Google Cloud Storage Client Library - set acl to both "public-read" and "bucket-owner-full-control"

Question

For appengine created files in google cloud storage, the bucket owner doesn't have full control permission.

I cannot set the acl this way: ( to have both public read and owner full control )

GcsFileOptions options = new GcsFileOptions.Builder().acl("bucket-owner-full-control;public-read").build();

What is the solution here?

Answer 1

Unfortunately you can't use multiple canned ACLs at once. There is no canned ACL that means "give the bucket owner full control of the object and also make it publicly readable." Also unfortunately, I don't believe GcsFileOptions provides an easy way to specify custom ACLs (although I might've missed it, anybody who knows of one should feel free to edit this).

One possibility would be to change the default ACL for new objects in your bucket and then not to set ACLs explicitly at all. You can add a default read permission for anonymous users pretty easily with gsutil:

$> gsutil defacl ch -g AllUsers:R gs://mybucket

(Note: there's a similar command, gsutil acl, that controls a bucket or object ACL and not the default ACL for newly created objects in a bucket. It's easy to confuse the two)

N.B. This will affect all objects created in this bucket that don't specify an ACL, which may not be appropriate if you're also creating other objects in this bucket for other purposes and are relying on a specific default ACL.