Create or update IP filtering rules on an existing bucket
This page describes how to create or update the bucket IP filtering rules
on an existing bucket.
Required roles
To get the required permissions for updating the IP filtering rules on a bucket, ask your administrator to grant you the Storage Admin (roles/storage.admin) role on the bucket. This role contains the permissions required to update bucket IP filtering rules.
To see the exact permissions that are required, expand the
Required permissions section:
Required permissions
storage.buckets.update
storage.buckets.setIpFilter
You can also get these permissions with custom roles. You might be able to get these permissions with other predefined roles as well. To see which roles are associated with which permissions,
refer to IAM roles for Cloud Storage.
For instructions on granting roles for projects, see Manage access to
projects.
Create or update IP filtering rules on an existing bucket
gcloud
Verify that you have the Google Cloud CLI version 526.0.0 or later installed:
gcloud version | head -n1
If you have an earlier gcloud CLI version installed, update the version:
gcloud components update --version=526.0.0
Create a JSON file that defines rules for incoming requests. For
examples and information about how to structure the bucket IP filtering
rules, see Bucket IP filtering configurations.
{
  "mode": "MODE",
  "publicNetworkSource": {
    "allowedIpCidrRanges": [
      "RANGE_CIDR",
      "..."
    ]
  },
  "vpcNetworkSources": [
    {
      "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
      "allowedIpCidrRanges": [
        "RANGE_CIDR",
        "..."
      ]
    },
    "..."
  ],
  "allowCrossOrgVpcs": ALLOW_CROSS_ORG_VPCS,
  "allowAllServiceAgentAccess": ALLOW_ALL_SERVICE_AGENT_ACCESS
}
Where:

MODE is the mode of the bucket IP filtering configuration. Valid values are Enabled and Disabled. When set to Enabled, IP filtering rules are applied to a bucket. Any incoming request to the bucket is evaluated against these rules. When set to Disabled, all incoming requests are allowed to access the bucket.

RANGE_CIDR is a public network IPv4 or IPv6 address range that's allowed to access the bucket. You can enter one or multiple address ranges as a list.

PROJECT_ID is the project ID where the Virtual Private Cloud (VPC) network exists. To configure multiple VPC networks, you need to specify the project where each network is located.

NETWORK_NAME is the name of the VPC network that is allowed to access the bucket. To configure multiple VPC networks, you need to specify a name for each network.

ALLOW_CROSS_ORG_VPCS is a boolean value that indicates whether to allow VPC networks that are defined in vpcNetworkSources to originate from a different organization. This field is optional. If set to true, the request allows cross-organizational VPC networks. If set to false, the request restricts the VPC networks to the same organization as the bucket. If not specified, the default value is false. This field applies only if vpcNetworkSources is not empty.

ALLOW_ALL_SERVICE_AGENT_ACCESS is a boolean value that indicates whether to allow service agents to access the bucket, regardless of the IP filter configuration. If the value is true, other Trusted Cloud services can use service agents to access the bucket without IP-based validation.
To update bucket IP filtering rules, run the gcloud alpha storage buckets update command in your development environment:
gcloud alpha storage buckets update gs://BUCKET_NAME --ip-filter-file=IP_FILTER_CONFIG_FILE
Where:

BUCKET_NAME is the name of your bucket. For example, my-bucket.

IP_FILTER_CONFIG_FILE is the JSON file created in the preceding step.
REST APIs
JSON API
Have gcloud CLI installed and initialized, which lets you generate an access token for the Authorization header.
Create a JSON file that contains the settings for the bucket, which must include the name and the ipFilter configuration fields for the bucket. For examples and information about how to structure the bucket IP filtering rules, see Bucket IP filtering configurations.
{
  "ipFilter": {
    "mode": "MODE",
    "publicNetworkSource": {
      "allowedIpCidrRanges": [
        "RANGE_CIDR",
        "..."
      ]
    },
    "vpcNetworkSources": [
      {
        "network": "projects/PROJECT_ID/global/networks/NETWORK_NAME",
        "allowedIpCidrRanges": [
          "RANGE_CIDR",
          "..."
        ]
      },
      "..."
    ],
    "allowCrossOrgVpcs": ALLOW_CROSS_ORG_VPCS,
    "allowAllServiceAgentAccess": ALLOW_ALL_SERVICE_AGENT_ACCESS
  }
}
Where:

MODE is the state of the IP filter configuration. Valid values are Enabled and Disabled. When set to Enabled, IP filtering rules are applied to a bucket and all incoming requests to the bucket are evaluated against these rules. When set to Disabled, all incoming requests can access the bucket and its data without any evaluation.

RANGE_CIDR is a public network IPv4 or IPv6 address range that's allowed to access the bucket. You can enter one or multiple address ranges as a list.

PROJECT_ID is the project ID where the VPC network exists. To configure multiple VPC networks, you need to specify the project where each network is located.

NETWORK_NAME is the name of the VPC network that is allowed to access the bucket. To configure multiple VPC networks, you need to specify a name for each network.

ALLOW_ALL_SERVICE_AGENT_ACCESS is a boolean value that indicates whether to allow service agents to access the bucket, regardless of the IP filter configuration. If the value is true, other Trusted Cloud services can use service agents to access the bucket without IP-based validation.

ALLOW_CROSS_ORG_VPCS is a boolean value that indicates whether to allow VPC networks that are defined in the vpcNetworkSources list to originate from a different organization. This field is optional. If set to true, the request allows cross-organizational VPC networks. If set to false, the request restricts the VPC networks to the same organization as the bucket. If not specified, the default value is false. This field applies only if vpcNetworkSources is not empty.
Use cURL to call the JSON API with a PATCH bucket request:
curl -X PATCH --data-binary @JSON_FILE_NAME \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://storage.s3nsapis.fr/storage/v1/b/BUCKET_NAME?project=PROJECT_IDENTIFIER"
Where:

JSON_FILE_NAME is the name of the JSON file you created in the preceding step.

BUCKET_NAME is the name of your bucket.

PROJECT_IDENTIFIER is the ID or number of the project with which your bucket is associated. For example, my-project.
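The gcloud --ip-filter-file document and the JSON API PATCH body shown on this page carry the same rules in two shapes. The following is an added example, not code from the Cloud Storage documentation or from the gcloud CLI: a Python helper that builds the rules from operator input, rejects values that the page says are invalid (a mode other than Enabled or Disabled, a CIDR with host bits set or an out-of-range prefix, allowCrossOrgVpcs without any vpcNetworkSources entry) before a bucket is touched, and emits both shapes. The bucket, project, network and address-range values are constructed; public_source_allows is a simplified local model of how Enabled and Disabled mode treat a public client address and covers only publicNetworkSource, not the VPC or service-agent paths.

```python
"""Build, validate and shape a bucket IP filtering configuration.

Added example; not code from the Cloud Storage documentation or the gcloud
CLI.  It uses only the field names shown on this page and the Python standard
library.  Bucket, project, network and CIDR values below are constructed.
"""
import ipaddress
import json

VALID_MODES = ("Enabled", "Disabled")


def _canonical_cidr(cidr):
    """Parse a CIDR strictly: "10.0.0.0/33" (bad prefix) or "10.0.1.5/24"
    (host bits set) raise ValueError, so a typo never reaches the bucket."""
    return str(ipaddress.ip_network(cidr))


def build_ip_filter(mode, public_cidrs=(), vpc_sources=(),
                    allow_cross_org_vpcs=None,
                    allow_all_service_agent_access=None):
    """Return the document written to the gcloud --ip-filter-file.

    vpc_sources is an iterable of (project_id, network_name, cidrs) tuples,
    a shape chosen for this example; each becomes one vpcNetworkSources entry.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    config = {"mode": mode}
    if public_cidrs:
        config["publicNetworkSource"] = {
            "allowedIpCidrRanges": [_canonical_cidr(c) for c in public_cidrs]}
    if vpc_sources:
        config["vpcNetworkSources"] = [
            {"network": f"projects/{project}/global/networks/{network}",
             "allowedIpCidrRanges": [_canonical_cidr(c) for c in cidrs]}
            for project, network, cidrs in vpc_sources]
    if allow_cross_org_vpcs is not None:
        # The page states this field applies only when vpcNetworkSources is
        # non-empty, so a value without any VPC source is treated as a mistake.
        if not vpc_sources:
            raise ValueError("allowCrossOrgVpcs requires a vpcNetworkSources entry")
        config["allowCrossOrgVpcs"] = bool(allow_cross_org_vpcs)
    if allow_all_service_agent_access is not None:
        config["allowAllServiceAgentAccess"] = bool(allow_all_service_agent_access)
    return config


def to_json_api_body(bucket_name, ip_filter):
    """Wrap the same rules in the PATCH bucket body used with the JSON API:
    the bucket name plus an ipFilter object."""
    return {"name": bucket_name, "ipFilter": ip_filter}


def public_source_allows(ip_filter, client_ip):
    """Simplified local model of the publicNetworkSource rules only.

    Disabled: every request is allowed.  Enabled: the client address must fall
    inside one of the allowed public ranges (an IPv4 address never matches an
    IPv6 range and vice versa).  VPC-sourced requests and service-agent access
    depend on information a bare client address does not carry and are not
    modelled here.
    """
    if ip_filter["mode"] == "Disabled":
        return True
    addr = ipaddress.ip_address(client_ip)
    ranges = ip_filter.get("publicNetworkSource", {}).get("allowedIpCidrRanges", [])
    return any(addr in ipaddress.ip_network(r) for r in ranges)


if __name__ == "__main__":
    rules = build_ip_filter(
        "Enabled",
        public_cidrs=["203.0.113.0/24", "2001:db8::/32"],        # constructed office ranges
        vpc_sources=[("my-project", "my-vpc", ["10.0.0.0/8"])],  # constructed VPC
        allow_cross_org_vpcs=False,
        allow_all_service_agent_access=True,
    )
    # Contents for IP_FILTER_CONFIG_FILE (gcloud) and for JSON_FILE_NAME (curl):
    print(json.dumps(rules, indent=2))
    print(json.dumps(to_json_api_body("my-bucket", rules), indent=2))
    for ip in ("203.0.113.7", "198.51.100.1", "2001:db8::1"):
        print(ip, "allowed" if public_source_allows(rules, ip) else "denied")
```

Save the first printed document as the file passed to --ip-filter-file, and the second as the file passed to curl with --data-binary; the strict CIDR parsing is deliberate, since a range written with host bits set usually means the operator intended a different, narrower prefix.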
What's next
List bucket IP filtering rules.
Disable bucket IP filtering rules.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.