Create a bucket with IP filtering rules

This page describes how to create a bucket with IP filtering rules. By creating a bucket with IP filtering, you can control access to your buckets by examining incoming requests against the IP addresses specified in the bucket IP filtering rules. For details, see Bucket IP filtering.

For information about how to create or update the IP filtering rules on an existing bucket, see Update bucket IP filtering rules.

Required roles

To get the required permissions for creating a bucket with IP filtering rules, ask your administrator to grant you the Storage Admin (roles/storage.admin) role on the bucket. This role contains the permissions required to create a bucket with IP filtering rules.

To see the exact permissions that are required, expand the Required permissions section:

Required permissions

  • storage.buckets.create
  • storage.buckets.setIpFilter

You can also get these permissions with custom roles. You might be able to get these permissions with other predefined roles as well. To see which roles are associated with which permissions, refer to IAM roles for Cloud Storage.

For instructions on granting roles on buckets, see Set and manage IAM policies on buckets.

Create bucket with IP filtering rules

gcloud

  1. Verify that you have the Google Cloud CLI version 526.0.0 or later installed:

    gcloud version | head -n1
    
  2. If you have an earlier gcloud CLI version installed, update the version:

    gcloud components update --version=526.0.0
    
  3. Create a JSON file that defines the rules for incoming requests. For examples and information about how to structure the bucket IP filtering rules, see Bucket IP filtering configurations.

    {
      "mode":"MODE",
      "publicNetworkSource":{
          "allowedIpCidrRanges":[
            "RANGE_CIDR",
            "..."
          ]
      },
      "vpcNetworkSources":[
          {
            "network":"projects/PROJECT_ID/global/networks/NETWORK_NAME",
            "allowedIpCidrRanges":[
                "RANGE_CIDR",
                "..."
            ]
          },
          "..."
      ],
      "allowCrossOrgVpcs":ALLOW_CROSS_ORG_VPCS,
      "allowAllServiceAgentAccess": ALLOW_ALL_SERVICE_AGENT_ACCESS
    }

    Where:

    • MODE is the mode of the bucket IP filtering configuration. Valid values are Enabled and Disabled. When set to Enabled, IP filtering rules are applied to a bucket. Any incoming request to the bucket is evaluated against these rules. When set to Disabled, all incoming requests are allowed to access the bucket.

    • RANGE_CIDR is a public network IPv4 or IPv6 address range that's allowed to access the bucket. You can enter one or multiple address ranges as a list.

    • PROJECT_ID is the project ID where the Virtual Private Cloud (VPC) network exists. To configure multiple VPC networks, you need to specify the project where each network is located.

    • NETWORK_NAME is the name of the VPC network that is allowed to access the bucket. To configure multiple VPC networks, you need to specify a name for each network.

    • ALLOW_CROSS_ORG_VPCS is a boolean value that indicates whether to allow VPC networks that are defined in vpcNetworkSources to originate from a different organization. This field is optional. If set to true, the request allows cross-organizational VPC networks. If set to false, the request restricts the VPC networks to the same organization as the bucket. If not specified, the default value is false. This field applies only if vpcNetworkSources is not empty.

    • ALLOW_ALL_SERVICE_AGENT_ACCESS is a boolean value that indicates whether to allow service agents to access the bucket, regardless of the IP filter configuration. If the value is true, other Google Cloud services can use service agents to access the bucket without IP-based validation.

  4. To create a bucket with IP filtering rules, run the gcloud alpha storage buckets create command in your development environment:

    gcloud alpha storage buckets create gs://BUCKET_NAME --ip-filter-file=IP_FILTER_CONFIG_FILE

    Where:

    • BUCKET_NAME is the name you want to give your bucket, subject to naming requirements. For example, my-bucket.
    • IP_FILTER_CONFIG_FILE is the JSON file that defines the rules for incoming requests.

REST APIs

JSON API

  1. Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.

  2. Create a JSON file that contains the settings for the bucket, which must include the name and ipFilter configuration fields for the bucket. For examples and information about how to structure the bucket IP filtering rules, see Bucket IP filtering configurations.

    {
      "name": "BUCKET_NAME",
      "ipFilter": {
        "mode": "MODE",
        "publicNetworkSource":
          {
            "allowedIpCidrRanges":
              [RANGE_CIDR,
                ...
              ]
          },
        "vpcNetworkSources":
          [
            {"network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
            "allowedIpCidrRanges":
              [RANGE_CIDR,
              ...
              ]
            },
          ...
          ],
        "allowCrossOrgVpcs": ALLOW_CROSS_ORG_VPCS,
        "allowAllServiceAgentAccess": ALLOW_ALL_SERVICE_AGENT_ACCESS
        },
    }

    Where:

    • MODE is the state of the IP filter configuration. Valid values are Enabled and Disabled. When set to Enabled, IP filtering rules are applied to a bucket and all incoming requests to the bucket are evaluated against these rules. When set to Disabled, all incoming requests can access the bucket and its data without any evaluation if you have the required IAM permissions.

    • RANGE_CIDR is a public network IPv4 or IPv6 address range that's allowed to access the bucket. You can enter one or multiple address ranges as a list.

    • PROJECT_ID is the project ID where the VPC network exists. To configure multiple VPC networks, you need to specify the project where each network is located.

    • NETWORK_NAME is the name of the VPC network that is allowed to access the bucket. To configure multiple VPC networks, you need to specify a name for each network.

    • ALLOW_ALL_SERVICE_AGENT_ACCESS is a boolean value that indicates whether to allow service agents to access the bucket, regardless of the IP filter configuration. If the value is true, other Google Cloud services can use service agents to access the bucket without IP-based validation.

    • ALLOW_CROSS_ORG_VPCS is a boolean value that indicates whether to allow VPC networks that are defined in vpcNetworkSources to originate from a different organization. This field is optional. If set to true, the request allows cross-organizational VPC networks. If set to false, the request restricts the VPC networks to the same organization as the bucket. If not specified, the default value is false. This field applies only if vpcNetworkSources is not empty.

  3. Use cURL to call the JSON API with a POST bucket request:

    curl -X POST --data-binary @JSON_FILE_NAME \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json" \
     "https://storage.googleapis.com/storage/v1/b?project=PROJECT_IDENTIFIER"

    Where:

    • JSON_FILE_NAME is name of the JSON file that contains the settings for the bucket.
    • PROJECT_IDENTIFIER is the ID or number of the project with which your bucket is associated. For example, my-project.

Bucket IP filtering configurations

This section provides examples of bucket IP filtering JSON file configurations to control access to your Cloud Storage buckets. You can grant access to incoming requests using any of the following examples:

  • Any public IP address (IPv4 or IPv6):

    The following configuration grants access to any public IPv4 or IPv6 address, but blocks traffic originating from any VPC:

    gcloud

      {
        "mode": "Enabled",
        "publicNetworkSource":
        {
          "allowedIpCidrRanges": ["0.0.0.0/0", "::/0"]
        },
        "allowAllServiceAgentAccess": false
      }
      

    REST APIs

    JSON API

      {
      "ipFilter":
      {
        "mode": "Enabled",
        "publicNetworkSource":
        {
          "allowedIpCidrRanges": ["0.0.0.0/0", "::/0"]
        },
        "allowAllServiceAgentAccess": false
      }
      }
      
  • Specific public IP ranges:

    • The following example configuration grants access to 192.0.2.0/24 public IPv4 address range, but blocks traffic originating from any VPC:

      gcloud

          {
            "mode": "Enabled",
            "publicNetworkSource":
            {
              "allowedIpCidrRanges": ["192.0.2.0/24"]
            },
            "allowAllServiceAgentAccess": false
          }
        

      REST APIs

      JSON API

        {
        "ipFilter":
          {
            "mode": "Enabled",
            "publicNetworkSource":
            {
              "allowedIpCidrRanges": ["192.0.2.0/24"]
            },
            "allowAllServiceAgentAccess": false
          }
        }
    • The following example configuration grants access to 2001:db8::/32 public IPv6 address range, but blocks traffic originating from any VPC:

      gcloud

          {
            "mode": "Enabled",
            "publicNetworkSource":
            {
              "allowedIpCidrRanges": ["2001:db8::/32"]
            },
            "allowAllServiceAgentAccess": false
          }
        

      REST APIs

      JSON API

        {
          "ipFilter":
            {
              "mode": "Enabled",
              "publicNetworkSource":
              {
                "allowedIpCidrRanges": ["2001:db8::/32"]
              },
              "allowAllServiceAgentAccess": false
            }
        }
  • VPC networks: Using the following configurations, you can grant access to resources within your VPC network. You can grant access to all IP addresses within the VPC or specific IP ranges within the VPC. In each of these examples, PROJECT_ID is the project ID where the VPC network exists and NETWORK_NAME is the name of the VPC network that is allowed to access the bucket.

    • The following example configuration grants access to a request from any IPv4 or IPv6 address coming from a specific VPC and blocks traffic originating from a public IP address:

      gcloud

        {
          "mode": "Enabled",
          "vpcNetworkSources":
            [
              {
                "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
                "allowedIpCidrRanges": ["0.0.0.0/0", "::/0"]
              },
            ],
          "allowAllServiceAgentAccess": false
        }

      REST APIs

      JSON API

        {
          "ipFilter":
            {
              "mode": "Enabled",
              "vpcNetworkSources":
                [
                  {
                    "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
                    "allowedIpCidrRanges": ["0.0.0.0/0", "::/0"]
                  },
                ],
              "allowAllServiceAgentAccess": false
            }
        }
    • The following example configuration only grants access to a request from a VPC associated to a VM with an external IPv4 address as 192.0.2.0/24 and blocks traffic originating from a public IP address:

      gcloud

          {
            "mode": "Enabled",
            "vpcNetworkSources":
              [
                {
                  "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
                  "allowedIpCidrRanges": ["192.0.2.0/24"]
                },
              ],
            "allowAllServiceAgentAccess": false
          }
        

      REST APIs

      JSON API

        {
          "ipFilter":
          {
            "mode": "Enabled",
            "vpcNetworkSources":
              [
                {
                  "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
                  "allowedIpCidrRanges": ["192.0.2.0/24"]
                },
              ],
            "allowAllServiceAgentAccess": false
          }
        }
    • The following example configuration only grants access to a request coming from a VPC with an internal IPv4 subnet range associated to a VM with no external IP address and blocks traffic originating from a public IP address:

      gcloud

          {
            "mode": "Enabled",
            "vpcNetworkSources":
              [
                {
                  "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
                  "allowedIpCidrRanges": ["IP_ADDRESS"]
                },
              ],
            "allowAllServiceAgentAccess": false
          }
          

      Where:

      IP_ADDRESS is an internal IPv4 subnet range.

      REST APIs

      JSON API

        {
        "ipFilter":
          {
            "mode": "Enabled",
            "vpcNetworkSources":
              [
                {
                "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
                "allowedIpCidrRanges": ["IP_ADDRESS"]
                },
              ],
            "allowAllServiceAgentAccess": false
          }
        }
        

      Where:

      IP_ADDRESS is an internal IPv4 subnet range.

    • The following example configuration only grants access to a request coming from a VPC with dual-stack IPv4 and IPv6 subnet range associated to a VM with an external IPv6 address range as 2001:db8::/32 and blocks traffic originating from a public IP address:

      gcloud

        {
          "mode": "Enabled",
          "vpcNetworkSources":
          [
            {
              "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
              "allowedIpCidrRanges": ["2001:db8::/32"]
            },
          ],
          "allowAllServiceAgentAccess": false
          }
        

      REST APIs

      JSON API

        {
        "ipFilter":
          {
            "mode": "Enabled",
            "vpcNetworkSources":
              [
                {
                  "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
                  "allowedIpCidrRanges": ["2001:db8::/32"]
                },
              ],
            "allowAllServiceAgentAccess": false
            }
        }

What's next

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how Cloud Storage performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Try Cloud Storage free