googleStorageBucketAccessControl
Bucket ACLs can be managed authoritatively using the storageBucketAcl
resource. Do not use these two resources in conjunction to manage the same bucket.
The BucketAccessControls resource manages the Access Control List (ACLs) for a single entity/role pairing on a bucket. ACLs let you specify who has access to your data and to what extent.
There are three roles that can be assigned to an entity:
READERs can get the bucket, though no acl property will be returned, and list the bucket's objects. WRITERs are READERs, and they can insert objects into the bucket and delete the bucket's objects. OWNERs are WRITERs, and they can get the acl property of a bucket, update a bucket, and call all BucketAccessControls methods on the bucket. For more information, see Access Control, with the caveat that this API uses READER, WRITER, and OWNER instead of READ, WRITE, and FULL_CONTROL.
To get more information about BucketAccessControl, see:
- API documentation
- How-to Guides
- Official Documentation
Example Usage - Storage Bucket Access Control Public Bucket
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleStorageBucketBucket = new google.storageBucket.StorageBucket(
this,
"bucket",
{
location: "US",
name: "static-content-bucket",
}
);
new google.storageBucketAccessControl.StorageBucketAccessControl(
this,
"public_rule",
{
bucket: googleStorageBucketBucket.name,
entity: "allUsers",
role: "READER",
}
);
Argument Reference
The following arguments are supported:
-
bucket
- (Required) The name of the bucket. -
entity
- (Required) The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com.
role
- (Optional) The access permission for the entity. Possible values areowner
,reader
, andwriter
.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
-
id
- an identifier for the resource with format{{bucket}}/{{entity}}
-
domain
- The domain associated with the entity. -
email
- The email address associated with the entity.
Timeouts
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.
Import
BucketAccessControl can be imported using any of these accepted formats: