How to disable google cloud storage bucket list from acl control?
We're using google cloud storage as our CDN.

However, any visitors can list all files by typing: http://ourcdn.storage.googleapis.com/

How do I disable it while all the files under the bucket are still publicly readable by default?

We previously set the acl using

gsutil defacl ch -g AllUsers:READ gs://ourcdn
Mccutchen answered 1/10, 2013 at 19:20
61

In the GCP dashboard:

  1. open your bucket
  2. click the "Permissions" tab
  3. in the member list, find "allUsers" and change its role from Storage Object Viewer to Storage Legacy Object Reader

Then listing should be disabled.

Update:

as @Devy commented, just check the note below:

Note: roles/storage.objectViewer includes permission to list the objects in the bucket. If you don't want to grant listing publicly, use roles/storage.legacyObjectReader.

Bluebonnet answered 29/5, 2019 at 6:51
This is the officially recommended way in the GCP documentation: cloud.google.com/storage/docs/access-control/… since the GCP Storage Legacy Object Reader role bundle specifically does not have the listing permission. See screenshot: d1sz9tkli0lfjq.cloudfront.net/items/3v042M2q2a2q3Y2O1P1Y/…Brion
Great solution. Handling GCP permissions is always a pain in the neck but this time it was fine.Gamaliel
Just ran into this. What a terrible default; completely inappropriate and totally unexpected. Listing is not something I want enabled on any public service. There's nothing legacy about not having that permission. We don't want people stealing content from our servers if they don't know the url for the things they are getting. We use impossible to guess ids for files so unless you know the url, you are not getting anything.Pettish
7

Upload an empty index.html file in the root of your bucket. Open the bucket settings and click Edit website configuration - set index.html as the Main Page.

It will prevent the listing of the directory.

Ralph answered 25/9, 2018 at 15:39
Perfect solution! Thanks!Congreve
But that doesn't stop listings of other directories. As per the accepted answer, change role from Storage Object Viewer to Storage Legacy Object Reader.Foamflower
4

Your defacl looks good. The problem is most likely that for some reason AllUsers must also have READ, WRITE, or FULL_CONTROL on the bucket itself. You can clear those with a command like this:

gsutil acl ch -d AllUsers gs://bucketname
Saunder answered 1/10, 2013 at 20:30
2

Your command set the default object ACL on the bucket to READ, which means that objects will be accessible by anyone. To prevent users from listing the objects, you need to make sure users don't have an ACL on the bucket itself.

gsutil acl ch -d AllUsers gs://yourbucket

should accomplish this. You may need to run a similar command for AllAuthenticatedUsers; just take a look at the bucket ACL with

gsutil acl get gs://yourbucket

and it should be clear.

Boling answered 1/10, 2013 at 20:40
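A check that ties the accepted answer (IAM role on allUsers) and the two gsutil acl answers together, as an added example that is not from any of the posters: it reads the JSON that `gsutil iam get gs://bucket` and `gsutil acl get gs://bucket` print, reports every public grant that carries object listing, and emits the matching remediation commands. The inputs are constructed samples; `gs://BUCKET` is a placeholder, and the roles beyond objectViewer in LISTING_ROLES come from the Cloud Storage IAM role reference rather than from this page.

```python
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# IAM roles that carry storage.objects.list. The page names objectViewer;
# the others are from the Cloud Storage IAM role reference (assumption here).
LISTING_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyBucketReader", "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
}
SAFE_PUBLIC_ROLE = "legacyObjectReader"  # read objects, no listing

def public_listing_findings(iam_policy, bucket_acl):
    """Return (principal, grant) pairs that let the public list the bucket.

    iam_policy: dict as printed by `gsutil iam get gs://bucket`
    bucket_acl: list as printed by `gsutil acl get gs://bucket` (bucket ACL, not defacl)
    """
    findings = []
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") in LISTING_ROLES:
            for member in binding.get("members", []):
                if member in PUBLIC_PRINCIPALS:
                    findings.append((member, binding["role"]))
    for entry in bucket_acl:
        # any bucket-level ACL entry (READER/WRITER/OWNER) allows listing
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            findings.append((entry["entity"], "bucket ACL " + entry.get("role", "?")))
    return findings

def remediation(findings):
    """gsutil commands that drop each listing grant; objectViewer is swapped
    for legacyObjectReader so objects stay publicly readable."""
    cmds = []
    for principal, grant in findings:
        if grant.startswith("bucket ACL"):
            cmds.append(f"gsutil acl ch -d {principal} gs://BUCKET")
        else:
            short = grant.rsplit(".", 1)[-1]  # roles/storage.objectViewer -> objectViewer
            cmds.append(f"gsutil iam ch -d {principal}:{short} gs://BUCKET")
            if short == "objectViewer":
                cmds.append(f"gsutil iam ch {principal}:{SAFE_PUBLIC_ROLE} gs://BUCKET")
    return cmds

# Constructed sample output, shaped like the two gsutil commands' JSON
SAMPLE_IAM = json.loads('{"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}], "etag": "CAE="}')
SAMPLE_ACL = json.loads('[{"entity": "project-owners-123", "role": "OWNER"}, {"entity": "allUsers", "role": "READER"}]')

if __name__ == "__main__":
    found = public_listing_findings(SAMPLE_IAM, SAMPLE_ACL)
    print("\n".join(remediation(found)) if found else "no public listing grants")
```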
0

If you're using the bucket for a static website (or not), you can tell GCP Cloud Storage (using gsutil) which file to use as the "index" file, so that the XML file listing all the contents isn't shown and your index.html file is shown instead. See https://cloud.google.com/storage/docs/gsutil/commands/web

Pygmy answered 16/3, 2023 at 18:33