According to the documentation, the answer appears to be yes, I can.

However, when I send a PATCH request, the response from the server is a 405 Method Not Allowed With an Allow DELETE, GET, HEAD, OPTIONS, POST, PUT header in the response.

You may note that the documentation provides for using a POST method with the header X-Http-Method-Override: PATCH in case a proxy somewhere doesn’t like the PATCH method.

I have tried that with the exact same result – 405 Method Not Allowed.

Here are all the request headers:

:authority: storage.googleapis.com
:method: POST
:path: /cloud-storage-manager-test-bucket/alice.png?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=sweetvine-testing-service-acco%40sweetvine-systems-infra.iam.gserviceaccount.com%2F20240424%2Fauto%2Fstorage%2Fgoog4_request&X-Goog-Date=20240424T213255Z&X-Goog-Expires=3600&X-Goog-Signedheaders=host&x-goog-signature=0a068071f7e2ad6d3b725fded2f0fac6916d5c9481a9ce5c165b3b79b98bc6315653bd7ff034863a3edbc85147af3eba0edb532ac233834914d4e782c72770b2c504f4f08738aac7b6a184126a7ac8f2cb4f381da7be59c1cbb8e3017fd1cc1bd23ae5497ec13267de6c119db438589828a1542b8c8ab295be0b0d68bb0fe421f69dc72024b3b2997dd496d4edab79ec1ccbb3265031e3e5727ff27b60a422307deda1b67dc58e7eab5848e577cb4ddc0dd583c1b2daf3ffba7b41aa41944bd440c971cbad59f15d5fa4b7af3c43956f001a27ea84ae017f916372995b909d7b0a1f0dbc70100657d5125d66646ccf674ae7f74faa05e9ad2b86886f21171403
:scheme: https
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Content-Length: 28
Content-Type: text/plain;charset=UTF-8
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/
Sec-Ch-Ua: "Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
X-Client-Data: <gibberish omitted>
Decoded: <ClientVariations omitted>
X-Http-Method-Override: PATCH

Interestingly enough, the console seems to be telling me that there was a CORS violation, but that appears to be nonsense, since the preflight request returned 200(OK)

For the sake of completeness, though, here are the preflight response headers:

Access-Control-Allow-Headers: x-http-method-override
Access-Control-Allow-Methods: GET,PUT,POST,PATCH,DELETE,HEAD,OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: private, max-age=0
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Wed, 24 Apr 2024 21:32:55 GMT
Expires: Wed, 24 Apr 2024 21:32:55 GMT
Server: UploadServer
X-Guploader-Uploadid: <numbers and letters>

And, the payload of the PATCH request is some very simple JSON. For the purposes of testing I want to set the tag avatar to the value true:

{"metadata":{"avatar":true}}

It is very hard to believe that Google would publish docs that say “use PATCH” and then not allow PATCH. What else could this be, though. I’m not seeing it.