This is true of both bucket and blob.

It is a bit nuanced since the ACLs can be in both the bucket resource / object resource but can also be retried retrieved directly via storage.objectAccessControls.get, etc.

(ADDED by DJH): This is even more contrived since the ACL specific API methods also require an entity. (This especially frustrates @tseaver.)