Bypass bucket IP filtering rules

You can allow users or service accounts to perform certain operations on buckets without any IP filtering restrictions, while still enforcing restrictions for other operations. To do this, you bypass IP filtering rules.

It's crucial to have a way to regain access to your bucket if you inadvertently block your own IP address. This can happen due to the following reasons:

  • Bucket lockout: When you accidentally add a rule that blocks your own IP address or the IP range of your entire network.

  • Unexpected IP change: In some cases, your IP address might change unexpectedly due to network changes, and you might find yourself locked out.

For background information about bucket IP filtering, see Bucket IP filtering.

Supported operations

When you bypass IP filtering, the following operations are exempt from IP filtering restrictions:

Bypass bucket IP filtering rules

To enable specific users or service accounts to bypass IP filtering restrictions on a bucket, grant them the storage.buckets.exemptFromIpFilter permission using a custom role. This permission exempts the user or service account from IP filtering rules for supported bucket-level operations. To do so, complete the following steps:

  1. Identify the user or service account that needs to bypass the IP filtering restrictions on specific buckets.

  2. Create a custom role.

  3. Add the storage.buckets.exemptFromIpFilter permission to the role.

  4. Grant the custom role to the identified user or service account at the project level. For information about granting roles, see Grant a single role.

After you grant the users or service accounts these permissions, they can perform supported operations without any IP filtering restrictions. Requiring explicit permissions ensures that bypassing IP filtering rules is a deliberate and authorized action by providing granular control over the exceptions to the rules.

What's next