How to Make a Bucket Public in Google Cloud Storage
To make a bucket public in GCP, you grant the
allUsers group the roles/storage.objectViewer role on the bucket. This can be done using the gsutil iam ch command or via the Google Cloud Console by adding a member with public access.Syntax
Use the gsutil iam ch command to change bucket permissions. The syntax is:
gsutil iam ch allUsers:roles/storage.objectViewer gs://[BUCKET_NAME]
This command adds the permission for anyone on the internet to view objects in the bucket.
bash
gsutil iam ch allUsers:roles/storage.objectViewer gs://[BUCKET_NAME]Example
This example makes the bucket named my-public-bucket public so anyone can read its objects.
bash
gsutil iam ch allUsers:roles/storage.objectViewer gs://my-public-bucketOutput
Updated IAM policy for gs://my-public-bucket
Common Pitfalls
- Not specifying
allUserswill not make the bucket public. - Granting
roles/storage.adminor write permissions publicly is unsafe. - Forgetting to replace
[BUCKET_NAME]with your actual bucket name causes errors. - Public access only applies to objects, not bucket metadata.
bash
gsutil iam ch allUsers:roles/storage.admin gs://my-public-bucket # Unsafe # Correct way: gsutil iam ch allUsers:roles/storage.objectViewer gs://my-public-bucket
Quick Reference
Summary tips for making a GCP bucket public:
- Use
allUsers:roles/storage.objectViewerto allow public read access. - Use
gsutil iam chcommand or Google Cloud Console IAM settings. - Never grant write or admin roles publicly.
- Verify public access by opening an object URL in a browser.
Key Takeaways
Grant the allUsers group the storage.objectViewer role to make a bucket public.
Use gsutil iam ch command or Cloud Console IAM to set permissions.
Never grant public write or admin permissions to avoid security risks.
Replace [BUCKET_NAME] with your actual bucket name in commands.
Test public access by accessing an object URL in a browser.