Access control using IAM roles and permissions

Overview

Storage Transfer Service uses Identity and Access Management (IAM) permissions and roles to control who can access Storage Transfer Service resources. The two main types of resources available in Storage Transfer Service are jobs and operations. In the IAM policy hierarchy, jobs are child resources of projects, and operations are child resources of jobs.

To grant access to a resource, you assign one or more roles to a user, group, or service account.

Roles and permissions

Predefined roles comparison matrix

You can assign the following Storage Transfer Service predefined roles:

Capability | roles/storagetransfer.admin | roles/storagetransfer.user | roles/storagetransfer.viewer
List/get jobs | Yes | Yes | Yes
Create jobs | Yes | Yes | No
Update jobs | Yes | Yes | No
Delete jobs | Yes | No | No
List/get transfer operations | Yes | Yes | Yes
Pause/resume transfer operations | Yes | Yes | No
Read Google service account details that are used by Storage Transfer Service to access Cloud Storage buckets | Yes | Yes | Yes

Permissions

You can assign the following Storage Transfer Service permissions:

Permission | Description
storagetransfer.projects.getServiceAccount | Can read the GoogleServiceAccount used by the Storage Transfer Service to access Cloud Storage buckets.
storagetransfer.jobs.create | Can create new transfer jobs.
storagetransfer.jobs.patch | Can update transfer job configurations without deleting them.
storagetransfer.jobs.get | Can retrieve specific jobs.
storagetransfer.jobs.delete | Can delete existing transfer jobs. Note: transfer jobs are deleted by calling the patch method, but users must still hold this permission when deleting transfer jobs to avoid permission errors.
storagetransfer.jobs.list | Can list all transfer jobs.
storagetransfer.operations.get | Can get details of transfer operations.
storagetransfer.operations.list | Can list all transfer job operations.
storagetransfer.operations.cancel | Can cancel transfer operations.
storagetransfer.operations.pause | Can pause transfer operations.
storagetransfer.operations.resume | Can resume paused transfer operations.

When creating custom roles, the best practice is to base them on the predefined roles, so that the right combination of permissions is included together.

Predefined roles details

The following table describes in detail the predefined roles for Storage Transfer Service:

Role Description Included Permissions

roles/storagetransfer.admin

Provides all Storage Transfer Service permissions, including deleting jobs.

Rationale: This is the highest-level role with the broadest responsibilities: the superuser who supports colleagues as they perform transfers. It is most suitable for people who administer transfers, such as IT admins.

All permissions granted

roles/storagetransfer.user

Provides permissions to create, get, update, and list transfer jobs within the project. However, users with this role can't delete jobs, including their own.

Rationale: This role separates creating and maintaining jobs from deleting them. It is best suited for users who must execute transfers as part of their job function, such as an employee. Because it doesn't allow transfers to be deleted, auditors or security personnel can view a fully preserved record of past transfers.

  • storagetransfer.projects.getServiceAccount
  • storagetransfer.jobs.create
  • storagetransfer.jobs.patch
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.operations.get
  • storagetransfer.operations.list
  • storagetransfer.operations.pause
  • storagetransfer.operations.resume

roles/storagetransfer.viewer

Provides permissions to list and get jobs and transfer operations within the project. The user can't schedule, update, or delete jobs.

Rationale: The viewer role is intended for read-only access to view transfer jobs and operations. This role allows separating the report and auditing tasks from creating and maintaining jobs. This role is most suitable for users or internal teams that audit transfer usage, such as security, compliance, or business unit leaders.

  • storagetransfer.projects.getServiceAccount
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.operations.get
  • storagetransfer.operations.list
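The following is an added example, not code from Google or from this documentation page. It encodes the three predefined roles exactly as the page lists their permissions and uses them for three checks a policy reviewer wants: the effective Storage Transfer Service permissions a member holds under an IAM policy (the role bindings described under Overview), whether that member can actually delete jobs given the caveat that deletion goes through patch but still requires jobs.delete, and whether a proposed custom role merely duplicates a predefined one (the custom-role best practice above). The sample policy, member names and project name are constructed for illustration; treating jobs.patch as required alongside jobs.delete is this example's assumption.

```python
"""Least-privilege checks for Storage Transfer Service IAM roles (added example)."""

# Permission sets copied from the predefined-role descriptions on this page.
VIEWER = frozenset({
    "storagetransfer.projects.getServiceAccount",
    "storagetransfer.jobs.get",
    "storagetransfer.jobs.list",
    "storagetransfer.operations.get",
    "storagetransfer.operations.list",
})
USER = VIEWER | {
    "storagetransfer.jobs.create",
    "storagetransfer.jobs.patch",
    "storagetransfer.operations.pause",
    "storagetransfer.operations.resume",
}
ADMIN = USER | {
    "storagetransfer.jobs.delete",
    "storagetransfer.operations.cancel",
}

# Ordered narrowest to broadest, so the first covering role is the least privileged.
PREDEFINED_ROLES = {
    "roles/storagetransfer.viewer": VIEWER,
    "roles/storagetransfer.user": USER,
    "roles/storagetransfer.admin": ADMIN,
}
ALL_PERMISSIONS = ADMIN  # admin is documented as "all permissions granted"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storagetransfer.admin",
         "members": ["group:transfer-admins@example.com"]},
        {"role": "roles/storagetransfer.user",
         "members": ["user:alice@example.com",
                     "serviceAccount:pipeline@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storagetransfer.viewer",
         "members": ["group:security-audit@example.com"]},
    ]
}


def effective_permissions(policy, member):
    """Union of the Storage Transfer Service permissions bound to `member`.

    Only the three roles modeled above are understood; any other role in the
    policy is ignored, so the result is a lower bound. Group membership is not
    expanded: a member matches only if it is listed literally in a binding.
    """
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= PREDEFINED_ROLES.get(binding["role"], frozenset())
    return frozenset(perms)


def can_delete_jobs(perms):
    """The page states that deletion is issued through the patch call but still
    requires jobs.delete. Requiring both is this example's assumption."""
    return {"storagetransfer.jobs.patch", "storagetransfer.jobs.delete"} <= set(perms)


def narrowest_predefined_role(needed):
    """Least-privileged predefined role that covers every permission in `needed`."""
    needed = frozenset(needed)
    unknown = needed - ALL_PERMISSIONS
    if unknown:
        raise ValueError(f"not Storage Transfer Service permissions: {sorted(unknown)}")
    for role, perms in PREDEFINED_ROLES.items():
        if needed <= perms:
            return role
    raise AssertionError("unreachable: admin covers every permission")


def review_custom_role(perms):
    """Findings for a proposed custom role, following the page's advice to
    build custom roles from the predefined ones."""
    perms = frozenset(perms)
    findings = []
    unknown = perms - ALL_PERMISSIONS
    if unknown:
        findings.append(f"unknown permissions: {sorted(unknown)}")
    for role, role_perms in PREDEFINED_ROLES.items():
        if perms == role_perms:
            findings.append(f"identical to {role}; grant the predefined role instead")
    if "storagetransfer.jobs.delete" in perms and "storagetransfer.jobs.patch" not in perms:
        findings.append("grants jobs.delete without jobs.patch; the page says deletes go through patch")
    return findings


if __name__ == "__main__":
    for member in ("user:alice@example.com", "group:security-audit@example.com"):
        held = effective_permissions(SAMPLE_POLICY, member)
        print(f"{member}: {len(held)} permissions, can delete jobs: {can_delete_jobs(held)}")
    print(narrowest_predefined_role(["storagetransfer.jobs.get", "storagetransfer.operations.pause"]))
    print(review_custom_role(VIEWER))
```

Running it shows alice holding the nine user-role permissions without the ability to delete, the audit group holding the five viewer permissions, `roles/storagetransfer.user` as the narrowest role for get-plus-pause, and a finding that a custom role with exactly the viewer permissions should simply be the predefined viewer role.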
