Managed folders
This page provides an overview of managed folders in Cloud Storage. Managed folders are a type of folder on which you can grant IAM roles, so you have more fine-grained access control over specific groups of objects within a bucket. Managed folders exist as resources within Cloud Storage and are different from simulated folders, which are only a naming convention over the bucket's flat namespace and cannot carry an IAM policy of their own.
IAM for managed folders
When you apply an IAM policy on a managed folder, the access granted in the policy applies to any object within the bucket that uses the managed folder path as a prefix in the object name. For example, if you grant a principal the Storage Object Viewer (`roles/storage.objectViewer`) role on a managed folder named `example-managed-folder/`, the principal can view any object within the `example-managed-folder/` path, such as `example-managed-folder/dog.png` or `example-managed-folder/cat.jpeg`. Because the match is on the full prefix including the trailing `/`, the same grant does not reach an object such as `example-managed-folder-archive/dog.png`. When you nest managed folders, the permissions granted through IAM policies are applied additively: a principal's effective access to an object is the union of what the bucket policy and each enclosing managed folder's policy grant (plus anything inherited from the project). A nested managed folder can therefore widen access, but it cannot restrict what the bucket or a parent managed folder already grants; to take access away, remove the broader grant.
Managed folders can only be created in buckets that have uniform bucket-level access enabled.
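The prefix matching and additive evaluation described above, as an added illustration: this is not Google's code and does not call the Cloud Storage API. It evaluates constructed IAM bindings at the bucket and managed-folder levels for a principal and an object name. The principal, bucket bindings, folder names and roles are constructed for the example, and the evaluation logic is a model of the behaviour the page describes, not the service's implementation.

```python
"""Model of IAM evaluation on managed folders (added example, not Google's code).

Bindings use the IAM policy JSON shape ({"role": ..., "members": [...]}).
All data below is constructed for illustration; nothing here calls Cloud Storage.
"""
from typing import Dict, Iterable, List, Set

Binding = Dict[str, object]


def _roles_for(bindings: Iterable[Binding], principal: str) -> Set[str]:
    """Roles that one policy's bindings grant to the principal."""
    return {str(b["role"]) for b in bindings if principal in b["members"]}


def applicable_folders(folder_policies: Dict[str, List[Binding]], object_name: str) -> List[str]:
    """Managed folders whose name is a prefix of the object name, outermost first.

    A managed folder name always ends in '/', so 'my-folder/' matches
    'my-folder/object.txt' but not 'my-folder-archive/object.txt'.
    """
    for name in folder_policies:
        if not name.endswith("/"):
            raise ValueError(f"managed folder names must end with '/': {name!r}")
    return sorted((f for f in folder_policies if object_name.startswith(f)), key=len)


def effective_roles(
    bucket_bindings: List[Binding],
    folder_policies: Dict[str, List[Binding]],
    principal: str,
    object_name: str,
) -> Set[str]:
    """Union of roles the principal holds on the object.

    Bucket bindings always apply; each applicable managed folder adds its own.
    Nothing in the chain subtracts access, which is what 'additive' means.
    """
    roles = _roles_for(bucket_bindings, principal)
    for folder in applicable_folders(folder_policies, object_name):
        roles |= _roles_for(folder_policies[folder], principal)
    return roles


# Constructed sample data (hypothetical principals and folder layout).
ANALYST = "user:analyst@example.com"
ADMIN = "user:admin@example.com"

BUCKET_BINDINGS: List[Binding] = [
    {"role": "roles/storage.objectViewer", "members": [ADMIN]},
]

FOLDER_POLICIES: Dict[str, List[Binding]] = {
    "example-managed-folder/": [
        {"role": "roles/storage.objectViewer", "members": [ANALYST]},
    ],
    # A child folder adds a role on top of the parent's; it cannot take one away.
    "example-managed-folder/uploads/": [
        {"role": "roles/storage.objectCreator", "members": [ANALYST]},
    ],
    # A child created without its parent ever existing (the page allows this).
    "my-folder-A/my-folder-B/": [
        {"role": "roles/storage.objectViewer", "members": [ANALYST]},
    ],
}


if __name__ == "__main__":
    for obj in ("example-managed-folder/dog.png",
                "example-managed-folder/uploads/new.bin",
                "example-managed-folder-archive/dog.png",
                "my-folder-A/notes.txt"):
        print(obj, sorted(effective_roles(BUCKET_BINDINGS, FOLDER_POLICIES, ANALYST, obj)))
```

Against the real service, the first binding in the sample corresponds to `gcloud storage managed-folders add-iam-policy-binding gs://BUCKET/example-managed-folder/ --member=user:analyst@example.com --role=roles/storage.objectViewer`. The practical consequence the model makes visible is that the analyst gets nothing on `my-folder-A/notes.txt` even though they hold a role on the child `my-folder-A/my-folder-B/`, and that no child policy could have removed the viewer role inherited from `example-managed-folder/` on the `uploads/` subtree.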
Read the following pages for more information about managed folders:
- Creating and managing managed folders
- Control access to managed folders
- ManagedFolder reference page for the JSON API
Managed folder names
The name you give to a managed folder must meet the following requirements:
- Managed folder names can contain any sequence of valid Unicode characters, of length 1-1024 bytes when UTF-8 encoded.
- Managed folder names cannot contain Carriage Return or Line Feed characters.
- Managed folder names must end with `/`. At most, a managed folder name can have 15 `/`s. In other words, managed folders can be nested up to 15 levels deep.
- Managed folder names cannot start with `.well-known/acme-challenge/`.
- Managed folders cannot be named `.` or `..`.
It is strongly recommended that you avoid the following in your managed folder names:
- Control characters that are illegal in XML 1.0 (#x7F–#x84 and #x86–#x9F): these characters cause XML listing issues when you try to list your managed folders.
- The `[`, `]`, `*`, or `?` characters: the Google Cloud CLI interprets these characters as wildcards, so including them in managed folder names can make it difficult or impossible to perform wildcard operations with the tool. Additionally, `*` and `?` are not valid characters for file names in Windows.
- Sensitive or personally identifiable information (PII): managed folder names are more broadly visible than object data. For example, managed folder names appear in URLs for the object and when listing objects in a bucket.
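The naming rules and recommendations above, encoded as a checker. This is an added example, not Google's validator; the service remains the authority on what it accepts. Hard rules return error codes, the "strongly recommended" items return warnings only. Treating `./` and `../` as the slash-terminated spellings of the forbidden names `.` and `..` is an assumption made here, since every accepted name must end in `/`.

```python
"""Checker for managed folder names (added example, not Google's code).

Hard rules follow the naming requirements listed above; soft warnings follow
the 'strongly recommended' list. The service itself remains authoritative.
"""
import re
from typing import List

MAX_BYTES = 1024
MAX_SLASHES = 15                       # at most 15 '/' characters, i.e. 15 levels deep
FORBIDDEN_PREFIX = ".well-known/acme-challenge/"
# '.' and '..' are forbidden; because every name must end in '/', the
# slash-terminated spellings are rejected here too (assumption, not from the page).
FORBIDDEN_NAMES = {".", "..", "./", "../"}

# Control characters illegal in XML 1.0 that break XML listings.
_XML_CONTROL = re.compile("[\x7f-\x84\x86-\x9f]")
_WILDCARDS = set("[]*?")               # gcloud wildcards; '*' and '?' also invalid on Windows


def validate_managed_folder_name(name: str) -> List[str]:
    """Return violated hard-rule codes; an empty list means the name is acceptable."""
    errors: List[str] = []
    try:
        size = len(name.encode("utf-8"))
    except UnicodeEncodeError:         # e.g. a lone surrogate is not valid Unicode
        return ["invalid-unicode"]
    if not 1 <= size <= MAX_BYTES:
        errors.append("length")
    if "\r" in name or "\n" in name:
        errors.append("crlf")
    if not name.endswith("/"):
        errors.append("trailing-slash")
    if name.count("/") > MAX_SLASHES:
        errors.append("depth")
    if name.startswith(FORBIDDEN_PREFIX):
        errors.append("acme-prefix")
    if name in FORBIDDEN_NAMES:
        errors.append("dot-name")
    return errors


def name_warnings(name: str) -> List[str]:
    """Return codes for discouraged (but not rejected) content in the name."""
    warnings: List[str] = []
    if _XML_CONTROL.search(name):
        warnings.append("xml-control-chars")
    if _WILDCARDS & set(name):
        warnings.append("wildcard-chars")
    return warnings


if __name__ == "__main__":
    # Constructed candidates exercising each rule.
    for candidate in ("example-managed-folder/", "reports", "logs[2024]/",
                      ".well-known/acme-challenge/x/", "a/" * 16):
        print(repr(candidate)[:40], validate_managed_folder_name(candidate), name_warnings(candidate))
```

Running the checker before creating a folder catches the depth and trailing-slash mistakes that otherwise surface only as API errors; the PII recommendation cannot be checked mechanically and is left to review.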
Considerations
When working with managed folders, note the following considerations:
- Managed folders can be created in place of simulated folders, which means that you can create a managed folder and name it after an object's prefix, as long as there isn't already a managed folder using that name. For example, you can create a managed folder named `my-folder/` even if you have an existing object named `my-folder/object.txt`. Note that the IAM policy on the managed folder `my-folder/` will then apply to all objects that have `my-folder/` as a name prefix, including objects that existed before the managed folder was created.
- You can create child managed folders before the parent managed folder is created. For example, you can create a managed folder named `my-folder-A/my-folder-B/` without first creating a managed folder named `my-folder-A/`.
- By default, you can't delete a non-empty managed folder that contains objects or other child managed folders. You can bypass this rule by using the `allowNonEmpty` parameter in a Delete ManagedFolder JSON API request. Because the IAM policy is attached to the managed folder resource, deleting the folder also removes that policy.
- Managed folder names are visible in error messages and Cloud Audit Logs when a request to delete a folder that has a managed folder at the same path fails, even to callers without explicit `storage.managedFolders.get` or `storage.managedFolders.list` permissions. Treat folder names as potentially disclosed, which is another reason to keep sensitive information out of them.
What's next
- Create and manage managed folders.
- Learn about simulated folders.
- Upload objects to a Cloud Storage bucket.
- Learn about the best practices for using managed folders.