How to disable google cloud storage bucket list from acl control?

Question

We're using google cloud storage as our CDN.

However, any visitors can list all files by typing: http://ourcdn.storage.googleapis.com/

How to disable it while all the files under the bucket is still public readable by default?

We previously set the acl using

gsutil defacl ch -g AllUsers:READ

Hao Xu · Accepted Answer · 2019-08-29T01:30:16.480

56

In GCP dashboard：

get in your bucket
click "Permissions" tab and get in.
in member list find "allUsers", change role from Storage Object Viewer to Storage Legacy Object Reader

then, listing should be disabled.

Update:

as @Devy comment, just check the note below here

Note: roles/storage.objectViewer includes permission to list the objects in the bucket. If you don't want to grant listing publicly, use roles/storage.legacyObjectReader.

edited Aug 29 '19 at 01:30

answered May 29 '19 at 06:51

Hao Xu

636
7
4

2

This is the official recommended way in GCP documentation: https://cloud.google.com/storage/docs/access-control/making-data-public#buckets since the GCP Storage Legacy Object Reader permission role bundle specifically do not have the Listing permission. See screenshot: https://d1sz9tkli0lfjq.cloudfront.net/items/3v042M2q2a2q3Y2O1P1Y/%5Be353a730509d8daea03ccf20f66daa4d%5D_GCP-Storage-LegacyObjectReaderPerm.png?v=e7c67e8b – Devy Aug 27 '19 at 21:57
Great solution. Handling GCP permissions is always a pain in the neck but this time it was fine. – afe Jul 02 '21 at 07:49
Just ran into this. What a terrible default; completely inappropriate and totally unexpected. Listing is not something I want enabled on any public service. There's nothing legacy about not having that permission. We don't want people stealing content from our servers if they don't know the url for the things they are getting. We use impossible to guess ids for files so unless you know the url, you are not getting anything. – Jilles van Gurp May 20 '22 at 12:04

score 7 · Answer 2 · answered Sep 25 '18 at 15:39

7

Upload an empty index.html file in the root of your bucket. Open the bucket settings and click Edit website configuration - set index.html as the Main Page.

It will prevent the listing of the directory.

answered Sep 25 '18 at 15:39

maxime

1,993
3
28
57

Perfect solution! Thank! – Qulery Sep 08 '20 at 11:56
3

But that doesn't stop listings of other directories. As per the accepted answer, change role from Storage Object Viewer to Storage Legacy Object Reader. – gingerCodeNinja Jul 25 '21 at 11:52

score 4 · Answer 3 · edited Oct 08 '19 at 15:58

4

Your defacl looks good. The problem is most likely that for some reason AllUsers must also have READ, WRITE, or FULL_CONTROL on the bucket itself. You can clear those with a command like this:

gsutil acl ch -d AllUsers gs://bucketname

edited Oct 08 '19 at 15:58

jterrace

64,866
22
157
202

answered Oct 01 '13 at 20:30

Brandon Yarbrough

37,021
23
116
145

score 2 · Answer 4 · answered Oct 01 '13 at 20:40

Your command set the default object ACL on the bucket to READ, which means that objects will be accessible by anyone. To prevent users from listing the objects, you need to make sure users don't have an ACL on the bucket itself.

gsutil acl ch -d AllUsers gs://yourbucket

should accomplish this. You may need to run a similar command for AllAuthenticatedUsers; just take a look at the bucket ACL with

gsutil acl get gs://yourbucket

and it should be clear.

score 0 · Answer 5 · answered Mar 16 '23 at 18:33

If you're using the bucket for a static website (or not), you can tell (using gsutil) GCP Cloud Storage what file to use as the "index" file, so that the XML file listing all the contents isn't shown, and instead your index.html file. See https://cloud.google.com/storage/docs/gsutil/commands/web

How to disable google cloud storage bucket list from acl control?

5 Answers5

Linked

Related