# 访问被拒绝。存储桶 'my-bucket' 启用了统一存储桶级访问权限，因此无法设置对象级 ACL。请改用存储桶级 IAM 权限。

- **ID:** `cloud/gcp-cloud-storage-bucket-policy-only-upload-fails`
- **领域:** cloud
- **类别:** config_error
- **验证级别:** ai_generated
- **修复率:** 90%

## 根因

当启用统一存储桶级访问权限时，Cloud Storage 会拒绝任何包含对象 ACL 的请求（例如 `x-goog-acl: public-read` 标头），因为所有权限必须通过存储桶级别的 IAM 进行管理。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| Google Cloud Storage (JSON API v1) | active | — | — |
| gsutil 5.28 | active | — | — |
| Google Cloud SDK 474.0.0 | active | — | — |

## 解决方案

1. ```
   Remove the ACL header from the upload request and instead grant public access via IAM: `gsutil iam ch allUsers:objectViewer gs://my-bucket`
   ```
2. ```
   If object-level ACLs are required, disable uniform bucket-level access: `gsutil bucket update gs://my-bucket --no-uniform-bucket-level-access`
   ```

## 无效尝试

- **** — The error is about ACLs, not object existence; checking existence does not resolve the permission conflict. (90% 失败率)
- **** — Fine-grained access is the opposite of uniform; enabling it would allow ACLs but may break existing IAM policies. (50% 失败率)
- **** — The service account may have permissions but the request itself includes an ACL header that is rejected. (70% 失败率)