允许对 GCS 存储桶进行公共读取访问？

Question

I am trying to allow anonymous (or just from my applications domain) read access for files in my bucket.

When trying to read the files I get

```

<Error>
    <Code>AccessDenied</Code>
    <Message>Access denied.</Message>
    <Details>
        Anonymous users does not have storage.objects.get access to object.
    </Details>
</Error>

```

I also tried to add a domain with the object default permissions dialog in the google cloud console. that gives me the error "One of your permissions is invalid. Make sure that you enter an authorized id or email for the groups and users and a domain for the domains"

I have also looked into making the ACL for the bucket public-read . My only problem with this is that it removes my ownership over the bucket. I need to have that ownership since I want to allow uploading from a specific Google Access Id.

Answer 1

You can also do it from the console.
https://console.cloud.google.com/storage/
Choose edit the bucket permissions:
Input "allUsers" in Add Members option and "Storage Object Viewer" as the role. Then go to "Select a role" and set "Storage" and "Storage Object Legacy" to "Storage Object View"

Answer 2

You can use gsutil to make new objects created in the bucket publicly readable without removing your ownership. To make new objects created in the bucket publicly readable:

gsutil defacl ch -u AllUsers:R gs://yourbucket

If you have existing objects in the bucket that you want to make publicly readable, you can run:

gsutil acl ch -u AllUsers:R gs://yourbucket/**

Answer 3

Using IAM roles, to make the files readable, and block listing:

gsutil iam ch allUsers:legacyObjectReader gs://bucket-name

To make the files readable, and allow listing:

gsutil iam ch allUsers:objectViewer gs://bucket-name

Answer 4

1. Open the Cloud Storage browser in the Google Cloud Platform Console.
2. In the list of buckets, click on the name of the bucket that contains the object you want to make public, and navigate to the object if it's in a subdirectory.
3. Click the drop-down menu associated with the object that you want to make public.
4. The drop-down menu appears as three vertical dots to the far right of the object's row.
5. Select Edit permissions from the drop-down menu.
6. In the overlay that appears, click the + Add item button.

7. Add a permission for allUsers.

   • Select User for the Entity.
   • Enter allUsers for the Name.
   • Select Reader for the Access.
   • Click Save.

8. Once shared publicly, a link icon appears in the public access column. You can click on this icon to get the URL for the object.

Instruction on Making Data Public from Google Cloud Docs

Answer 5

如果您在firebase 函数中上传文件，则需要在引用对象上调用makePublic()以使其无需传递令牌即可访问。

Answer 6

If you want to allow specific bucket to be accessible with the specific "folder/content" then you have to specify in the command: gsutil iam -r ch allUsers:legacyObjectReader gs://your-bucket/your-files/**

• But this is for specific content inside a bucket that is not public!

Answer 7

Apr, 2022 Update:

You can allow all users to read files in your bucket on Cloud Storage.

First, in Bucket details , click on "PERMISSIONS" then "ADD" :

Then, type "allUsers" :

Then, select the role "Storage Legacy Object Reader" so that all users can read files:

Then, click on "SAVE" :

Then, you should be asked as shown below so click on "ALLOW PUBLIC ACCESS" :

Finally, you can allow all users to read files in your bucket: