IAM permissions for Cloud Storage
The following tables list the Identity and Access Management (IAM) permissions that are associated with Cloud Storage. IAM permissions are grouped into roles, and you assign roles to users and groups.
Bucket permissions
| Bucket permission name | Description |
| --- | --- |
| storage.buckets.create | Create new buckets in a project. |
| storage.buckets.createTagBinding | Create a new tag binding to a bucket. |
| storage.buckets.delete | Delete buckets. |
| storage.buckets.deleteTagBinding | Delete the tag binding on a bucket. |
| storage.buckets.enableObjectRetention | Enable object retention configurations on a bucket. |
| storage.buckets.get | Read bucket metadata, excluding IAM policies, and list or read the Pub/Sub notification configurations on a bucket. |
| storage.buckets.getIamPolicy | Read bucket IAM policies. |
| storage.buckets.getObjectInsights | Read object metadata in inventory reports. |
| storage.buckets.list | List buckets in a project. Also read bucket metadata, excluding IAM policies, when listing. |
| storage.buckets.listEffectiveTags | List all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project. |
| storage.buckets.listTagBindings | List tags directly attached to a bucket. |
| storage.buckets.restore | Bulk restore objects that have been soft-deleted. |
| storage.buckets.setIamPolicy | Update bucket IAM policies. |
| storage.buckets.update | Update bucket metadata, excluding IAM policies, and add or remove a Pub/Sub notification configuration on a bucket. Also read bucket metadata, excluding IAM policies, when updating. |
Managed folder permissions
| Managed folder permission name | Description |
| --- | --- |
| storage.managedFolders.create | Create a managed folder. |
| storage.managedFolders.delete | Delete a managed folder. |
| storage.managedFolders.get | Read a managed folder. |
| storage.managedFolders.getIamPolicy | Read managed folder IAM policies. |
| storage.managedFolders.list | List the managed folders in a bucket or folder. |
| storage.managedFolders.setIamPolicy | Update managed folder IAM policies. |
Object permissions
| Object permission name | Description |
| --- | --- |
| storage.objects.create | Add new objects to a bucket. |
| storage.objects.delete | Delete objects. |
| storage.objects.get | Read object data and metadata, excluding ACLs. |
| storage.objects.getIamPolicy | Read object ACLs, returned as IAM policies. |
| storage.objects.list | List objects in a bucket. Also read object metadata, excluding ACLs, when listing. |
| storage.objects.overrideUnlockedRetention | Use the x-goog-bypass-governance-retention header or the overrideUnlockedRetention query parameter when working with object retention configurations. |
| storage.objects.restore | Restore objects that have been soft-deleted. |
| storage.objects.setIamPolicy | Update object ACLs. |
| storage.objects.setRetention | Add or update retentions for objects. |
| storage.objects.update | Update object metadata, excluding ACLs. Also read object metadata, excluding ACLs, when updating. |
HMAC key permissions
| HMAC key permission name | Description |
| --- | --- |
| storage.hmacKeys.create | Create new HMAC keys for service accounts in a project. |
| storage.hmacKeys.delete | Delete existing HMAC keys. |
| storage.hmacKeys.get | Read HMAC key metadata. |
| storage.hmacKeys.list | List the metadata of HMAC keys in a project. |
| storage.hmacKeys.update | Update HMAC key status. |
Multipart upload permissions
| Multipart upload permission name | Description |
| --- | --- |
| storage.multipartUploads.create | Upload objects in multiple parts. |
| storage.multipartUploads.abort | Abort multipart upload sessions. |
| storage.multipartUploads.listParts | List the uploaded object parts in a multipart upload session. |
| storage.multipartUploads.list | List the multipart upload sessions in a bucket. |
Storage Insights inventory report permissions
| Inventory report permission name | Description |
| --- | --- |
| storageinsights.reportConfigs.create | Create inventory report configurations. |
| storageinsights.reportConfigs.delete | Delete inventory report configurations. |
| storageinsights.reportConfigs.get | Retrieve inventory report configurations. |
| storageinsights.reportConfigs.list | List inventory report configurations. |
| storageinsights.reportConfigs.update | Modify inventory report configurations. |
| storageinsights.reportDetails.get | Retrieve inventory reports. |
| storageinsights.reportDetails.list | List inventory reports. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-05-30 UTC.