Google Cloud (GCP) Classic

v6.44.0 published on Tuesday, Nov 29, 2022 by Pulumi

BucketACL

Authoritatively manages a bucket’s ACLs in Google cloud storage service (GCS). For more information see the official documentation and API.

Bucket ACLs can be managed non authoritatively using the storage_bucket_access_control resource. Do not use these two resources in conjunction to manage the same bucket.

Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.

NOTE This resource will not remove the project-owners-<project_id> entity from the OWNER role.

Example Usage

Example creating an ACL on a bucket with one owner, and one reader.

using System.Collections.Generic;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var image_store = new Gcp.Storage.Bucket("image-store", new()
    {
        Location = "EU",
    });

    var image_store_acl = new Gcp.Storage.BucketACL("image-store-acl", new()
    {
        Bucket = image_store.Name,
        RoleEntities = new[]
        {
            "OWNER:user-my.email@gmail.com",
            "READER:group-mygroup",
        },
    });

});
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/storage"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := storage.NewBucket(ctx, "image-store", &storage.BucketArgs{
			Location: pulumi.String("EU"),
		})
		if err != nil {
			return err
		}
		_, err = storage.NewBucketACL(ctx, "image-store-acl", &storage.BucketACLArgs{
			Bucket: image_store.Name,
			RoleEntities: pulumi.StringArray{
				pulumi.String("OWNER:user-my.email@gmail.com"),
				pulumi.String("READER:group-mygroup"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.storage.Bucket;
import com.pulumi.gcp.storage.BucketArgs;
import com.pulumi.gcp.storage.BucketACL;
import com.pulumi.gcp.storage.BucketACLArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var image_store = new Bucket("image-store", BucketArgs.builder()        
            .location("EU")
            .build());

        var image_store_acl = new BucketACL("image-store-acl", BucketACLArgs.builder()        
            .bucket(image_store.name())
            .roleEntities(            
                "OWNER:user-my.email@gmail.com",
                "READER:group-mygroup")
            .build());

    }
}
import pulumi
import pulumi_gcp as gcp

image_store = gcp.storage.Bucket("image-store", location="EU")
image_store_acl = gcp.storage.BucketACL("image-store-acl",
    bucket=image_store.name,
    role_entities=[
        "OWNER:user-my.email@gmail.com",
        "READER:group-mygroup",
    ])
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const image_store = new gcp.storage.Bucket("image-store", {location: "EU"});
const image_store_acl = new gcp.storage.BucketACL("image-store-acl", {
    bucket: image_store.name,
    roleEntities: [
        "OWNER:user-my.email@gmail.com",
        "READER:group-mygroup",
    ],
});
resources:
  image-store:
    type: gcp:storage:Bucket
    properties:
      location: EU
  image-store-acl:
    type: gcp:storage:BucketACL
    properties:
      bucket: ${["image-store"].name}
      roleEntities:
        - OWNER:user-my.email@gmail.com
        - READER:group-mygroup

Create BucketACL Resource

new BucketACL(name: string, args: BucketACLArgs, opts?: CustomResourceOptions);
@overload
def BucketACL(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              bucket: Optional[str] = None,
              default_acl: Optional[str] = None,
              predefined_acl: Optional[str] = None,
              role_entities: Optional[Sequence[str]] = None)
@overload
def BucketACL(resource_name: str,
              args: BucketACLArgs,
              opts: Optional[ResourceOptions] = None)
func NewBucketACL(ctx *Context, name string, args BucketACLArgs, opts ...ResourceOption) (*BucketACL, error)
public BucketACL(string name, BucketACLArgs args, CustomResourceOptions? opts = null)
public BucketACL(String name, BucketACLArgs args)
public BucketACL(String name, BucketACLArgs args, CustomResourceOptions options)
type: gcp:storage:BucketACL
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args BucketACLArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args BucketACLArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args BucketACLArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args BucketACLArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args BucketACLArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

BucketACL Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The BucketACL resource accepts the following input properties:

Bucket string

The name of the bucket it applies to.

DefaultAcl string

Configure this ACL to be the default ACL.

PredefinedAcl string

The canned GCS ACL to apply. Must be set if role_entity is not.

RoleEntities List<string>

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

Bucket string

The name of the bucket it applies to.

DefaultAcl string

Configure this ACL to be the default ACL.

PredefinedAcl string

The canned GCS ACL to apply. Must be set if role_entity is not.

RoleEntities []string

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket String

The name of the bucket it applies to.

defaultAcl String

Configure this ACL to be the default ACL.

predefinedAcl String

The canned GCS ACL to apply. Must be set if role_entity is not.

roleEntities List<String>

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket string

The name of the bucket it applies to.

defaultAcl string

Configure this ACL to be the default ACL.

predefinedAcl string

The canned GCS ACL to apply. Must be set if role_entity is not.

roleEntities string[]

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket str

The name of the bucket it applies to.

default_acl str

Configure this ACL to be the default ACL.

predefined_acl str

The canned GCS ACL to apply. Must be set if role_entity is not.

role_entities Sequence[str]

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket String

The name of the bucket it applies to.

defaultAcl String

Configure this ACL to be the default ACL.

predefinedAcl String

The canned GCS ACL to apply. Must be set if role_entity is not.

roleEntities List<String>

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

Outputs

All input properties are implicitly available as output properties. Additionally, the BucketACL resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing BucketACL Resource

Get an existing BucketACL resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: BucketACLState, opts?: CustomResourceOptions): BucketACL
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        bucket: Optional[str] = None,
        default_acl: Optional[str] = None,
        predefined_acl: Optional[str] = None,
        role_entities: Optional[Sequence[str]] = None) -> BucketACL
func GetBucketACL(ctx *Context, name string, id IDInput, state *BucketACLState, opts ...ResourceOption) (*BucketACL, error)
public static BucketACL Get(string name, Input<string> id, BucketACLState? state, CustomResourceOptions? opts = null)
public static BucketACL get(String name, Output<String> id, BucketACLState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Bucket string

The name of the bucket it applies to.

DefaultAcl string

Configure this ACL to be the default ACL.

PredefinedAcl string

The canned GCS ACL to apply. Must be set if role_entity is not.

RoleEntities List<string>

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

Bucket string

The name of the bucket it applies to.

DefaultAcl string

Configure this ACL to be the default ACL.

PredefinedAcl string

The canned GCS ACL to apply. Must be set if role_entity is not.

RoleEntities []string

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket String

The name of the bucket it applies to.

defaultAcl String

Configure this ACL to be the default ACL.

predefinedAcl String

The canned GCS ACL to apply. Must be set if role_entity is not.

roleEntities List<String>

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket string

The name of the bucket it applies to.

defaultAcl string

Configure this ACL to be the default ACL.

predefinedAcl string

The canned GCS ACL to apply. Must be set if role_entity is not.

roleEntities string[]

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket str

The name of the bucket it applies to.

default_acl str

Configure this ACL to be the default ACL.

predefined_acl str

The canned GCS ACL to apply. Must be set if role_entity is not.

role_entities Sequence[str]

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

bucket String

The name of the bucket it applies to.

defaultAcl String

Configure this ACL to be the default ACL.

predefinedAcl String

The canned GCS ACL to apply. Must be set if role_entity is not.

roleEntities List<String>

List of role/entity pairs in the form ROLE:entity. See GCS Bucket ACL documentation for more details. Must be set if predefined_acl is not.

Import

This resource does not support import.

Package Details

Repository
https://github.com/pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.