defacl - Get, set, or change default ACL on buckets
Synopsis
gsutil defacl set (<file-path>|<predefined-acl>) gs://<bucket_name>...
gsutil defacl get gs://<bucket_name>
gsutil defacl ch [-f] -u|-g|-d|-p <grant>... gs://<bucket_name>...
Description
The defacl command has three sub-commands:
Set
The "defacl set" command sets default object ACLs for the specified
buckets. If you specify a default object ACL for a certain bucket, Cloud Storage
applies the default object ACL to all new objects uploaded to that
bucket, unless an ACL for that object is separately specified during upload.
Similar to the "acl set" command, the "defacl set" command specifies either
a predefined ACL or the path to a file that contains ACL text. See
"gsutil help acl" for examples of editing and setting ACLs via the acl command.
See Predefined ACLs for a list of predefined ACLs.
Setting a default object ACL on a bucket provides a convenient way to ensure
newly uploaded objects have a specific ACL. If you don't set the bucket's
default object ACL, it will default to project-private. If you then upload
objects that need a different ACL, you will need to perform a separate ACL
update operation for each object. Depending on how many objects require
updates, this could be very time-consuming.
Get
Gets the default ACL text for a bucket, which you can save and edit
for use with the "defacl set" command.
Ch
The "defacl ch" (or "defacl change") command updates the default object
access control list for a bucket. The syntax is shared with the "acl ch"
command, so see the "CH" section of "gsutil help acl" for the full help
description.
Ch Examples
Grant anyone on the internet READ access by default to any object created
in the bucket example-bucket:
gsutil defacl ch -u AllUsers:R gs://example-bucket
Add the user john.doe@example.com to the default object ACL on bucket
example-bucket with READ access:
gsutil defacl ch -u john.doe@example.com:READ gs://example-bucket
Add the group admins@example.com to the default object ACL on bucket
example-bucket with OWNER access:
gsutil defacl ch -g admins@example.com:O gs://example-bucket
Remove the group admins@example.com from the default object ACL on bucket
example-bucket:
gsutil defacl ch -d admins@example.com gs://example-bucket
Add the owners of project example-project-123 to the default object ACL on
bucket example-bucket with READ access:
gsutil defacl ch -p owners-example-project-123:R gs://example-bucket
Ch Options
The "ch" sub-command has the following options:
- -d: Remove all roles associated with the matching entity.
- -f: Normally gsutil stops at the first error. The -f option causes
  it to continue when it encounters errors. With this option the
  gsutil exit status will be 0 even if some ACLs couldn't be
  changed.
- -g: Add or modify a group entity's role.
- -p: Add or modify a project viewers/editors/owners role.
- -u: Add or modify a user entity's role.
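Because a default object ACL applies to every new object, and "defacl ch -f" exits 0 even when a change failed, it is worth reading the result back with "defacl get" and checking it. The following is an added example, not part of the gsutil documentation: it assumes the ACL text is a JSON list of entries with "entity" and "role" fields, and the function names, the allow-list parameter and the sample ACL are hypothetical.

```python
import json

# Entities that expose every newly uploaded object beyond named principals.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of `gsutil defacl get gs://example-bucket` output (assumed shape).
SAMPLE_ACL = """
[
  {"entity": "project-owners-123456789012", "role": "OWNER",
   "projectTeam": {"projectNumber": "123456789012", "team": "owners"}},
  {"entity": "group-admins@example.com", "email": "admins@example.com", "role": "OWNER"},
  {"entity": "user-john.doe@example.com", "email": "john.doe@example.com", "role": "READER"},
  {"entity": "allUsers", "role": "READER"}
]
"""


def audit_default_acl(acl_text, allowed_owners=()):
    """Return (severity, entity, role, reason) tuples for risky default grants.

    allowed_owners is a hypothetical allow-list of entities that may hold OWNER.
    """
    findings = []
    for entry in json.loads(acl_text):
        entity = entry.get("entity", "")
        role = entry.get("role", "")
        if entity in PUBLIC_ENTITIES:
            findings.append(("HIGH", entity, role, "new objects are public by default"))
        elif entity.startswith("domain-"):
            findings.append(("MEDIUM", entity, role, "whole domain is granted access"))
        elif role == "OWNER" and entity not in allowed_owners:
            findings.append(("MEDIUM", entity, role, "OWNER outside the allow-list"))
    return findings


def grant_present(acl_text, entity, role):
    """Check that a grant really exists; do not rely on the exit status after -f."""
    return any(
        e.get("entity") == entity and e.get("role") == role
        for e in json.loads(acl_text)
    )


if __name__ == "__main__":
    for finding in audit_default_acl(SAMPLE_ACL, ("project-owners-123456789012",)):
        print(*finding, sep=" | ")
```

In practice the text passed to these functions would be the saved output of "gsutil defacl get" for each bucket under review.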