
googleStorageDefaultObjectAccessControl

The DefaultObjectAccessControls resources represent the Access Control Lists (ACLs) applied to a new object within a Google Cloud Storage bucket when no ACL was provided for that object. ACLs let you specify who has access to your bucket contents and to what extent.

There are two roles that can be assigned to an entity:

READERs can get an object, though the acl property will not be revealed. OWNERs are READERs, and they can get the acl property, update an object, and call all objectAccessControls methods on the object. The owner of an object is always an OWNER. For more information, see Access Control, with the caveat that this API uses READER and OWNER instead of READ and FULL_CONTROL.

To get more information about DefaultObjectAccessControl, see:

Example Usage - Storage Default Object Access Control Public

/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as google from "./.gen/providers/google";
/* The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
   For a more precise conversion please use the --provider flag in convert. */

class PublicDefaultObjectAclStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const googleStorageBucketBucket = new google.storageBucket.StorageBucket(
      this,
      "bucket",
      {
        location: "US",
        name: "static-content-bucket",
      }
    );

    // Every object created in this bucket without an explicit ACL becomes
    // readable by anyone on the internet (entity allUsers, role READER).
    new google.storageDefaultObjectAccessControl.StorageDefaultObjectAccessControl(
      this,
      "public_rule",
      {
        bucket: googleStorageBucketBucket.name,
        entity: "allUsers",
        role: "READER",
      }
    );
  }
}

const app = new App();
new PublicDefaultObjectAclStack(app, "storage-default-object-acl-public");
app.synth();

Argument Reference

The following arguments are supported:

  • bucket - (Required) The name of the bucket.

  • entity - (Required) The entity holding the permission, in one of the following forms:

    • user-{{userId}}
    • user-{{email}} (such as "user-liz@example.com")
    • group-{{groupId}}
    • group-{{email}} (such as "group-example@googlegroups.com")
    • domain-{{domain}} (such as "domain-example.com")
    • project-team-{{projectId}}
    • allUsers
    • allAuthenticatedUsers

  • role - (Required) The access permission for the entity. Possible values are owner and reader.

  • object - (Optional) The name of the object, if applied to an object.
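As an added example (not part of the provider documentation or the cdktf project), the following TypeScript checks a set of default object ACL rules against the argument reference above: it accepts only the listed entity forms and flags rules whose entity is allUsers or allAuthenticatedUsers, since such a rule makes every object created without an explicit ACL readable (or writable, for OWNER) by the public. The DefaultAclRule and Finding shapes, the severity levels and the sample rules are constructed for this example; the role is compared case-insensitively because the API reports OWNER and READER in upper case.

```typescript
// Added example, not from the provider docs: validate the `entity` argument
// against the documented forms and flag default ACL rules that make every
// new object public. DefaultAclRule/Finding are constructed for the example.

type Entity =
  | { kind: "user" | "group"; id: string }
  | { kind: "domain"; domain: string }
  | { kind: "project-team"; projectId: string }
  | { kind: "allUsers" }
  | { kind: "allAuthenticatedUsers" };

// Accepts exactly the entity forms from the argument reference; anything else is null.
function parseEntity(entity: string): Entity | null {
  if (entity === "allUsers") return { kind: "allUsers" };
  if (entity === "allAuthenticatedUsers") return { kind: "allAuthenticatedUsers" };
  let m = /^(user|group)-(.+)$/.exec(entity);
  if (m) return { kind: m[1] as "user" | "group", id: m[2] };
  m = /^domain-(.+)$/.exec(entity);
  if (m) return { kind: "domain", domain: m[1] };
  m = /^project-team-(.+)$/.exec(entity);
  if (m) return { kind: "project-team", projectId: m[1] };
  return null;
}

interface DefaultAclRule {
  bucket: string;
  entity: string;
  role: string; // OWNER or READER; compared case-insensitively
}

interface Finding {
  bucket: string;
  entity: string;
  severity: "error" | "high" | "medium";
  message: string;
}

function auditDefaultAcls(rules: DefaultAclRule[]): Finding[] {
  const findings: Finding[] = [];
  for (const rule of rules) {
    const role = rule.role.toUpperCase();
    const base = { bucket: rule.bucket, entity: rule.entity };
    if (role !== "OWNER" && role !== "READER") {
      findings.push({ ...base, severity: "error", message: `role must be OWNER or READER, got "${rule.role}"` });
      continue;
    }
    const parsed = parseEntity(rule.entity);
    if (parsed === null) {
      findings.push({ ...base, severity: "error", message: `entity "${rule.entity}" matches none of the documented forms` });
      continue;
    }
    if (parsed.kind === "allUsers") {
      findings.push({ ...base, severity: "high", message: `new objects in ${rule.bucket} default to ${role} for anyone on the internet` });
    } else if (parsed.kind === "allAuthenticatedUsers") {
      findings.push({ ...base, severity: "high", message: `new objects in ${rule.bucket} default to ${role} for any Google account` });
    } else if (role === "OWNER" && parsed.kind !== "user") {
      // OWNER can read the ACL, rewrite it and update the object, so a
      // group-, domain- or team-wide OWNER default deserves review.
      findings.push({ ...base, severity: "medium", message: `${parsed.kind} entity gets OWNER on every new object in ${rule.bucket}` });
    }
  }
  return findings;
}

// Constructed sample input; the first rule is the public rule from the usage example above.
const SAMPLE_RULES: DefaultAclRule[] = [
  { bucket: "static-content-bucket", entity: "allUsers", role: "READER" },
  { bucket: "internal-reports", entity: "group-example@googlegroups.com", role: "OWNER" },
  { bucket: "internal-reports", entity: "user-liz@example.com", role: "reader" },
  { bucket: "internal-reports", entity: "everyone", role: "READER" },
];

const SAMPLE_FINDINGS = auditDefaultAcls(SAMPLE_RULES);
for (const f of SAMPLE_FINDINGS) {
  console.log(`[${f.severity}] ${f.bucket} ${f.entity}: ${f.message}`);
}
```

Running it over the sample prints one high finding for the public rule, one medium finding for the group-wide OWNER default, and one error for the unrecognised entity "everyone"; the user-level READER rule produces nothing.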

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format {{bucket}}/{{entity}}

  • domain - The domain associated with the entity.

  • email - The email address associated with the entity.

  • entityId - The ID for the entity

  • generation - The content generation of the object, if applied to an object.

  • projectTeam - The project team associated with the entity. Structure is documented below.

The projectTeam block contains:

  • projectNumber - (Optional) The project team associated with the entity

  • team - (Optional) The team. Possible values are editors, owners, and viewers.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

DefaultObjectAccessControl can be imported using any of these accepted formats:

$ terraform import google_storage_default_object_access_control.default {{bucket}}/{{entity}}