Bucket
Authoritatively manages a bucket's ACLs in Google cloud storage service (GCS). For more information see the official documentation and API. Bucket ACLs can be managed non authoritatively using the storage_bucket_access_control resource. Do not use these two resources in conjunction to manage the same bucket. Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs. NOTE This resource will not remove the project-owners-<project_id> entity from the OWNER role.
Example Usage
Example creating an ACL on a bucket with one owner, and one reader.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const image_store = new gcp.storage.Bucket("image-store", {
name: "image-store-bucket",
location: "EU",
});
const image_store_acl = new gcp.storage.BucketACL("image-store-acl", {
bucket: image_store.name,
roleEntities: [
"OWNER:user-my.email@gmail.com",
"READER:group-mygroup",
],
});import pulumi
import pulumi_gcp as gcp
image_store = gcp.storage.Bucket("image-store",
name="image-store-bucket",
location="EU")
image_store_acl = gcp.storage.BucketACL("image-store-acl",
bucket=image_store.name,
role_entities=[
"OWNER:user-my.email@gmail.com",
"READER:group-mygroup",
])using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var image_store = new Gcp.Storage.Bucket("image-store", new()
{
Name = "image-store-bucket",
Location = "EU",
});
var image_store_acl = new Gcp.Storage.BucketACL("image-store-acl", new()
{
Bucket = image_store.Name,
RoleEntities = new[]
{
"OWNER:user-my.email@gmail.com",
"READER:group-mygroup",
},
});
});package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := storage.NewBucket(ctx, "image-store", &storage.BucketArgs{
Name: pulumi.String("image-store-bucket"),
Location: pulumi.String("EU"),
})
if err != nil {
return err
}
_, err = storage.NewBucketACL(ctx, "image-store-acl", &storage.BucketACLArgs{
Bucket: image_store.Name,
RoleEntities: pulumi.StringArray{
pulumi.String("OWNER:user-my.email@gmail.com"),
pulumi.String("READER:group-mygroup"),
},
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.storage.Bucket;
import com.pulumi.gcp.storage.BucketArgs;
import com.pulumi.gcp.storage.BucketACL;
import com.pulumi.gcp.storage.BucketACLArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var image_store = new Bucket("image-store", BucketArgs.builder()
.name("image-store-bucket")
.location("EU")
.build());
var image_store_acl = new BucketACL("image-store-acl", BucketACLArgs.builder()
.bucket(image_store.name())
.roleEntities(
"OWNER:user-my.email@gmail.com",
"READER:group-mygroup")
.build());
}
}resources:
image-store:
type: gcp:storage:Bucket
properties:
name: image-store-bucket
location: EU
image-store-acl:
type: gcp:storage:BucketACL
properties:
bucket: ${["image-store"].name}
roleEntities:
- OWNER:user-my.email@gmail.com
- READER:group-mygroupImport
This resource does not support import.
Properties
Configure this ACL to be the default ACL.
The canned GCS ACL to apply. Must be set if role_entity is not.
List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.