Graham created the issue

Not sure if this is an enhancement or defect, so I'll let you guys make the call...

Having read through the Google information on Access Control: https://developers.google.com/storage/docs/accesscontrol

My understanding is that if you don't specific any permissions on upload, then the object should inherit the 'default ACL' specified on the bucket. But this doesn't appear to be the case for uploads in Cyberduck.

To test, I turned off everything in the Cyberduck Preferences\Transfers\Permissions by unticking both upload and download.

Then when I check the ACL on an object that been uploaded with Cyberduck, the FULL_CONTROL permission is explicitly set for my Google Storage ID.

If I repeat the same process using Google's 'gsutil', the behaviour explained in their document happens. The object gets an ACL based on the bucket's default ACL. Which, if the bucket was created with the defaults, would be the canned ACL 'project-private', which is then expanded out into the relevant permissions.

Would it be possible to have Cyberduck respect the default behaviour for uploads when no explicit permissions are applied? I.e. the uploaded object should inherit the permissions from the default ACL.

Even better (but not absolutely required), would be a section in the Preferences for 'Google Cloud Storage', where the 'canned ACLs' could be selected. I.e. Things like, 'project-private', 'private', 'public-read', etc.

(All the 'canned ACLs' and their meaning can be found from running 'gsutil help acls' - but I'm sure you know that!)

Now that would be outstanding!