cloud
config_error
ai_generated: true
Access denied. Bucket 'my-bucket' has uniform bucket-level access enabled, so object-level ACLs cannot be set. Use bucket-level IAM permissions instead.
ID: cloud/gcp-cloud-storage-bucket-policy-only-upload-fails
Fix Rate: 90%
Confidence: 85%
Evidence: 1
First Seen: 2024-04-05
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Google Cloud Storage (JSON API v1) | active | — | — | — |
| gsutil 5.28 | active | — | — | — |
| Google Cloud SDK 474.0.0 | active | — | — | — |
Root Cause
When uniform bucket-level access is enabled, Cloud Storage rejects any request that includes an object ACL (e.g., `x-goog-acl: public-read` header) because all permissions must be managed via IAM at the bucket level.
Official Documentation
https://cloud.google.com/storage/docs/uniform-bucket-level-access
Workarounds
- 95% success: Remove the ACL header from the upload request and instead grant public access via IAM: `gsutil iam ch allUsers:objectViewer gs://my-bucket`. Because the binding is set at the bucket level, it makes every object in the bucket publicly readable, not only the uploaded one.
- 80% success: If object-level ACLs are required, disable uniform bucket-level access: `gcloud storage buckets update gs://my-bucket --no-uniform-bucket-level-access`
Dead Ends
Common approaches that don't work:
- 90% fail: The error is about ACLs, not object existence; checking existence does not resolve the permission conflict.
- 50% fail: Fine-grained access is the opposite of uniform; enabling it would allow ACLs but may break existing IAM policies.
- 70% fail: The service account may have permissions but the request itself includes an ACL header that is rejected.