This page shows you how to make objects you own readable to everyone on the public internet. To learn how to access data that has been made public, see Accessing Public Data.
When an object is shared publicly, any user with knowledge of the object URI can access the object for as long as the object is public.
Required roles
In order to get the required permissions for making objects publicly readable, ask your administrator to grant you the following roles for the bucket that contains the data you want to make public:
- To make all objects in a bucket publicly readable: Storage Admin (roles/storage.admin)
- To make individual objects publicly readable: Storage Object Admin (roles/storage.objectAdmin)
  - If you plan on using the Google Cloud console, you'll need the Storage Admin (roles/storage.admin) role instead of the Storage Object Admin role.
These roles contain the permissions required to make objects public. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
The following permissions are only required for using the Google Cloud console to perform the tasks on this page:
storage.buckets.list
storage.objects.list
You might also be able to get these permissions with other predefined roles or custom roles.
For instructions on granting roles on buckets, see Use IAM with buckets.
Make all objects in a bucket publicly readable
To make all objects in a bucket readable to everyone on the public internet, grant the principal allUsers the Storage Object Viewer (roles/storage.objectViewer) role:
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. In the list of buckets, click the name of the bucket that you want to make public.
3. Select the Permissions tab near the top of the page.
4. In the Permissions section, click the Grant access button. The Grant access dialog appears.
5. In the New principals field, enter allUsers.
6. In the Select a role drop down, enter Storage Object Viewer in the filter box and select the Storage Object Viewer from the filtered results.
7. Click Save.
8. Click Allow public access.
Once public access has been granted, Copy URL appears for each object in the public access column. You can click this button to get the public URL for the object.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
1. In the Google Cloud console, activate Cloud Shell.
   At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
2. In your development environment, run the buckets add-iam-policy-binding command:
       gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
   Where BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket.
Client libraries
C++, C#, Go, Java, Node.js, PHP, Python, Ruby
For more information, see the Cloud Storage API reference documentation for your language.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Terraform
You can use a Terraform resource to make all objects in a bucket public.
REST APIs
JSON API
1. Have gcloud CLI installed and initialized, in order to generate an access token for the Authorization header.
   Alternatively, you can create an access token using the OAuth 2.0 Playground and include it in the Authorization header.
2. Create a JSON file that contains the following information:
       {
         "bindings": [
           {
             "role": "roles/storage.objectViewer",
             "members": ["allUsers"]
           }
         ]
       }
3. Use cURL to call the JSON API with a PUT Bucket request:
       curl -X PUT --data-binary @JSON_FILE_NAME \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json" \
         "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"
   Where:
   - JSON_FILE_NAME is the path for the file that you created in Step 2.
   - BUCKET_NAME is the name of the bucket whose objects you want to make public. For example, my-bucket.
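The PUT request above sets the bucket's whole IAM policy, so a file that holds only the allUsers binding replaces the bindings that were there before. The following is an added example, not part of the original page: it merges the binding into a policy that was fetched first and keeps its etag. The sample policy, the example.com members and the function names are constructed for illustration.

```python
import copy
import json

PUBLIC_MEMBER = "allUsers"
VIEWER_ROLE = "roles/storage.objectViewer"


def add_public_viewer(current_policy):
    """Return a copy of current_policy with allUsers added as Storage Object Viewer."""
    policy = copy.deepcopy(current_policy)  # keeps every binding and the etag
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        # Only reuse an unconditional binding; a conditional one applies to its
        # members under a condition and must not be widened here.
        if binding.get("role") == VIEWER_ROLE and "condition" not in binding:
            if PUBLIC_MEMBER not in binding.setdefault("members", []):
                binding["members"].append(PUBLIC_MEMBER)
            return policy
    bindings.append({"role": VIEWER_ROLE, "members": [PUBLIC_MEMBER]})
    return policy


def dropped_bindings(current_policy, new_policy):
    """List (role, member) pairs in current_policy that new_policy no longer has."""
    def pairs(policy):
        return {(b["role"], m)
                for b in policy.get("bindings", []) for m in b.get("members", [])}
    return sorted(pairs(current_policy) - pairs(new_policy))


# Constructed sample of what a GET on .../b/BUCKET_NAME/iam could return.
CURRENT_POLICY = {
    "kind": "storage#policy",
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
        {"role": VIEWER_ROLE, "members": ["group:readers@example.com"]},
    ],
}
# The file from Step 2, used as-is.
STEP2_FILE = {"bindings": [{"role": VIEWER_ROLE, "members": [PUBLIC_MEMBER]}]}

if __name__ == "__main__":
    print("Lost if the Step 2 file is sent alone:",
          dropped_bindings(CURRENT_POLICY, STEP2_FILE))
    print(json.dumps(add_public_viewer(CURRENT_POLICY), indent=2))
```

Write the merged policy to JSON_FILE_NAME and send that file with the PUT request.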
XML API
Making all objects in a bucket publicly readable is not supported by the XML API. Use the Google Cloud console or gcloud storage.
Make individual objects publicly readable
To make individual objects readable to everyone on the public internet, grant the principal allUsers the READER role:
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. Click the name of the bucket that contains the object you want to make public, and navigate to the object if it's in a subdirectory.
3. Click the name of the object.
4. Click Edit access.
5. In the overlay that appears, click the Add entry button.
6. Add a permission for allUsers.
   - Select Public for the Entity.
   - Select allUsers for the Name.
   - Select Reader for the Access.
7. Click Save.
Once public access has been granted, Copy URL appears in the public access column. You can click this button to get the public URL for the object.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
1. In the Google Cloud console, activate Cloud Shell.
   At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
2. In your development environment, run the objects update command with the --add-acl-grant flag:
       gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --add-acl-grant=entity=AllUsers,role=READER
   Where:
   - BUCKET_NAME is the name of the bucket containing the object you want to make public. For example, my-bucket.
   - OBJECT_NAME is the name of the object you want to make public. For example, pets/dog.png.
Client libraries
C++, C#, Go, Java, Node.js, PHP, Python, Ruby
For more information, see the Cloud Storage API reference documentation for your language.
To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST APIs
JSON API
1. Have gcloud CLI installed and initialized, in order to generate an access token for the Authorization header.
   Alternatively, you can create an access token using the OAuth 2.0 Playground and include it in the Authorization header.
2. Create a JSON file that contains the following information:
       {
         "entity": "allUsers",
         "role": "READER"
       }
3. Use cURL to call the JSON API with an Insert ACL request:
       curl -X POST --data-binary @JSON_FILE_NAME \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json" \
         "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/o/OBJECT_NAME/acl"
   Where:
   - JSON_FILE_NAME is the path for the file that you created in Step 2.
   - BUCKET_NAME is the name of the bucket containing the object you want to make public. For example, my-bucket.
   - OBJECT_NAME is the URL-encoded name of the object you want to make public. For example, pets/dog.png, URL-encoded as pets%2Fdog.png.
XML API
1. Have gcloud CLI installed and initialized, in order to generate an access token for the Authorization header.
   Alternatively, you can create an access token using the OAuth 2.0 Playground and include it in the Authorization header.
2. Create an XML file that contains the following information:
       <AccessControlList>
         <Entries>
           <Entry>
             <Scope type="AllUsers"/>
             <Permission>READ</Permission>
           </Entry>
         </Entries>
       </AccessControlList>
3. Use cURL to call the XML API with a Set Object ACL request:
       curl -X PUT --data-binary @XML_FILE_NAME \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         "https://storage.googleapis.com/BUCKET_NAME/OBJECT_NAME?acl"
   Where:
   - XML_FILE_NAME is the path for the file that you created in Step 2.
   - BUCKET_NAME is the name of the bucket containing the object you want to make public. For example, my-bucket.
   - OBJECT_NAME is the URL-encoded name of the object you want to make public. For example, pets/dog.png, URL-encoded as pets%2Fdog.png.
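Public access on this page is expressed in three formats: the bucket IAM policy, the JSON API object ACL entry and the XML API ACL document, with the principal spelled allUsers in some and AllUsers in others. The following added example, which is not part of the original page, finds the public grants in each format so that existing exposure can be reviewed. The function names and sample documents are constructed, and allAuthenticatedUsers is checked as an addition that the page does not mention.

```python
import xml.etree.ElementTree as ET

# allUsers is the principal this page grants. allAuthenticatedUsers is an
# addition made here because it is nearly as broad.
PUBLIC = {"allusers", "allauthenticatedusers"}


def public_iam_bindings(policy):
    """(role, member) pairs in a bucket IAM policy that grant public access."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m.lower() in PUBLIC]


def public_json_acl(entries):
    """(entity, role) pairs in JSON API object ACL entries that are public."""
    return [(e["entity"], e["role"]) for e in entries
            if e.get("entity", "").lower() in PUBLIC]


def public_xml_acl(xml_text):
    """(scope type, permission) pairs in an XML API ACL document that are public."""
    found = []
    for entry in ET.fromstring(xml_text).iter("Entry"):
        scope = entry.find("Scope")
        if scope is not None and scope.get("type", "").lower() in PUBLIC:
            found.append((scope.get("type"), entry.findtext("Permission", "").strip()))
    return found


# Constructed samples in the three formats shown on this page.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}
SAMPLE_JSON_ACL = [
    {"entity": "user-owner@example.com", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
]
SAMPLE_XML_ACL = """<AccessControlList><Entries>
  <Entry><Scope type="UserByEmail"><EmailAddress>owner@example.com</EmailAddress></Scope>
    <Permission>FULL_CONTROL</Permission></Entry>
  <Entry><Scope type="AllUsers"/><Permission>READ</Permission></Entry>
</Entries></AccessControlList>"""

if __name__ == "__main__":
    print(public_iam_bindings(SAMPLE_POLICY))
    print(public_json_acl(SAMPLE_JSON_ACL))
    print(public_xml_acl(SAMPLE_XML_ACL))
```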
What's next
- Access data that has been made public.
- Learn about more access control options for your buckets and objects.