You grant access to Filestore operations by granting Identity and Access Management (IAM) roles to users.
IAM permissions only control access to Filestore operations, like creating a Filestore instance. To control access to operations on the file share, like read or execute, use POSIX file permissions.
Use Filestore roles
To grant Filestore permissions to users, use the
Filestore Editor (roles/file.editor) and Filestore
Viewer (roles/file.viewer) roles. If you prefer, you can also use
basic roles for this purpose.
Use the following table to see the Filestore permissions associated with Filestore roles.
| Permission | Action | Filestore Editor | Filestore Viewer |
| file.locations.get | Get information about a location supported by this service. | ✓ | ✓ |
| file.locations.list | List information about the supported locations for this service. | ✓ | ✓ |
| file.instances.create | Create a Filestore instance. | ✓ | |
| file.instances.update | Update a Filestore instance. | ✓ | |
| file.instances.delete | Delete a Filestore instance. | ✓ | |
| file.instances.get | Get details about a specific Filestore instance. | ✓ | ✓ |
| file.instances.list | List the Filestore instances in the project. | ✓ | ✓ |
| file.operations.get | Get the status of a Filestore instance operation. | ✓ | ✓ |
| file.operations.list | List Filestore instance operations. | ✓ | ✓ |
| file.operations.cancel | Cancel a Filestore instance operation. | ✓ | |
| file.operations.delete | Delete a Filestore instance operation. | ✓ | |
| file.backups.create | Create a Filestore backup. | ✓ | |
| file.backups.update | Update a Filestore backup. | ✓ | |
| file.backups.delete | Delete a Filestore backup. | ✓ | |
| file.backups.get | Get details about a specific Filestore backup. | ✓ | ✓ |
| file.backups.list | List the Filestore backups in the project. | ✓ | ✓ |
| file.snapshots.create | Create a Filestore snapshot. | ✓ | |
| file.snapshots.update | Update a Filestore snapshot. | ✓ | |
| file.snapshots.delete | Delete a Filestore snapshot. | ✓ | |
| file.snapshots.get | Get details about a specific Filestore snapshot. | ✓ | ✓ |
| file.snapshots.list | List the Filestore snapshot in the project. | ✓ | ✓ |
Using basic roles
Filestore permissions are also associated with the IAM basic roles of owner, editor, and viewer. To grant Filestore permissions to users, you can use these roles in addition to the Filestore roles.
Use the following table to see the Filestore permissions associated with basic roles.
| Permission | Action | Project Owner | Project Editor | Project Viewer |
| file.locations.get | Get information about a location supported by this service. | ✓ | ✓ | ✓ |
| file.locations.list | List information about the supported locations for this service. | ✓ | ✓ | ✓ |
| file.instances.create | Create a Filestore instance. | ✓ | ✓ | |
| file.instances.update | Update a Filestore instance. | ✓ | ✓ | |
| file.instances.delete | Delete a Filestore instance. | ✓ | ✓ | |
| file.instances.get | Get details about a specific Filestore instance. | ✓ | ✓ | ✓ |
| file.instances.list | List the Filestore instances in the project. | ✓ | ✓ | ✓ |
| file.operations.get | Get the status of a Filestore instance operation. | ✓ | ✓ | ✓ |
| file.operations.list | List Filestore instance operations. | ✓ | ✓ | ✓ |
| file.operations.cancel | Cancel a Filestore instance operation. | ✓ | ✓ | |
| file.operations.delete | Delete a Filestore instance operation. | ✓ | ✓ | |
| file.backups.create | Create a Filestore backup. | ✓ | ✓ | file.backups.update | Update a Filestore backup. | ✓ | ✓ |
| file.backups.delete | Delete a Filestore backup. | ✓ | ✓ | |
| file.backups.get | Get details about a specific Filestore backup. | ✓ | ✓ | ✓ |
| file.backups.list | List the Filestore backups in the project. | ✓ | ✓ | ✓ | file.snapshots.create | Create a Filestore snapshot. | ✓ | ✓ | file.snapshots.update | Update a Filestore snapshot. | ✓ | ✓ |
| file.snapshots.delete | Delete a Filestore snapshot. | ✓ | ✓ | |
| file.snapshots.get | Get details about a specific Filestore snapshot. | ✓ | ✓ | ✓ |
| file.snapshots.list | List the Filestore snapshot in the project. | ✓ | ✓ | ✓ |
Custom roles
If the predefined IAM roles don't meet your needs, you can define a custom role
with permissions that you specify using IAM's
custom roles.
When you create custom roles for Filestore, make sure that you
include both resourcemanager.projects.get and resourcemanager.projects.list
so that the role has permission to query project resources.
Related roles
Other roles may be required for access to other Google Cloud services. For example, if you want to view or monitor metrics related to Filestore instance performance, you'll need access to the following roles:
- Monitoring Viewer
- Monitoring Editor
To see how to grant access to these roles and others, see Grant access to Cloud Monitoring.
Next steps
Try one of the Filestore quickstarts:
- Using the Google Cloud console
- Using the Google Cloud CLI