to view. For example, my-bucket.
If successful, the response looks similar to the following example:
public_access_prevention: inherited
Client libraries
For more information, see the reference documentation for the Cloud Storage API in your language: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
C++
#include "google/cloud/storage/client.h"
#include <iostream>
#include <string>
#include <utility>

namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string const& bucket_name) {
  StatusOr<gcs::BucketMetadata> bucket_metadata =
      client.GetBucketMetadata(bucket_name);
  if (!bucket_metadata) throw std::move(bucket_metadata).status();

  if (bucket_metadata->has_iam_configuration() &&
      bucket_metadata->iam_configuration()
          .public_access_prevention.has_value()) {
    std::cout
        << "Public Access Prevention is "
        << *bucket_metadata->iam_configuration().public_access_prevention
        << " for bucket " << bucket_metadata->name() << "\n";
  } else {
    std::cout << "Public Access Prevention is not set for "
              << bucket_metadata->name() << "\n";
  }
}
C#
using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class GetPublicAccessPreventionSample
{
    public string GetPublicAccessPrevention(string bucketName = "your-unique-bucket-name")
    {
        // Gets Bucket Metadata and prints publicAccessPrevention value (either "unspecified" or "enforced").
        var storage = StorageClient.Create();
        var bucket = storage.GetBucket(bucketName);
        var publicAccessPrevention = bucket.IamConfiguration.PublicAccessPrevention;
        Console.WriteLine($"Public access prevention is {publicAccessPrevention} for {bucketName}.");
        return publicAccessPrevention;
    }
}
Go
import (
	"context"
	"fmt"
	"io"
	"time"

	"cloud.google.com/go/storage"
)

// getPublicAccessPrevention gets the current public access prevention setting
// for the bucket, either "enforced" or "inherited".
func getPublicAccessPrevention(w io.Writer, bucketName string) error {
	// bucketName := "bucket-name"
	ctx := context.Background()
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()

	attrs, err := client.Bucket(bucketName).Attrs(ctx)
	if err != nil {
		return fmt.Errorf("Bucket(%q).Attrs: %w", bucketName, err)
	}
	fmt.Fprintf(w, "Public access prevention is %s for %v", attrs.PublicAccessPrevention, bucketName)
	return nil
}
Java
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.BucketInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

public class GetPublicAccessPrevention {
  public static void getPublicAccessPrevention(String projectId, String bucketName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    Bucket bucket = storage.get(bucketName);

    // Gets Bucket Metadata and prints publicAccessPrevention value (either 'inherited' or
    // 'enforced').
    BucketInfo.PublicAccessPrevention publicAccessPrevention =
        bucket.getIamConfiguration().getPublicAccessPrevention();

    System.out.println(
        "Public access prevention is set to "
            + publicAccessPrevention.getValue()
            + " for "
            + bucketName);
  }
}
Node.js
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The name of your GCS bucket
// const bucketName = 'Name of a bucket, e.g. my-bucket';

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

async function getPublicAccessPrevention() {
  // Gets Bucket Metadata and prints publicAccessPrevention value (either 'inherited' or 'enforced').
  const [metadata] = await storage.bucket(bucketName).getMetadata();
  console.log(
    `Public access prevention is ${metadata.iamConfiguration.publicAccessPrevention} for ${bucketName}.`
  );
}

getPublicAccessPrevention();
PHP
use Google\Cloud\Storage\StorageClient;

/**
 * Get the Public Access Prevention setting for a bucket
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 */
function get_public_access_prevention(string $bucketName): void
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $iamConfiguration = $bucket->info()['iamConfiguration'];

    printf(
        'The bucket public access prevention is %s for %s.' . PHP_EOL,
        $iamConfiguration['publicAccessPrevention'],
        $bucketName
    );
}
Python
from google.cloud import storage


def get_public_access_prevention(bucket_name):
    """Gets the public access prevention setting (either 'inherited' or 'enforced') for a bucket."""
    # The ID of your GCS bucket
    # bucket_name = "my-bucket"

    storage_client = storage.Client()
    bucket = storage_client.get_bucket(bucket_name)
    iam_configuration = bucket.iam_configuration

    print(
        f"Public access prevention is {iam_configuration.public_access_prevention} for {bucket.name}."
    )
Ruby
def get_public_access_prevention bucket_name:
  # The ID of your GCS bucket
  # bucket_name = "your-unique-bucket-name"

  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  bucket = storage.bucket bucket_name

  puts "Public access prevention is '#{bucket.public_access_prevention}' for #{bucket_name}."
end
REST APIs
JSON API
- Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
- Use cURL to call the JSON API with a GET Bucket request that includes the desired fields:
curl -X GET -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=iamConfiguration"
Where BUCKET_NAME is the name of the relevant bucket. For example, my-bucket.
The response looks like the following example:
{
  "iamConfiguration": {
    ...
    "publicAccessPrevention": "FLAG"
  }
}
Where FLAG is either inherited or enforced.
XML API
The XML API cannot be used to manage public access prevention. Use one of the other Cloud Storage tools, such as the Google Cloud console, instead.
Use the organization policy
This section shows how to enforce and remove the public access prevention organization policy, as well as how to check the status of the policy.
Set public access prevention
To set public access prevention at the project, folder, or organization level:
Console
Follow the instructions at Creating and managing organization policies
using the storage.publicAccessPrevention constraint.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the gcloud beta resource-manager org-policies command:
gcloud beta resource-manager org-policies STATE \
  constraints/storage.publicAccessPrevention \
  --RESOURCE RESOURCE_ID
Where:
- STATE can have the following values:
  - enable-enforce: Enforce public access prevention for the resource.
  - disable-enforce: Disable public access prevention for the resource.
  - delete: Remove the organization policy constraint from the resource, so that the resource inherits the value of its parent resource.
- RESOURCE is the resource for which you want to set public access prevention. For example, organization, project, or folder.
- RESOURCE_ID is the ID for the resource. For example, 123456789012 for an organization ID, 245321 for a folder ID, or my-pet-project for a project ID.
See Using constraints for more instructions.
The following is an example of the output when you use disable-enforce:
etag: BwVJi0OOESU=
booleanPolicy: {}
constraint: constraints/storage.publicAccessPrevention
View public access prevention status
To view the public access prevention status at the project, folder, or organization level:
Console
Follow the instructions at Creating and managing organization policies
using the storage.publicAccessPrevention constraint.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the describe --effective command:
gcloud beta resource-manager org-policies describe \
  constraints/storage.publicAccessPrevention --effective \
  --RESOURCE RESOURCE_ID
Where:
- RESOURCE is the resource for which you want to view the public access prevention status. For example, organization, project, or folder.
- RESOURCE_ID is the ID for the resource. For example, 123456789012 for an organization ID, 245321 for a folder ID, and my-pet-project for a project ID.
See Using constraints for more instructions.
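An added audit example (my code, not from the Cloud Storage documentation): it combines the bucket-level setting from the JSON API response with the effective organization policy from describe --effective to report which buckets are actually protected, since a bucket set to inherited is only protected when the parent's effective policy enforces the constraint. The bucket names, the enforced form of the describe output (enforced: true under booleanPolicy) and the handling of the older value unspecified are assumptions.

```python
"""Audit helper: is a bucket effectively protected by public access prevention?

A bucket whose own setting is 'enforced' is protected on its own. A bucket set
to 'inherited' is protected only if the effective storage.publicAccessPrevention
organization policy on its parent is enforced. All inputs are constructed
samples shaped like the outputs shown on this page.
"""
import json
import re

# Constructed: what GET .../b/BUCKET_NAME?fields=iamConfiguration returns for
# three buckets, trimmed to the field this page is about.
BUCKET_RESPONSES = {
    "prod-backups": '{"iamConfiguration": {"publicAccessPrevention": "enforced"}}',
    "www-assets": '{"iamConfiguration": {"publicAccessPrevention": "inherited"}}',
    "legacy-logs": '{"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true}}}',
}

# Constructed: output of
#   gcloud beta resource-manager org-policies describe \
#     constraints/storage.publicAccessPrevention --effective --project PROJECT_ID
# The page shows `booleanPolicy: {}` after disable-enforce; the enforced form
# with `enforced: true` under booleanPolicy is an assumption about the format.
ORG_POLICY_DISABLED = """etag: BwVJi0OOESU=
booleanPolicy: {}
constraint: constraints/storage.publicAccessPrevention
"""
ORG_POLICY_ENFORCED = """etag: BwVJi0OOESV=
booleanPolicy:
  enforced: true
constraint: constraints/storage.publicAccessPrevention
"""


def bucket_setting(bucket_json: str) -> str:
    """Return 'enforced' or 'inherited' from a JSON API bucket resource.

    A missing field, or the older value 'unspecified' (assumed to be the
    previous name of 'inherited'), is treated as 'inherited'.
    """
    iam = json.loads(bucket_json).get("iamConfiguration", {})
    value = iam.get("publicAccessPrevention", "inherited")
    return "inherited" if value == "unspecified" else value


def org_policy_enforced(describe_output: str) -> bool:
    """True when the effective org policy carries booleanPolicy.enforced == true."""
    has_policy = re.search(r"^booleanPolicy:", describe_output, re.M) is not None
    return has_policy and re.search(r"\benforced:\s*true\b", describe_output) is not None


def is_protected(setting: str, org_enforced: bool) -> bool:
    """Effective protection for one bucket given its setting and the parent policy."""
    if setting == "enforced":
        return True
    return org_enforced  # 'inherited': the parent's effective policy decides


def audit(bucket_responses: dict, describe_output: str) -> dict:
    """Map bucket name -> {'setting', 'protected'} for one project's buckets."""
    org_enforced = org_policy_enforced(describe_output)
    report = {}
    for name, body in bucket_responses.items():
        setting = bucket_setting(body)
        report[name] = {"setting": setting,
                        "protected": is_protected(setting, org_enforced)}
    return report


def unprotected(bucket_responses: dict, describe_output: str) -> list:
    """Sorted names of buckets that a public IAM grant could still expose."""
    report = audit(bucket_responses, describe_output)
    return sorted(name for name, r in report.items() if not r["protected"])


if __name__ == "__main__":
    for label, policy in (("disable-enforce", ORG_POLICY_DISABLED),
                          ("enable-enforce", ORG_POLICY_ENFORCED)):
        print(f"org policy {label}: unprotected = {unprotected(BUCKET_RESPONSES, policy)}")
```

Feed it the real per-bucket GET responses and the describe --effective output for the project that owns them; buckets listed as unprotected are the ones where a later allUsers or allAuthenticatedUsers grant would succeed.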