3
votes

I'm trying to see if I can have a Google Cloud Storage bucket, using a Bucket Policy Only for simplified permissions (in this case, everything is publicly readable), while also serving files with a Cache-Control response header for good performance.

I actually already have this working, but I'm asking this question because I want to validate whether this should actually be working, or if it's some kind of fluke that might stop working.

The reason I'm wary is that the Object metadata docs on using Cache-Control state that

Cache-Control only applies when accessing objects that [...] Are not stored in a bucket that has Bucket Policy Only enabled

Likewise, the Bucket Policy Only docs state that

Once enabled, the following ACL functionality ceases: [...] Public caching is not supported.

This contradicts a few tests I did. I have buckets that are publicly readable, and by default, files were served with cache-control: private, max-age=0, but when I set a Cache-Control value in the metadata manually, that was respected.

Here's an example, which demonstrates that the Cache-Control headers I've set are in fact respected:

# Show that Bucket Policy Only is enabled
$ gsutil bucketpolicyonly get gs://bucketname
Bucket Policy Only setting for gs://bucketname:
  Enabled: True
  LockedTime: 2019-11-21 02:30:26.811000+00:00

# Create and upload a dummy file
$ touch test-file
$ gsutil cp test-file gs://bucketname/test-file
Copying file://test-file [Content-Type=application/octet-stream]...
/ [1 files][    0.0 B/    0.0 B]
Operation completed over 1 objects.

# Show default cache-control headers on the public file
$ curl -vso /dev/null 2>&1 https://storage.googleapis.com/bucketname/test-file | grep cache-control
< cache-control: private, max-age=0

# Set cache-control headers and show that they are in fact returned
$ gsutil setmeta -h "cache-control: public, max-age=7200" gs://bucketname/test-file
Setting metadata on gs://bucketname/test-file...
/ [1 objects]
Operation completed over 1 objects.
$ curl -vso /dev/null 2>&1 https://storage.googleapis.com/bucketname/test-file | grep cache-control
< cache-control: public, max-age=7200

Are the docs wrong, in which case I can just expect this to work out, or is this actually a bug that I shouldn't depend on in the long run?

1
Show the policy applied to the bucket, the HTTP headers returned from an HTTP request and object metadata for an example bucket object. Edit your question with this information. - John Hanley
@JohnHanley I've updated the question with a demo - jon_wu
I will try to reproduce this. - John Hanley
I have updated my answer with new information from Google. - John Hanley

1 Answer

3
votes

I believe this is a documentation error. I recommend opening a Cloud Storage Issue here: https://cloud.google.com/support/docs/issue-trackers

Setting cache-control for an entire bucket makes no sense. cache-control for objects should be set at the individual object level and not for an entire bucket. The default value is private, max-age=0 which would prevent caching if you could not change it. Plus you cannot set cache-control on a bucket, so if Bucket Policy Only is for an entire bucket, there is no way to set it.

[EDIT 9/3/19] Google has updated the documentation. The following pages have been updated as a result of this question.

https://cloud.google.com/storage/docs/bucket-policy-only#restrictions

https://cloud.google.com/storage/docs/metadata#cache-control

The value of Cache-Control is set to private by default for publicly accessible objects in Bucket Policy Only-enabled buckets, unless you explicitly set the value to public.

[END Update]
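
The check the question performs by hand with curl and grep can be scripted so that a change in the served Cache-Control is caught. This is an added example, not part of the original question or answer: the function names cache_policy and within_public_ttl are hypothetical, and the sample responses are constructed from the two header lines shown in the question.

```shell
# Added example (not from the original post). Reads `curl -v` output on stdin
# and prints: missing | private | public:<max-age or unset> | other:<value>
cache_policy() {
    awk '
        BEGIN { result = "missing" }
        found { next }                      # only the first Cache-Control header counts
        {
            line = $0
            sub(/\r$/, "", line)            # HTTP header lines end in CRLF
            sub(/^< /, "", line)            # curl -v marks response headers with "< "
            lower = tolower(line)           # header names are case-insensitive
            if (index(lower, "cache-control:") != 1) next
            found = 1
            v = substr(lower, length("cache-control:") + 1)
            gsub(/[ \t]/, "", v)
            n = split(v, d, ",")
            pub = 0; priv = 0; age = "unset"
            for (i = 1; i <= n; i++) {
                if (d[i] == "public") pub = 1
                else if (d[i] == "private" || d[i] == "no-store") priv = 1  # not storable by shared caches
                else if (d[i] ~ /^max-age=[0-9]+$/) age = substr(d[i], 9)
            }
            if (priv) result = "private"
            else if (pub) result = "public:" age
            else result = "other:" v
        }
        END { print result }
    '
}

# Succeeds only if shared caches may hold the object for at most $1 seconds.
within_public_ttl() {
    policy=$(cache_policy)
    case "$policy" in
        private) return 0 ;;
        public:unset|other:*|missing) return 1 ;;   # no explicit bound: treat as a finding
        public:*) [ "${policy#public:}" -le "$1" ] ;;
    esac
}

# Constructed samples, modelled on the two responses shown in the question.
DEFAULT_RESPONSE='< HTTP/2 200
< cache-control: private, max-age=0'
EXPLICIT_RESPONSE='< HTTP/2 200
< cache-control: public, max-age=7200'

printf '%s\n' "$DEFAULT_RESPONSE"  | cache_policy
printf '%s\n' "$EXPLICIT_RESPONSE" | cache_policy
```

Against a live object, pipe the output of the question's curl command (with 2>&1) into either function instead of the constructed samples.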