You make the rules with authentication controls for Cloud StorageYou make the rules with authentication controls for Cloud StorageCloud Developer Advocate

That’s because IAM aims to make authentication easier by giving you full control and visibility.

Cloud IAM provides a unified view into the security control of your entire organization, across your various Google Cloud services; meaning there’s one place to check for granting and reviewing permissions for employees, dog owners, visitors, other franchise locations, etc. This eases some of the operational burden, for sure—especially when you’re looking after dozens of dogs.

So, that’s how uniform access works for Cloud Storage, and if you need more examples, check out this documentation.

Fine-grained access

If you know you’re going to need to manage permissions at the object level for a given bucket, then you can select fine-grained access. The fine-grained option enables you to use IAM and Access Control Lists (ACLs) together to manage permissions.

It’s good to note that this option is primarily for integrations that rely on legacy access control systems for interoperability with other services, and that using fine-grained controls with ACLs will limit your ability to use other features like Cloud Audit Logs and other IAM conditions.

Additionally, once you enable uniform bucket-level access, you have 90 days to switch back to fine-grained access before uniform bucket-level access becomes permanent. For more details, including recommended bucket architecture, check out this documentation.

Additional authentication options

Beyond choosing between uniform and fine-grained access when creating your bucket, you also have options for specialized control situations.

Signed URLs (query string authentication) let you grant read or write access to an object, through a link, for a specified set amount of time, regardless of whether or not the individual has a Google account. You can create signed URLs with your own program, or using gsutil or Client Libraries.

Signed Policy Documents specify what can be uploaded to a bucket, with more control over upload characteristics than signed URLs, like size or content type. Signed policy documents can also be used by website owners to allow visitors or organization members to upload files to Cloud Storage.

Credential Access Boundaries restrict the permissions that are available to an OAuth 2.0 access token, allowing you to downscope the permissions on a given bucket for a given user. This enables you to give members a distinct set of permissions for each session.