diff --git a/httpd/httpd_test.go b/httpd/httpd_test.go
index bab633a2..507b5f14 100644
--- a/httpd/httpd_test.go
+++ b/httpd/httpd_test.go
@@ -2637,6 +2637,7 @@ func TestUserHiddenFields(t *testing.T) {
 u2.FsConfig.Provider = sdk.GCSFilesystemProvider
 u2.FsConfig.GCSConfig.Bucket = "test"
 u2.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret("fake credentials")
+ u2.FsConfig.GCSConfig.ACL = "bucketOwnerRead"
 user2, _, err := httpdtest.AddUser(u2, http.StatusCreated)
 assert.NoError(t, err)
@@ -2804,6 +2805,7 @@ func TestUserHiddenFields(t *testing.T) {
 // update the GCS user and check that the credentials are preserved
 user2.FsConfig.GCSConfig.Credentials = kms.NewEmptySecret()
+ user2.FsConfig.GCSConfig.ACL = "private"
 _, _, err = httpdtest.UpdateUser(user2, http.StatusOK, "")
 assert.NoError(t, err)
@@ -13385,6 +13387,7 @@ func TestWebUserGCSMock(t *testing.T) {
 user.FsConfig.GCSConfig.Bucket = "test"
 user.FsConfig.GCSConfig.KeyPrefix = "somedir/subdir/"
 user.FsConfig.GCSConfig.StorageClass = "standard"
+ user.FsConfig.GCSConfig.ACL = "publicReadWrite"
 form := make(url.Values)
 form.Set(csrfFormToken, csrfToken)
 form.Set("username", user.Username)
@@ -13405,6 +13408,7 @@ func TestWebUserGCSMock(t *testing.T) {
 form.Set("fs_provider", "2")
 form.Set("gcs_bucket", user.FsConfig.GCSConfig.Bucket)
 form.Set("gcs_storage_class", user.FsConfig.GCSConfig.StorageClass)
+ form.Set("gcs_acl", user.FsConfig.GCSConfig.ACL)
 form.Set("gcs_key_prefix", user.FsConfig.GCSConfig.KeyPrefix)
 form.Set("pattern_path0", "/dir1")
 form.Set("patterns0", "*.jpg,*.png")
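Review bot: The fixture value in TestWebUserGCSMock, `user.FsConfig.GCSConfig.ACL = "publicReadWrite"`, is listed in the GCS predefined-ACL table as applying to buckets only, so the test passing suggests the new field is stored without any check that the name is a valid object ACL. Consider switching the fixture to an object-level value such as `publicRead` or `bucketOwnerFullControl`, and adding a case that posts an unknown `gcs_acl` string and asserts the expected status, so the accepted set is pinned by a test. The two hunks in TestUserHiddenFields only cover round-tripping valid names. Both test functions start and end outside these hunks.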
@@ -13441,6 +13445,7 @@ func TestWebUserGCSMock(t *testing.T) {
 assert.Equal(t, user.FsConfig.Provider, updateUser.FsConfig.Provider)
 assert.Equal(t, user.FsConfig.GCSConfig.Bucket, updateUser.FsConfig.GCSConfig.Bucket)
 assert.Equal(t, user.FsConfig.GCSConfig.StorageClass, updateUser.FsConfig.GCSConfig.StorageClass)
+ assert.Equal(t, user.FsConfig.GCSConfig.ACL, updateUser.FsConfig.GCSConfig.ACL)
 assert.Equal(t, user.FsConfig.GCSConfig.KeyPrefix, updateUser.FsConfig.GCSConfig.KeyPrefix)
 if assert.Len(t, updateUser.Filters.FilePatterns, 1) {
 assert.Equal(t, "/dir1", updateUser.Filters.FilePatterns[0].Path)
diff --git a/httpd/schema/openapi.yaml b/httpd/schema/openapi.yaml
index 4b74ee17..a4d628d7 100644
--- a/httpd/schema/openapi.yaml
+++ b/httpd/schema/openapi.yaml
@@ -4234,6 +4234,9 @@ components:
 * `1` - enabled, we try to use the Application Default Credentials (ADC) strategy to find your application's credentials
 storage_class:
 type: string
+ acl:
+ type: string
+ description: 'The ACL to apply to uploaded objects. Leave empty to use the default ACL. For more information and available ACLs, refer to the JSON API here: https://cloud.google.com/storage/docs/access-control/lists#predefined-acl'
 key_prefix:
 type: string
 description: 'key_prefix is similar to a chroot directory for a local filesystem. If specified the user will only see contents that starts with this prefix and so you can restrict access to a specific virtual folder. The prefix, if not empty, must not start with "/" and must end with "/". If empty the whole bucket contents will be available'
diff --git a/httpd/webadmin.go b/httpd/webadmin.go
index 73b668ab..d294147f 100644
--- a/httpd/webadmin.go
+++ b/httpd/webadmin.go
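Review bot: The `acl` description in the openapi.yaml hunk does not say that this value decides who can read every object the user uploads, nor which names the server accepts; the same wording is reused for the `ACL` field comment in sdk/filesystem.go. I would add a sentence such as `Public ACLs, for example publicRead, make uploaded objects readable by anyone; leave empty or use private unless public access is intended.` If the accepted names are a fixed set, an `enum` on the property would let API clients catch typos before the request reaches the server. It may also be worth noting that, as far as I know, buckets with uniform bucket-level access enabled reject requests that set object ACLs, so uploads could fail there when this field is non-empty.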
@@ -859,6 +859,7 @@ func getGCSConfig(r *http.Request) (vfs.GCSFsConfig, error) {
 config.Bucket = r.Form.Get("gcs_bucket")
 config.StorageClass = r.Form.Get("gcs_storage_class")
+ config.ACL = r.Form.Get("gcs_acl")
 config.KeyPrefix = r.Form.Get("gcs_key_prefix")
 autoCredentials := r.Form.Get("gcs_auto_credentials")
 if autoCredentials != "" {
diff --git a/httpdtest/httpdtest.go b/httpdtest/httpdtest.go
index d15a7071..8386acbd 100644
--- a/httpdtest/httpdtest.go
+++ b/httpdtest/httpdtest.go
@@ -1299,6 +1299,9 @@ func compareGCSConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) error {
 if expected.GCSConfig.StorageClass != actual.GCSConfig.StorageClass {
 return errors.New("GCS storage class mismatch")
 }
+ if expected.GCSConfig.ACL != actual.GCSConfig.ACL {
+ return errors.New("GCS ACL mismatch")
+ }
 if expected.GCSConfig.KeyPrefix != actual.GCSConfig.KeyPrefix &&
 expected.GCSConfig.KeyPrefix+"/" != actual.GCSConfig.KeyPrefix {
 return errors.New("GCS key prefix mismatch")
diff --git a/sdk/filesystem.go b/sdk/filesystem.go
index a6ff61dd..229f2d08 100644
--- a/sdk/filesystem.go
+++ b/sdk/filesystem.go
@@ -144,6 +144,10 @@ type GCSFsConfig struct {
 // 0 explicit, 1 automatic
 AutomaticCredentials int `json:"automatic_credentials,omitempty"`
 StorageClass string `json:"storage_class,omitempty"`
+ // The ACL to apply to uploaded objects. Leave empty to use the default ACL.
+ // For more information and available ACLs, refer to the JSON API here:
+ // https://cloud.google.com/storage/docs/access-control/lists#predefined-acl
+ ACL string `json:"acl,omitempty"`
 }
 // AzBlobFsConfig defines the configuration for Azure Blob Storage based filesystem
diff --git a/templates/webadmin/fsconfig.html b/templates/webadmin/fsconfig.html
index dd3096c5..b7aff5df 100644
--- a/templates/webadmin/fsconfig.html
+++ b/templates/webadmin/fsconfig.html
@@ -109,7 +109,7 @@
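Review bot: `config.ACL = r.Form.Get("gcs_acl")` in getGCSConfig copies the form value into the config unchanged, so stray whitespace or an unsupported name is saved and would presumably only fail later, at upload time. Trimming at this point, `config.ACL = strings.TrimSpace(r.Form.Get("gcs_acl"))` (assuming `strings` is already imported in webadmin.go), and rejecting names outside the object-level predefined ACLs in the filesystem validation would surface the error when the admin saves the user; that validation is not visible in this diff, so it may already exist. Because a public ACL exposes every object the user uploads, a change to this field is also worth recording in whatever admin audit logging the project has. getGCSConfig starts and ends outside the hunk.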
- +