Skip to content

feat(storage): add Cloud Storage bucket IP filtering samples #2218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
salilg-eng wants to merge 1 commit into from
Closed

feat(storage): add Cloud Storage bucket IP filtering samples #2218

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions storage/src/delete_ip_filtering_rules.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
<?php
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

/**
* For instructions on how to run the full sample:
*
* @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
*/

namespace Google\Cloud\Samples\Storage;

# [START storage_delete_ip_filtering_rules]
use Google\Cloud\Storage\StorageClient;

/**
* Delete IP filtering rules from a bucket.
*
* @param string $bucketName The name of your Cloud Storage bucket.
* (e.g. 'my-bucket')
*/
function delete_ip_filtering_rules(string $bucketName): void
{
$storage = new StorageClient();
$bucket = $storage->bucket($bucketName);

$info = $bucket->info();
if (!isset($info['ipFilter'])) {
printf('No IP Filter configuration found for bucket %s.' . PHP_EOL, $bucketName);
return;
}

$ipFilter = $info['ipFilter'];
if (isset($ipFilter['publicNetworkSource']['allowedIpCidrRanges'])) {
$ranges = $ipFilter['publicNetworkSource']['allowedIpCidrRanges'];
$ranges = array_filter($ranges, function ($range) {
return $range !== '1.2.3.0/24';
});
$ipFilter['publicNetworkSource']['allowedIpCidrRanges'] = array_values($ranges);
}

$bucket->update(['ipFilter' => $ipFilter]);

printf('Specific IP filtering rules deleted for bucket %s' . PHP_EOL, $bucketName);
Comment on lines +47 to +57

@gemini-code-assist gemini-code-assist Bot Jun 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

If the IP range '1.2.3.0/24' is not present in the allowed ranges, or if allowedIpCidrRanges is not set, calling $bucket->update() is redundant and wastes an API call.

We can optimize this by tracking whether any changes were actually made, and only calling $bucket->update() if $updated is true.

    $updated = false;
    if (isset($ipFilter['publicNetworkSource']['allowedIpCidrRanges'])) {
        $ranges = $ipFilter['publicNetworkSource']['allowedIpCidrRanges'];
        $filteredRanges = array_filter($ranges, function ($range) {
            return $range !== '1.2.3.0/24';
        });
        if (count($ranges) !== count($filteredRanges)) {
            $ipFilter['publicNetworkSource']['allowedIpCidrRanges'] = array_values($filteredRanges);
            $updated = true;
        }
    }

    if ($updated) {
        $bucket->update(['ipFilter' => $ipFilter]);
        printf('Specific IP filtering rules deleted for bucket %s' . PHP_EOL, $bucketName);
    } else {
        printf('No matching IP filtering rules found to delete for bucket %s.' . PHP_EOL, $bucketName);
    }

}
# [END storage_delete_ip_filtering_rules]

// The following 2 lines are only needed to run the samples
require_once __DIR__ . '/../../testing/sample_helpers.php';
\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
52 changes: 52 additions & 0 deletions storage/src/disable_ip_filtering.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
<?php
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

/**
* For instructions on how to run the full sample:
*
* @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
*/

namespace Google\Cloud\Samples\Storage;

# [START storage_disable_ip_filtering]
use Google\Cloud\Storage\StorageClient;

/**
* Disable IP filtering on a bucket.
*
* @param string $bucketName The name of your Cloud Storage bucket.
* (e.g. 'my-bucket')
*/
function disable_ip_filtering(string $bucketName): void
{
$storage = new StorageClient();
$bucket = $storage->bucket($bucketName);

$bucket->update([
'ipFilter' => [
'mode' => 'Disabled'
]
]);

printf('Disabled IP filtering Rules for bucket %s' . PHP_EOL, $bucketName);
}
# [END storage_disable_ip_filtering]

// The following 2 lines are only needed to run the samples
require_once __DIR__ . '/../../testing/sample_helpers.php';
\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
67 changes: 67 additions & 0 deletions storage/src/enable_ip_filtering.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
<?php
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

/**
* For instructions on how to run the full sample:
*
* @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
*/

namespace Google\Cloud\Samples\Storage;

# [START storage_enable_ip_filtering]
use Google\Cloud\Storage\StorageClient;

/**
* Enable IP filtering on a bucket.
*
* @param string $projectId The ID of your Google Cloud project.
* (e.g. 'my-project-id')
* @param string $bucketName The name of your Cloud Storage bucket.
* (e.g. 'my-bucket')
*/
function enable_ip_filtering(string $projectId, string $bucketName): void
{
$storage = new StorageClient();
$bucket = $storage->bucket($bucketName);

$ipFilter = [
'mode' => 'Enabled',

@gemini-code-assist gemini-code-assist Bot Jun 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

In the PR description, you mentioned: 'I set the mode to Disabled by default in the snippet (with an accompanying comment)'. However, in the actual code, the mode is set to 'Enabled'.

Because the test runner's IP is not in the allowed range (1.2.3.0/24), setting the mode to 'Enabled' will immediately lock out the test runner. This causes the subsequent $bucket->reload() on line 1295 of the test to throw a 403 error, which is caught by the catch block, effectively skipping almost all of the lifecycle assertions (get, disable, list, delete).

Please update the mode to 'Disabled' in the snippet as intended, and update the corresponding test assertions in storageTest.php (lines 1297 and 1305) to expect 'Disabled' instead of 'Enabled'.

        // Set to 'Enabled' to enforce the IP filters.
        // We use 'Disabled' here to prevent locking out the test runner.
        'mode' => 'Disabled',

'allowAllServiceAgentAccess' => true,
'publicNetworkSource' => [
'allowedIpCidrRanges' => ['1.2.3.0/24']
],
'vpcNetworkSources' => [
[
'network' => sprintf('projects/%s/global/networks/default', $projectId),
'allowedIpCidrRanges' => ['10.0.0.0/24']
]
]
];

$info = $bucket->update(['ipFilter' => $ipFilter]);

printf(
'Enabled IP filtering Rules for the Bucket: %s' . PHP_EOL,
$bucketName
);
}
# [END storage_enable_ip_filtering]

// The following 2 lines are only needed to run the samples
require_once __DIR__ . '/../../testing/sample_helpers.php';
\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
77 changes: 77 additions & 0 deletions storage/src/get_ip_filtering.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
<?php
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

/**
* For instructions on how to run the full sample:
*
* @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
*/

namespace Google\Cloud\Samples\Storage;

# [START storage_get_ip_filtering]
use Google\Cloud\Storage\StorageClient;

/**
* Retrieve the IP filtering rules for the bucket.
*
* @param string $bucketName The name of your Cloud Storage bucket.
* (e.g. 'my-bucket')
*/
function get_ip_filtering(string $bucketName): void
{
$storage = new StorageClient();
$bucket = $storage->bucket($bucketName);

$info = $bucket->info();

if (!isset($info['ipFilter'])) {
printf('Bucket %s has no IP Filter configured.' . PHP_EOL, $bucketName);
return;
}

$ipFilter = $info['ipFilter'];

printf('IP Filter Configuration for the Bucket %s:' . PHP_EOL, $bucketName);
printf('Mode: %s' . PHP_EOL, $ipFilter['mode']);

printf('Allow All Service Agent Access: %s' . PHP_EOL, var_export($ipFilter['allowAllServiceAgentAccess'], true));

@gemini-code-assist gemini-code-assist Bot Jun 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The key allowAllServiceAgentAccess might not be present in the $ipFilter array if it is not set or returned by the API. Accessing an undefined array key will trigger a PHP warning (which can be promoted to an exception in strict environments).

Using the null coalescing operator ?? provides a safe fallback.

    printf('Allow All Service Agent Access: %s' . PHP_EOL, var_export($ipFilter['allowAllServiceAgentAccess'] ?? false, true));


if (isset($ipFilter['publicNetworkSource']['allowedIpCidrRanges'])) {
printf('Allowed Public CIDR Ranges:' . PHP_EOL);
foreach ($ipFilter['publicNetworkSource']['allowedIpCidrRanges'] as $range) {
printf('- %s' . PHP_EOL, $range);
}
}

printf('Allow Cross Organization VPCs Access: %s' . PHP_EOL, var_export($ipFilter['allowCrossOrgVpcs'], true));

@gemini-code-assist gemini-code-assist Bot Jun 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The key allowCrossOrgVpcs might not be present in the $ipFilter array if it is not set or returned by the API. Accessing an undefined array key will trigger a PHP warning.

Using the null coalescing operator ?? provides a safe fallback.

    printf('Allow Cross Organization VPCs Access: %s' . PHP_EOL, var_export($ipFilter['allowCrossOrgVpcs'] ?? false, true));


if (isset($ipFilter['vpcNetworkSources'])) {
printf('Allowed VPC Network:' . PHP_EOL);
foreach ($ipFilter['vpcNetworkSources'] as $vpcNetwork) {
printf('- Network: %s' . PHP_EOL, $vpcNetwork['network']);
if (isset($vpcNetwork['allowedIpCidrRanges'])) {
printf('Allowed VPC CIDR Ranges: %s' . PHP_EOL, implode(', ', $vpcNetwork['allowedIpCidrRanges']));
}
}
}
}
# [END storage_get_ip_filtering]

// The following 2 lines are only needed to run the samples
require_once __DIR__ . '/../../testing/sample_helpers.php';
\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
53 changes: 53 additions & 0 deletions storage/src/list_buckets_ip_filtering.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
<?php
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

/**
* For instructions on how to run the full sample:
*
* @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/storage/README.md
*/

namespace Google\Cloud\Samples\Storage;

# [START storage_list_buckets_ip_filtering]
use Google\Cloud\Storage\StorageClient;

/**
* Lists all buckets including their IP filtering status.
*
* @param string $projectId The ID of your Google Cloud project.
* (e.g. 'my-project-id')
*/
function list_buckets_ip_filtering(string $projectId): void
{
$storage = new StorageClient([
'projectId' => $projectId
]);

printf('Buckets:' . PHP_EOL);
foreach ($storage->buckets() as $bucket) {
$info = $bucket->info();
$mode = $info['ipFilter']['mode'] ?? 'Not Configured';

printf('Bucket Name: %s, IP Filtering Mode: %s' . PHP_EOL, $bucket->name(), $mode);
}
}
# [END storage_list_buckets_ip_filtering]

// The following 2 lines are only needed to run the samples
require_once __DIR__ . '/../../testing/sample_helpers.php';
\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
Loading