GCP account: How do you configure public access in GCP Cloud Storage? A beginner's tutorial on GCS static website hosting and permission control
Many people are confused by a pile of jargon such as "IAM, ACL, uniform access, fine-grained" when they first encounter Cloud Storage (GCS) on Google Cloud (GCP). They only wanted to make a few images or static web pages public, but either spend half a day getting AccessDenied errors or worry that they have accidentally exposed sensitive data to the public.
As a veteran who has fallen into countless pitfalls, I will not recite concepts at you today. In the plainest, most down-to-earth language, I will take you through two things:
First, configure public access to a GCS bucket; second, host a purely static website (HTML/CSS/JS) on GCS.
Pull up a chair. We will go straight to the practical material and steer clear of the pitfalls!
Part I: Preparation (Two "Key Choices" When Creating a Bucket)
In the GCP console, search for Cloud Storage and click Create. Several options will appear at this point, and this is where beginners are most likely to plant hidden problems.
1. Bucket name: must be globally unique
If you only use the bucket to store images, audio and video, name it whatever you like (for example my-unique-assets-2026).
If you want to host a static website and use your own domain name (such as www.example.com), then your bucket name must be exactly the same as your domain name! That is, the bucket must be called www.example.com.
2. Access control: select "Uniform"
At the penultimate step of creation, GCP asks which access control model you want:
Uniform (highly recommended!): The permissions of all files in a bucket are managed at the bucket level. If you want public, everything is public; if you want private, everything is private.
Fine-grained: Individual files in the same bucket can be set public while others are set private (through ACLs).
⚠ Experience: Unless you have a very special business scenario, always choose "Uniform". Fine-grained control makes data leaks extremely easy: an employee's mistake can individually expose customer information that should never have been disclosed.
Part II: Step-by-step configuration of "public access" (downloadable by everyone)
By default, newly created buckets are strictly private for security reasons. To make the files in the bucket accessible to everyone via URL, we need to do two things: lift the public access prevention, and grant public read permission.
Step 1: Turn off the "Block Public Access" switch
Go to the bucket you just created and click the "Configuration" tab at the top.
Find the entry "Prevent public access". You will see that it is turned on (this is GCP's protection mechanism).
Click Edit, uncheck it, and save. Note: At this point the bucket is still private; you have only made it eligible to be made public.
Step 2: Add public read permission for the whole Internet
Switch to the Permissions tab and click "Grant Access".
In the New principals input box, manually enter: allUsers (Note: allUsers is a built-in GCP identifier that represents anyone on the Internet, with no login required).
In Select a role, search for and select: Storage Object Viewer. (Remember: Do not choose Storage Admin or Storage Object Creator, otherwise other people can delete your files or plant malware in your bucket!)
Click Save. The system will pop up a warning that "this will be accessible to everyone on the Internet"; go ahead and confirm.
🧪 To verify:
Now upload an image (such as logo.png). In the file list, you will see a public link icon next to the file.
Copy that URL (the format is usually https://storage.) and open it in the browser's "Incognito Mode". If the image displays normally, congratulations, public access is configured successfully!
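The choices made in Parts I and II (uniform access, the public access prevention switch, and the role given to allUsers) can be checked together. The audit below is an added example, not part of the original tutorial; it assumes the bucket resource and IAM policy are supplied as JSON in the Cloud Storage JSON API shape, and every sample value in it is constructed.

```python
# Added example: audit a bucket for the settings this tutorial walks through.
# Field names follow the Cloud Storage JSON API (buckets.get, buckets.getIamPolicy).
PUBLIC = {"allUsers", "allAuthenticatedUsers"}
# Roles that only allow reading objects. objectViewer also allows listing them.
READ_ONLY = {"roles/storage.objectViewer", "roles/storage.legacyObjectReader"}


def audit_bucket(bucket, policy):
    """Return a list of (severity, message) findings for one bucket."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append(("HIGH", "fine-grained ACLs in use: single objects "
                         "can be made public outside the bucket policy"))
    pap = iam_cfg.get("publicAccessPrevention", "inherited")
    for binding in policy.get("bindings", []):
        exposed = sorted(PUBLIC & set(binding.get("members", [])))
        if not exposed:
            continue
        role = binding["role"]
        if pap == "enforced":
            findings.append(("INFO", f"{role} for {exposed} has no effect: "
                             "public access prevention is enforced"))
        elif role in READ_ONLY:
            findings.append(("INFO", f"bucket is publicly readable via {role}"))
        else:
            findings.append(("CRITICAL", f"{role} granted to {exposed}: "
                             "anonymous users can write or administer"))
    return findings


# Constructed sample data, not output from a real project.
GOOD_BUCKET = {"name": "my-unique-assets-2026", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": True},
    "publicAccessPrevention": "inherited"}}
GOOD_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}
BAD_BUCKET = {"name": "my-unique-assets-2026", "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": False},
    "publicAccessPrevention": "inherited"}}
BAD_POLICY = {"bindings": [
    {"role": "roles/storage.objectCreator", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]}]}

if __name__ == "__main__":
    for sev, msg in audit_bucket(GOOD_BUCKET, GOOD_POLICY) + \
            audit_bucket(BAD_BUCKET, BAD_POLICY):
        print(f"[{sev}] {msg}")
```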
Part III: Advanced practice: GCS static website hosting
If you have a set of front-end build output as static web pages (including index.html and 404.html), you do not need to buy a server and install Nginx at all; GCS can host it perfectly well.
1. Upload your web files
Take your index.html, 404.html and the css/ and js/ folders, and drag and upload them all to the root of the bucket that already has the allUsers public permission configured.
2. Configure the bucket's website-specific properties
After uploading, if you access the URL directly, you will find that it only shows a list of files, or that files can only be downloaded one at a time, and nothing renders like a website. We also need to tell GCS which page is the home page.
Return to the bucket list page.
Find your bucket, click the three dots on the far right (more actions), and select "Edit website configuration".
In the pop-up window, set:
Home page (Index page suffix): fill in index.html
Error page (Error page): fill in 404.html (optional, but recommended)
Click Save.
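Because everything dragged into this bucket becomes readable by allUsers, it is worth checking the site folder before the upload. The script below is an added example, not part of the original tutorial: it confirms that the index.html and 404.html named in the website configuration exist at the root and flags files that should not be published. The deny-list and the sample site are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed deny-list for this example; extend it for your own project.
SENSITIVE_NAMES = {".env", ".git", ".npmrc", "id_rsa", ".htpasswd"}
SENSITIVE_SUFFIXES = (".pem", ".key", ".sql", ".bak", ".map")


def check_site(root, index_page="index.html", error_page="404.html"):
    """Return problems found in a site directory before a public upload."""
    problems = []
    for page in (index_page, error_page):
        if not os.path.isfile(os.path.join(root, page)):
            problems.append(f"missing {page} at the bucket root")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES):
                problems.append(f"would become public: {rel}")
        # Do not descend into directories that are already flagged.
        dirnames[:] = [d for d in dirnames if d not in SENSITIVE_NAMES]
    return problems


def build_sample_site(root):
    """Constructed sample: a front-end build with two stray files."""
    for rel in ("index.html", "css/site.css", "js/app.js", "js/app.js.map",
                ".env"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return check_site(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```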
How do you access your static website?
After the configuration is complete, the official access URL format for your static website is:
https://storage.googleapis.com/[your-bucket-name]/index.html
If your bucket name happens to be your domain name (e.g. www.mywebsite.com), you can also pair it with GCP's Cloud CDN or a load balancer (Load Balancer), or even use Cloudflare for CNAME resolution, and open this static website directly under your own domain name!
