Skip to content

Fix GCP Cloud Storage Bucket Cors Errors

DodaTech Updated 2026-06-26 2 min read

When working with GCP Cloud Storage, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with bucket cors and shows the exact fix.

A Common Mistake

Configuring CORS on a storage bucket but using incorrect origin or method values, causing browser-based applications to fail with CORS errors.

The incorrect command:

gsutil cors set cors.json gs://my-bucket
# cors.json:
# [{"origin": ["*"], "responseHeader": ["*"], "method": ["GET", "POST"], "maxAgeSeconds": 3600}]

Error output:

Setting CORS configuration on gs://my-bucket...
Browser console shows:
Access to fetch at 'https://storage.googleapis.com/my-bucket/data.json' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The wildcard origin '*' does not work with credentials (cookies, authorization headers).

The Correct Approach

The right way to configure bucket cors in GCP Cloud Storage:

gsutil cors set cors.json gs://my-bucket
# cors.json:
# [{"origin": ["https://app.example.com", "https://staging.app.example.com"], "responseHeader": ["Content-Type", "x-goog-meta-custom"], "method": ["GET", "HEAD", "OPTIONS"], "maxAgeSeconds": 86400}]

Successful result:

Setting CORS configuration on gs://my-bucket...
CORS is now configured for the specific application origins. Browser requests from app.example.com are allowed with GET/HEAD/OPTIONS methods.

How to Prevent This

Specify explicit origins instead of wildcards. Include OPTIONS in methods for preflight requests. Set maxAgeSeconds to 86400 to reduce preflight requests. Test CORS with curl -H "Origin: https://app.example.com" -H "Access-Control-Request-Method: GET" -X OPTIONS -v https://storage.googleapis.com/my-bucket/data.json. Use gsutil cors get gs://bucket to verify.

FAQ

Why does my bucket cors configuration fail in GCP Cloud Storage?

Configuration failures in GCP Cloud Storage usually stem from one of these causes: missing IAM permissions, incorrect parameter syntax, unfulfilled prerequisites, or incorrect API versions. Always run commands with --help first to verify parameter names and formats. Check Cloud Audit Logs for detailed error traces. The error message typically contains a link to the relevant documentation section.

How do I debug bucket cors issues in GCP Cloud Storage?

Start by enabling Cloud Logging for your service. Use gcloud logging read to query error logs. For IAM issues, use the Policy Analyzer tool. For networking issues, use gcloud compute firewall-rules list and VPC flow logs. For function/run issues, check the container logs with gcloud logging tail. Always validate your configuration with dry-run flags before applying to production.

What are the best practices for bucket cors in GCP Cloud Storage?

Use infrastructure-as-code (Terraform, Deployment Manager) for all configurations. Test changes in a non-production project first. Set up billing alerts to catch unexpected cost increases. Enable Cloud Audit Logs for all admin activities. Follow the principle of least privilege for IAM. Regularly review and update your configurations. Document all manual changes for compliance audits.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro