0
0
GcpHow-ToBeginner · 3 min read

How to Set Bucket Permissions in GCP: Simple Guide

To set bucket permissions in GCP, use IAM roles to grant users or service accounts access to your Cloud Storage bucket. You can do this via the Google Cloud Console, gcloud CLI, or by editing the bucket's IAM policy to specify who can read, write, or manage the bucket.
📐

Syntax

Permissions for a GCP bucket are set by assigning IAM roles to members on the bucket resource. The main parts are:

  • resource: The bucket name where permissions apply.
  • member: The user, group, or service account to grant access.
  • role: The predefined or custom role defining allowed actions (e.g., roles/storage.objectViewer).

You apply permissions by updating the bucket's IAM policy with bindings of members to roles.

bash
gcloud storage buckets add-iam-policy-binding [BUCKET_NAME] \
  --member='user:example@gmail.com' \
  --role='roles/storage.objectViewer'
💻

Example

This example grants a user read-only access to a bucket named my-sample-bucket. It uses the gcloud CLI to add the IAM policy binding.

bash
gcloud storage buckets add-iam-policy-binding my-sample-bucket \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer'
Output
Updated IAM policy for bucket [my-sample-bucket].
⚠️

Common Pitfalls

  • Not specifying the correct member format (e.g., missing user: prefix).
  • Using overly broad roles like roles/storage.admin when only read or write access is needed.
  • Forgetting to replace [BUCKET_NAME] with your actual bucket name.
  • Trying to set permissions on objects instead of the bucket for bucket-level access.

Always verify permissions with gcloud storage buckets get-iam-policy after changes.

bash
## Wrong: missing user prefix

gcloud storage buckets add-iam-policy-binding my-bucket \
  --member='alice@example.com' \
  --role='roles/storage.objectViewer'

## Right: include user prefix

gcloud storage buckets add-iam-policy-binding my-bucket \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer'
📊

Quick Reference

RoleDescriptionUse Case
roles/storage.objectViewerRead access to objectsView files in bucket
roles/storage.objectCreatorWrite access to add objectsUpload files
roles/storage.objectAdminFull control over objectsManage files fully
roles/storage.adminFull control over bucket and objectsAdminister bucket and contents

Key Takeaways

Use IAM roles to control who can access your GCP storage bucket.
Always specify members with correct prefixes like user:, serviceAccount:, or group:.
Prefer least privilege roles to limit access to only what is needed.
Verify permission changes with gcloud commands after applying them.
Use the Google Cloud Console or gcloud CLI for easy permission management.

Related by keyword

How to Manage Permissions in GCP: Simple GuideIAMHow to Choose GCP Region: Simple Guide for Best LocationGetting StartedHow to Use Workload Identity in GCP: Simple GuideIAMHow to Choose Machine Type in GCP: Simple GuideCompute EngineHow to Use Artifact Registry in GCP: Simple GuideGKE

Up next

Preemptible VM in GCP: What It Is and When to Use ItWhat is Spot VM in GCP: Definition and UsageCloud Functions Gen1 vs Gen2: Key Differences and When to Use EachCloud Functions vs AWS Lambda: Key Differences and When to Use Each

More in Cloud Storage

Cloud Storage vs AWS S3: Key Differences and When to Use EachHow to Configure CORS for Google Cloud Storage BucketsHow to Create a Bucket in Google Cloud StorageHow to Delete a File from Google Cloud Storage Easily