gcp.storage.ObjectAccessControl
The ObjectAccessControls resources represent the Access Control Lists (ACLs) for objects within Google Cloud Storage. ACLs let you specify who has access to your data and to what extent.
There are two roles that can be assigned to an entity:
READERs can get an object, though the acl property will not be revealed. OWNERs are READERs, and they can get the acl property, update an object, and call all objectAccessControls methods on the object. The owner of an object is always an OWNER. For more information, see Access Control, with the caveat that this API uses READER and OWNER instead of READ and FULL_CONTROL.
To get more information about ObjectAccessControl, see:
- API documentation
- How-to Guides
Example Usage
Storage Object Access Control Public Object
using System.Collections.Generic;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var bucket = new Gcp.Storage.Bucket("bucket", new()
{
Location = "US",
});
var @object = new Gcp.Storage.BucketObject("object", new()
{
Bucket = bucket.Name,
Source = new FileAsset("../static/img/header-logo.png"),
});
var publicRule = new Gcp.Storage.ObjectAccessControl("publicRule", new()
{
Object = @object.OutputName,
Bucket = bucket.Name,
Role = "READER",
Entity = "allUsers",
});
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
bucket, err := storage.NewBucket(ctx, "bucket", &storage.BucketArgs{
Location: pulumi.String("US"),
})
if err != nil {
return err
}
object, err := storage.NewBucketObject(ctx, "object", &storage.BucketObjectArgs{
Bucket: bucket.Name,
Source: pulumi.NewFileAsset("../static/img/header-logo.png"),
})
if err != nil {
return err
}
_, err = storage.NewObjectAccessControl(ctx, "publicRule", &storage.ObjectAccessControlArgs{
Object: object.OutputName,
Bucket: bucket.Name,
Role: pulumi.String("READER"),
Entity: pulumi.String("allUsers"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.storage.Bucket;
import com.pulumi.gcp.storage.BucketArgs;
import com.pulumi.gcp.storage.BucketObject;
import com.pulumi.gcp.storage.BucketObjectArgs;
import com.pulumi.gcp.storage.ObjectAccessControl;
import com.pulumi.gcp.storage.ObjectAccessControlArgs;
import com.pulumi.asset.FileAsset;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var bucket = new Bucket("bucket", BucketArgs.builder()
.location("US")
.build());
var object = new BucketObject("object", BucketObjectArgs.builder()
.bucket(bucket.name())
.source(new FileAsset("../static/img/header-logo.png"))
.build());
var publicRule = new ObjectAccessControl("publicRule", ObjectAccessControlArgs.builder()
.object(object.outputName())
.bucket(bucket.name())
.role("READER")
.entity("allUsers")
.build());
}
}
import pulumi
import pulumi_gcp as gcp
bucket = gcp.storage.Bucket("bucket", location="US")
object = gcp.storage.BucketObject("object",
bucket=bucket.name,
source=pulumi.FileAsset("../static/img/header-logo.png"))
public_rule = gcp.storage.ObjectAccessControl("publicRule",
object=object.output_name,
bucket=bucket.name,
role="READER",
entity="allUsers")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const bucket = new gcp.storage.Bucket("bucket", {location: "US"});
const object = new gcp.storage.BucketObject("object", {
bucket: bucket.name,
source: new pulumi.asset.FileAsset("../static/img/header-logo.png"),
});
const publicRule = new gcp.storage.ObjectAccessControl("publicRule", {
object: object.outputName,
bucket: bucket.name,
role: "READER",
entity: "allUsers",
});
resources:
publicRule:
type: gcp:storage:ObjectAccessControl
properties:
object: ${object.outputName}
bucket: ${bucket.name}
role: READER
entity: allUsers
bucket:
type: gcp:storage:Bucket
properties:
location: US
object:
type: gcp:storage:BucketObject
properties:
bucket: ${bucket.name}
source:
fn::FileAsset: ../static/img/header-logo.png
Create ObjectAccessControl Resource
new ObjectAccessControl(name: string, args: ObjectAccessControlArgs, opts?: CustomResourceOptions);@overload
def ObjectAccessControl(resource_name: str,
opts: Optional[ResourceOptions] = None,
bucket: Optional[str] = None,
entity: Optional[str] = None,
object: Optional[str] = None,
role: Optional[str] = None)
@overload
def ObjectAccessControl(resource_name: str,
args: ObjectAccessControlArgs,
opts: Optional[ResourceOptions] = None)func NewObjectAccessControl(ctx *Context, name string, args ObjectAccessControlArgs, opts ...ResourceOption) (*ObjectAccessControl, error)public ObjectAccessControl(string name, ObjectAccessControlArgs args, CustomResourceOptions? opts = null)
public ObjectAccessControl(String name, ObjectAccessControlArgs args)
public ObjectAccessControl(String name, ObjectAccessControlArgs args, CustomResourceOptions options)
type: gcp:storage:ObjectAccessControl
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ObjectAccessControlArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ObjectAccessControlArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ObjectAccessControlArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ObjectAccessControlArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ObjectAccessControlArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
ObjectAccessControl Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ObjectAccessControl resource accepts the following input properties:
- Bucket string
The name of the bucket.
- Entity string
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- Object string
The name of the object to apply the access control to.
- Role string
The access permission for the entity. Possible values are
OWNERandREADER.
- Bucket string
The name of the bucket.
- Entity string
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- Object string
The name of the object to apply the access control to.
- Role string
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket String
The name of the bucket.
- entity String
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- object String
The name of the object to apply the access control to.
- role String
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket string
The name of the bucket.
- entity string
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- object string
The name of the object to apply the access control to.
- role string
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket str
The name of the bucket.
- entity str
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- object str
The name of the object to apply the access control to.
- role str
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket String
The name of the bucket.
- entity String
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- object String
The name of the object to apply the access control to.
- role String
The access permission for the entity. Possible values are
OWNERandREADER.
Outputs
All input properties are implicitly available as output properties. Additionally, the ObjectAccessControl resource produces the following output properties:
- Domain string
The domain associated with the entity.
- Email string
The email address associated with the entity.
- Entity
Id string The ID for the entity
- Generation int
The content generation of the object, if applied to an object.
- Id string
The provider-assigned unique ID for this managed resource.
- Project
Teams List<ObjectAccess Control Project Team> The project team associated with the entity Structure is documented below.
- Domain string
The domain associated with the entity.
- Email string
The email address associated with the entity.
- Entity
Id string The ID for the entity
- Generation int
The content generation of the object, if applied to an object.
- Id string
The provider-assigned unique ID for this managed resource.
- Project
Teams []ObjectAccess Control Project Team The project team associated with the entity Structure is documented below.
- domain String
The domain associated with the entity.
- email String
The email address associated with the entity.
- entity
Id String The ID for the entity
- generation Integer
The content generation of the object, if applied to an object.
- id String
The provider-assigned unique ID for this managed resource.
- project
Teams List<ObjectAccess Control Project Team> The project team associated with the entity Structure is documented below.
- domain string
The domain associated with the entity.
- email string
The email address associated with the entity.
- entity
Id string The ID for the entity
- generation number
The content generation of the object, if applied to an object.
- id string
The provider-assigned unique ID for this managed resource.
- project
Teams ObjectAccess Control Project Team[] The project team associated with the entity Structure is documented below.
- domain str
The domain associated with the entity.
- email str
The email address associated with the entity.
- entity_
id str The ID for the entity
- generation int
The content generation of the object, if applied to an object.
- id str
The provider-assigned unique ID for this managed resource.
- project_
teams Sequence[ObjectAccess Control Project Team] The project team associated with the entity Structure is documented below.
- domain String
The domain associated with the entity.
- email String
The email address associated with the entity.
- entity
Id String The ID for the entity
- generation Number
The content generation of the object, if applied to an object.
- id String
The provider-assigned unique ID for this managed resource.
- project
Teams List<Property Map> The project team associated with the entity Structure is documented below.
Look up Existing ObjectAccessControl Resource
Get an existing ObjectAccessControl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ObjectAccessControlState, opts?: CustomResourceOptions): ObjectAccessControl@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
bucket: Optional[str] = None,
domain: Optional[str] = None,
email: Optional[str] = None,
entity: Optional[str] = None,
entity_id: Optional[str] = None,
generation: Optional[int] = None,
object: Optional[str] = None,
project_teams: Optional[Sequence[ObjectAccessControlProjectTeamArgs]] = None,
role: Optional[str] = None) -> ObjectAccessControlfunc GetObjectAccessControl(ctx *Context, name string, id IDInput, state *ObjectAccessControlState, opts ...ResourceOption) (*ObjectAccessControl, error)public static ObjectAccessControl Get(string name, Input<string> id, ObjectAccessControlState? state, CustomResourceOptions? opts = null)public static ObjectAccessControl get(String name, Output<String> id, ObjectAccessControlState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Bucket string
The name of the bucket.
- Domain string
The domain associated with the entity.
- Email string
The email address associated with the entity.
- Entity string
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- Entity
Id string The ID for the entity
- Generation int
The content generation of the object, if applied to an object.
- Object string
The name of the object to apply the access control to.
- Project
Teams List<ObjectAccess Control Project Team Args> The project team associated with the entity Structure is documented below.
- Role string
The access permission for the entity. Possible values are
OWNERandREADER.
- Bucket string
The name of the bucket.
- Domain string
The domain associated with the entity.
- Email string
The email address associated with the entity.
- Entity string
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- Entity
Id string The ID for the entity
- Generation int
The content generation of the object, if applied to an object.
- Object string
The name of the object to apply the access control to.
- Project
Teams []ObjectAccess Control Project Team Args The project team associated with the entity Structure is documented below.
- Role string
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket String
The name of the bucket.
- domain String
The domain associated with the entity.
- email String
The email address associated with the entity.
- entity String
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- entity
Id String The ID for the entity
- generation Integer
The content generation of the object, if applied to an object.
- object String
The name of the object to apply the access control to.
- project
Teams List<ObjectAccess Control Project Team Args> The project team associated with the entity Structure is documented below.
- role String
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket string
The name of the bucket.
- domain string
The domain associated with the entity.
- email string
The email address associated with the entity.
- entity string
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- entity
Id string The ID for the entity
- generation number
The content generation of the object, if applied to an object.
- object string
The name of the object to apply the access control to.
- project
Teams ObjectAccess Control Project Team Args[] The project team associated with the entity Structure is documented below.
- role string
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket str
The name of the bucket.
- domain str
The domain associated with the entity.
- email str
The email address associated with the entity.
- entity str
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- entity_
id str The ID for the entity
- generation int
The content generation of the object, if applied to an object.
- object str
The name of the object to apply the access control to.
- project_
teams Sequence[ObjectAccess Control Project Team Args] The project team associated with the entity Structure is documented below.
- role str
The access permission for the entity. Possible values are
OWNERandREADER.
- bucket String
The name of the bucket.
- domain String
The domain associated with the entity.
- email String
The email address associated with the entity.
- entity String
The entity holding the permission, in one of the following forms:
- user-{{userId}}
- user-{{email}} (such as "user-liz@example.com")
- group-{{groupId}}
- group-{{email}} (such as "group-example@googlegroups.com")
- domain-{{domain}} (such as "domain-example.com")
- project-team-{{projectId}}
- allUsers
- allAuthenticatedUsers
- entity
Id String The ID for the entity
- generation Number
The content generation of the object, if applied to an object.
- object String
The name of the object to apply the access control to.
- project
Teams List<Property Map> The project team associated with the entity Structure is documented below.
- role String
The access permission for the entity. Possible values are
OWNERandREADER.
Supporting Types
ObjectAccessControlProjectTeam
- Project
Number string The project team associated with the entity
- Team string
The team. Possible values are
editors,owners, andviewers.
- Project
Number string The project team associated with the entity
- Team string
The team. Possible values are
editors,owners, andviewers.
- project
Number String The project team associated with the entity
- team String
The team. Possible values are
editors,owners, andviewers.
- project
Number string The project team associated with the entity
- team string
The team. Possible values are
editors,owners, andviewers.
- project_
number str The project team associated with the entity
- team str
The team. Possible values are
editors,owners, andviewers.
- project
Number String The project team associated with the entity
- team String
The team. Possible values are
editors,owners, andviewers.
Import
ObjectAccessControl can be imported using any of these accepted formats
$ pulumi import gcp:storage/objectAccessControl:ObjectAccessControl default {{bucket}}/{{object}}/{{entity}}
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
google-betaTerraform Provider.