Google Cloud Storage Bucket ACL

This page shows how to write Terraform for Cloud Storage Bucket ACL and write them securely.

google_storage_bucket_acl (Terraform)

The Bucket ACL in Cloud Storage can be configured in Terraform with the resource name google_storage_bucket_acl. The following sections describe 1 example of how to use the resource and its parameters.

Example Usage from GitHub

storage_bucket_acl.tf#L1
resource "google_storage_bucket_acl" "tfer--trip-002D-planner-002D-gcs" {
  bucket = "trip-planner-gcs"
}

resource "google_storage_bucket_acl" "tfer--trip-002D-planner-002D-storage" {
  bucket = "trip-planner-storage"

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The name of the bucket it applies to.

Configure this ACL to be the default ACL.

The canned GCS ACL to apply. Must be set if role_entity is not.

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

Explanation in Terraform Registry

Authoritatively manages a bucket's ACLs in Google cloud storage service (GCS). For more information see the official documentation and API. Bucket ACLs can be managed non authoritatively using the storage_bucket_access_control resource. Do not use these two resources in conjunction to manage the same bucket. Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs. NOTE This resource will not remove the project-owners-<project_id> entity from the OWNER role.

Tips: Best Practices for The Other Google Cloud Storage Resources

In addition to the google_storage_bucket, Google Cloud Storage has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

google_storage_bucket

Ensure uniform bucket-level access of your GCS bucket is enabled

It is better to enable uniform bucket-level access of the GCS bucket. Uniform bucket-level access unifies and simplifies how you grant access to resources in the bucket.

Review your Google Cloud Storage settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Frequently asked questions

What is Google Cloud Storage Bucket ACL?

Google Cloud Storage Bucket ACL is a resource for Cloud Storage of Google Cloud Platform. Settings can be wrote in Terraform.

Where can I find the example code for the Google Cloud Storage Bucket ACL?

For Terraform, the tsm2k/terraform_deploy source code example is useful. See the Terraform Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.