Access denied. Bucket 'my-bucket' has uniform bucket-level access enabled, so object-level ACLs cannot be set. Use bucket-level IAM permissions instead.
ID: cloud/gcp-cloud-storage-bucket-policy-only-upload-fails
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Google Cloud Storage (JSON API v1) | active | — | — | — |
| gsutil 5.28 | active | — | — | — |
| Google Cloud SDK 474.0.0 | active | — | — | — |
Root cause analysis
When uniform bucket-level access is enabled, Cloud Storage rejects any request that includes an object ACL (for example, an `x-goog-acl: public-read` header on an XML API upload or a `predefinedAcl` parameter on a JSON API upload), because all permissions on the bucket and its objects must be managed through IAM at the bucket level.
Official documentation
https://cloud.google.com/storage/docs/uniform-bucket-level-access
Solution
- Remove the ACL header from the upload request and instead grant public access via IAM: `gsutil iam ch allUsers:objectViewer gs://my-bucket`
- If object-level ACLs are required, disable uniform bucket-level access: `gsutil ubla set off gs://my-bucket`
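The decision above, worked through as an added example that is not part of this entry or of Google's client libraries: read the bucket's `iamConfiguration.uniformBucketLevelAccess.enabled` flag from its metadata, build an upload request that only attaches an ACL when the bucket is fine-grained, and otherwise express the public-read grant as an IAM policy binding (the equivalent of the `gsutil iam ch` command). The bucket metadata and policy are constructed sample dictionaries; the function names are the example's own.

```python
import copy

# Constructed sample of a buckets.get response for a bucket with uniform
# bucket-level access (UBLA) enabled.
BUCKET_METADATA = {
    "name": "my-bucket",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
}


def ubla_enabled(bucket_metadata):
    """True when UBLA is on, i.e. any object ACL on a request is rejected."""
    cfg = bucket_metadata.get("iamConfiguration", {})
    return bool(cfg.get("uniformBucketLevelAccess", {}).get("enabled", False))


def build_upload_request(bucket_metadata, object_name, public=False, api="json"):
    """Return (query_params, headers) for an object upload.

    With UBLA on, no ACL is attached, because a predefinedAcl parameter (JSON
    API) or x-goog-acl header (XML API) would make Cloud Storage reject the
    whole upload; access must then be granted through bucket IAM instead.
    """
    params = {"name": object_name}
    headers = {}
    if public and not ubla_enabled(bucket_metadata):
        # Fine-grained bucket: an object ACL is accepted.
        if api == "json":
            params["predefinedAcl"] = "publicRead"
        else:
            headers["x-goog-acl"] = "public-read"
    return params, headers


def grant_public_read(policy):
    """Add allUsers to roles/storage.objectViewer in an IAM policy (idempotent).

    Same effect as: gsutil iam ch allUsers:objectViewer gs://my-bucket
    The input policy is not modified; a new policy dict is returned.
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == "roles/storage.objectViewer":
            if "allUsers" not in binding["members"]:
                binding["members"].append("allUsers")
            return new_policy
    new_policy["bindings"].append(
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]})
    return new_policy
```

Note that `allUsers:objectViewer` makes every object in the bucket readable by anyone; the same IAM route works with a narrower member if only specific principals need access.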
Ineffective attempts
Common but ineffective approaches:
- 90% fail: The error is about ACLs, not object existence; checking existence does not resolve the permission conflict.
- 50% fail: Fine-grained access is the opposite of uniform; enabling it would allow ACLs but may break existing IAM policies.
- 70% fail: The service account may have permissions, but the request itself includes an ACL header that is rejected.