Overview Configuration samples
Cross Origin Resource Sharing (CORS) allows interactions between resources from different origins, something that is normally prohibited in order to prevent malicious behavior. Use this page to learn how to set a CORS configuration on a Cloud Storage bucket and how to view the CORS configuration set on a bucket. See Configuration examples for CORS for example CORS configurations, including the configuration that disables any existing configuration on your bucket.
Required roles
To get the permissions that you need to set and view the CORS configuration
on a bucket, ask your administrator to grant you the Storage Admin
(roles/storage.admin) role on the bucket.
This predefined role contains the permissions required to set and view CORS configurations. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
- storage.buckets.get
- storage.buckets.update
You can also get these permissions with other predefined roles or custom roles.
For information about granting roles on buckets, see Set and manage IAM policies on buckets.
Set the CORS configuration on a bucket
You set a CORS configuration on a bucket by specifying information, such as HTTP methods and originating domains, that identify the types of requests the bucket can accept.
Use the following steps to set a CORS configuration on your bucket:
Console
You cannot manage CORS using the Google Cloud console. Use the gcloud CLI instead.
Command line
- Create a JSON file with the CORS configuration you would like to apply. See configuration examples for sample JSON files. 
- Use the - gcloud storage buckets updatecommand with the- --cors-fileflag:- gcloud storage buckets update gs://BUCKET_NAME --cors-file=CORS_CONFIG_FILE - Where: - BUCKET_NAMEis the name of the relevant bucket. For example,- my-bucket.
- CORS_CONFIG_FILEis the path to the JSON file you created in Step 1.
 
Client libraries
  
  
  
    
  
 
      
      
  For more information, see the
  Cloud Storage C++ API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket: 
      
      
  For more information, see the
  Cloud Storage C# API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket: 
      
      
  For more information, see the
  Cloud Storage Go API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket: 
      
      
  For more information, see the
  Cloud Storage Java API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket: 
      
      
  For more information, see the
  Cloud Storage Node.js API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket: 
      
      
  For more information, see the
  Cloud Storage PHP API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket: 
      
      
  For more information, see the
  Cloud Storage Python API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket: 
      
      
  For more information, see the
  Cloud Storage Ruby API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     The following sample sets a CORS configuration on a bucket:C++
  
  
    
    C#
  
  
    
    Go
  
  
    
    Java
  
  
    
    Node.js
  
  
    
    PHP
  
  
    
    Python
  
  
    
    Ruby
  
  
    
    
REST APIs
JSON API
- Have gcloud CLI installed and initialized, which lets you generate an access token for the - Authorizationheader.
- Create a JSON file with the CORS configuration you would like to apply. See configuration examples for sample JSON files. 
- Use - cURLto call the JSON API with a- PATCHBucket request:- curl --request PATCH \ 'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=cors' \ --header 'Authorization: Bearer $(gcloud auth print-access-token)' \ --header 'Content-Type: application/json' \ --data-binary @CORS_CONFIG_FILE - Where: - BUCKET_NAMEis the name of the bucket. For example,- my-bucket.
- CORS_CONFIG_FILEis the path to the JSON file you created in Step 2.
 
XML API
- Have gcloud CLI installed and initialized, which lets you generate an access token for the - Authorizationheader.
- Create a XML file with the CORS configuration you would like to apply. See configuration examples for sample XML files. 
- Use - cURLto call the XML API with a- PUT Bucketrequest scoped to- ?cors:- curl -X PUT --data-binary @CORS_CONFIG_FILE \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "x-goog-project-id: PROJECT_ID" \ "https://storage.googleapis.com/BUCKET_NAME?cors" - Where: - BUCKET_NAMEis the name of the bucket. For example,- my-bucket.
- PROJECT_IDis the ID of the project associated with the bucket. For example,- my-project.
- CORS_CONFIG_FILEis the path to the XML file you created in Step 2.
 
To remove the CORS configuration for a bucket, set an empty CORS configuration.
View the CORS configuration for a bucket
To view the CORS configuration for a bucket:
Console
You cannot manage CORS using the Google Cloud console. Use the gcloud CLI instead.
Command line
Use the gcloud storage buckets describe command with the
--format flag:
gcloud storage buckets describe gs://BUCKET_NAME --format="default(cors_config)"
Where BUCKET_NAME is the name of the bucket
whose CORS configuration you want to view. For example, my-bucket.
Client libraries
To view the CORS configuration for a bucket using the client libraries, follow the instructions for displaying a bucket's metadata and look for the CORS field in the response:
  
  
  
    
  
 
      
      
  For more information, see the
  Cloud Storage C++ API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     
      
      
  For more information, see the
  Cloud Storage C# API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     
      
      
  For more information, see the
  Cloud Storage Go API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     
      
      
  For more information, see the
  Cloud Storage Java API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     
      
      
  For more information, see the
  Cloud Storage Node.js API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     
      
      
  For more information, see the
  Cloud Storage PHP API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     
      
      
  For more information, see the
  Cloud Storage Python API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
     
      
      
  For more information, see the
  Cloud Storage Ruby API
    reference documentation.
  
     
      To authenticate to Cloud Storage, set up Application Default Credentials.
      For more information, see
      
        Set up authentication for client libraries.
      
    C++
  
  
    
    C#
  
  
    
    Go
  
  
    
    Java
  
  
    
    Node.js
  
  
    
    PHP
  
  
    
    Python
  
  
    
    Ruby
  
  
    
    
REST APIs
JSON API
- Have gcloud CLI installed and initialized, which lets you generate an access token for the - Authorizationheader.
- Use - cURLto call the JSON API with a- GETBucket request:- curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME?fields=cors" - Where - BUCKET_NAMEis the name of the bucket whose CORS configuration you want to view. For example,- my-bucket.
XML API
- Have gcloud CLI installed and initialized, which lets you generate an access token for the - Authorizationheader.
- Use - cURLto call the XML API with a- GETBucket request scoped to- ?cors:- curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://storage.googleapis.com/BUCKET_NAME?cors" - Where - BUCKET_NAMEis the name of the bucket whose CORS configuration you want to view. For example,- my-bucket.
What's next
- Explore CORS configuration examples, including an example that removes the CORS configuration on a bucket.
- Learn more about CORS.
- Learn how to troubleshoot CORS requests.