{
  "id": "cloud/gcp-cloud-storage-bucket-policy-only-upload-fails",
  "signature": "Access denied. Bucket 'my-bucket' has uniform bucket-level access enabled, so object-level ACLs cannot be set. Use bucket-level IAM permissions instead.",
  "signature_zh": "访问被拒绝。存储桶 'my-bucket' 启用了统一存储桶级访问权限，因此无法设置对象级 ACL。请改用存储桶级 IAM 权限。",
  "regex": "has uniform bucket-level access enabled, so object-level ACLs cannot be set",
  "domain": "cloud",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "When uniform bucket-level access is enabled, Cloud Storage rejects any request that includes an object ACL (e.g., `x-goog-acl: public-read` header) because all permissions must be managed via IAM at the bucket level.",
  "root_cause_type": "generic",
  "root_cause_zh": "当启用统一存储桶级访问权限时，Cloud Storage 会拒绝任何包含对象 ACL 的请求（例如 `x-goog-acl: public-read` 标头），因为所有权限必须通过存储桶级别的 IAM 进行管理。",
  "versions": [
    {
      "version": "Google Cloud Storage (JSON API v1)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "gsutil 5.28",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Google Cloud SDK 474.0.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The error is about ACLs, not object existence; checking existence does not resolve the permission conflict.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Fine-grained access is the opposite of uniform; enabling it would allow ACLs but may break existing IAM policies.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The service account may have permissions but the request itself includes an ACL header that is rejected.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
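    {
      "action": "Remove the ACL header from the upload request and instead grant public access via IAM: `gsutil iam ch allUsers:objectViewer gs://my-bucket`",
      "success_rate": 0.95,
      "how": "Remove the ACL header from the upload request and instead grant public access via IAM: `gsutil iam ch allUsers:objectViewer gs://my-bucket`. Note that this bucket-level binding makes every object in the bucket publicly readable, not only the uploaded one, so apply it only to buckets that are meant to be fully public.",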
      "condition": "",
      "sources": []
    },
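    {
      "action": "If object-level ACLs are required, disable uniform bucket-level access: `gsutil bucket update gs://my-bucket --no-uniform-bucket-level-access`",
      "success_rate": 0.8,
      "how": "If object-level ACLs are required, disable uniform bucket-level access: `gsutil bucket update gs://my-bucket --no-uniform-bucket-level-access`. Note that the `--no-uniform-bucket-level-access` flag belongs to `gcloud storage buckets update`; the gsutil form is `gsutil ubla set off gs://my-bucket`. Disabling uniform bucket-level access re-enables per-object ACLs, so access to the bucket's objects is no longer governed by bucket-level IAM alone.",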
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Remove the ACL header from the upload request and instead grant public access via IAM: `gsutil iam ch allUsers:objectViewer gs://my-bucket`",
    "If object-level ACLs are required, disable uniform bucket-level access: `gsutil bucket update gs://my-bucket --no-uniform-bucket-level-access`"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://cloud.google.com/storage/docs/uniform-bucket-level-access",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2024-04-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}