Google Cloud Storage: deny access to a single file by fine-grained ACL rules

[Vi]

Supposing I have:

• a Google Cloud Storage bucket bucketxyz;
  
• two users groups: group1 and group2;
  
• a third group allusers that includes all the users among group1 and group2;
  
• an IAM policy for bucketxyz that grants read only access to allusers and read/write (but no ownership, to avoid files deletion) to group1.
  

Now, consider two files for bucketxyz: file_shared.txt and file_resticted.txt and these two scenarios:

1. file_shared.txt can be written by someone in group1 but also accessible by users in group2 - Done just by using the IAM policy above.
2. file_restricted.txt can be written and accessible ONLY by users in group1.

Is it possible to implement the scenario #2 by using dedicated ACL rule for file_restricted.txtin bucketxyz? If yes, how?

[Katayoon (Cloud Platform Support)]

Yes, you can control access to buckets and objects using Access Control Lists (ACLs). Here you may find how to set an ACL on a file (object). You could also change/remove the ACL of an existing object or bucket as well. Hope this works for you?

[Vi]

Hi.

As specified here, I can setup as acl only READER or OWNER for a specific file.

This does not prevent an user to access the specific file.

[Katayoon (Cloud Platform Support)]

Hi. If you define an ACL on a bucket, it applies on all objects inside the bucket. Preventing a user/group to access a specific file, you may delete the ACL entry for the specified entity or update an ACL entry on the specified object.