Bypass bucket IP filtering rules

Bypassing bucket IP filtering rules exempts users or service accounts from IP filtering restrictions for creating, deleting, or configuring buckets, while still enforcing rules for others. For more information about bucket IP filtering, see Bucket IP filtering.

It's crucial to have a way to regain access to your bucket if you inadvertently block your own IP address. This can happen due to the following reasons:

  • Bucket lockout: When you accidentally add a rule that blocks your own IP address or the IP range of your entire network.

  • Unexpected IP change: In some cases, your IP address might change unexpectedly due to network changes, and you might find yourself locked out.

To enable specific users or service accounts to bypass IP filtering restrictions on a bucket, grant them the storage.buckets.exemptFromIpFilter permission using a custom role. This permission exempts the user or service account from IP filtering rules for bucket-level operations such as creating, deleting, or configuring buckets. To do so, complete the following steps:

  1. Identify the user or service account that needs to bypass the IP filtering restrictions on specific buckets.

  2. Create a custom role.

  3. Add the storage.buckets.exemptFromIpFilter permission to the role.

  4. Grant the custom role to the identified user or service account at the project level. For information about granting roles, see Grant a single role.
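
Steps 2 through 4 as gcloud commands, as an added example that is not part of the original page. The project ID, role ID, and member are caller-supplied placeholders, and the dry-run default and the restriction to `user:` and `serviceAccount:` members are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: create a custom role that carries only the exemption
# permission, then grant it to one principal at the project level.
# Project ID, role ID and member are placeholders supplied by the caller.
set -u

PERMISSION="storage.buckets.exemptFromIpFilter"

# Print the command instead of running it unless DRY_RUN=0 is set.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Example policy: accept only individual users or service accounts,
# so the exemption is never handed to a group, a domain, or allUsers.
valid_member() {
  case "$1" in
    user:?*@?*|serviceAccount:?*@?*) return 0 ;;
    *) return 1 ;;
  esac
}

grant_ip_filter_bypass() {
  local project="$1" role_id="$2" member="$3"
  valid_member "$member" || { echo "refusing member: $member" >&2; return 2; }
  # Steps 2 and 3: custom role with the single exemption permission.
  run gcloud iam roles create "$role_id" --project="$project" \
    --title="IpFilterBypass" --permissions="$PERMISSION" --stage=GA || return 1
  # Step 4: bind the custom role to the principal at the project level.
  run gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role="projects/$project/roles/$role_id"
}

# Usage: ./grant_bypass.sh PROJECT_ID ROLE_ID MEMBER  (DRY_RUN=0 to apply)
if [ "$#" -eq 3 ]; then
  grant_ip_filter_bypass "$@"
fi
```

Run it once with the default dry run to review the two commands, then rerun with `DRY_RUN=0` to apply them.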

After you grant this permission, the exempted users or service accounts can perform bucket-level operations without any IP filtering restrictions. Because the exemption requires an explicit permission, bypassing IP filtering rules is a deliberate and authorized action, and you keep granular control over the exceptions to the rules.
