Access control with IAM

Storage Transfer Service uses Identity and Access Management (IAM) permissions and roles to control who can access Storage Transfer Service resources. The two main types of resources available in Storage Transfer Service are jobs and operations. In the IAM policy hierarchy, jobs are child resources of projects, and operations are child resources of jobs.

To grant access to a resource, you assign one or more permissions or roles to a user, group, or service account.

Permissions

You can grant the following Storage Transfer Service permissions:

Transfer project permission

Permission Description
storagetransfer.projects.getServiceAccount Can read the GoogleServiceAccount used by the Storage Transfer Service to access Cloud Storage buckets.

Transfer job permissions

The following table describes permissions for Storage Transfer Service jobs:

Permission Description
storagetransfer.jobs.create Can create new transfer jobs.
storagetransfer.jobs.delete Can delete existing transfer jobs.
    Note: Transfer jobs are deleted by calling the patch function. However, users must have this permission when deleting transfer jobs to avoid permission errors.
storagetransfer.jobs.get Can retrieve specific jobs.
storagetransfer.jobs.list Can list all transfer jobs.
storagetransfer.jobs.patch Can update transfer job configurations without deleting them.

Transfer operations permissions

The following table describes permissions for Storage Transfer Service operations:

Permission Description
storagetransfer.operations.cancel Can cancel transfer operations.
storagetransfer.operations.get Can get details of transfer operations.
storagetransfer.operations.list Can list all transfer job operations.
storagetransfer.operations.pause Can pause transfer operations.
storagetransfer.operations.resume Can resume paused transfer operations.

Transfer agent pool permissions

The following table describes permissions for Transfer for on-premises agent pools:

Permission Description
storagetransfer.agentpools.create Can create agent pools.
storagetransfer.agentpools.update Can update agent pools.
storagetransfer.agentpools.delete Can delete agent pools.
storagetransfer.agentpools.get Can get information on specific agent pools.
storagetransfer.agentpools.list Can list information for all agent pools in the project.

Storage Transfer Service roles

This section describes roles that you can set for Storage Transfer Service, and guidance for creating custom roles.

Storage Transfer Service predefined roles comparison

You can assign the project-level Editor role (roles/editor) or one of the following Storage Transfer Service predefined roles: Admin (roles/storagetransfer.admin), User (roles/storagetransfer.user), and Viewer (roles/storagetransfer.viewer). The table shows which capabilities each predefined role provides, based on the permissions each role includes:

Capability                                                     Admin  User  Viewer
List/get jobs                                                  Yes    Yes   Yes
Create jobs                                                    Yes    Yes   No
Update jobs                                                    Yes    Yes   No
Delete jobs                                                    Yes    No    No
List/get transfer operations                                   Yes    Yes   Yes
Pause/resume transfer operations                               Yes    Yes   No
Read details of the Google service account that Storage        Yes    Yes   Yes
Transfer Service uses to access Cloud Storage buckets

The Update jobs permission doesn't include permission to delete jobs.

For Transfer for on-premises, the Storage Transfer Admin (roles/storagetransfer.admin) role is required to:

  • List agents
  • Read the project's bandwidth limit
  • Set the project's bandwidth limit

Storage Transfer Service predefined roles details

The following describes in detail the predefined roles for Storage Transfer Service, with the rationale for each role and the permissions it includes:

Storage Transfer Admin (roles/storagetransfer.admin)

Description: Provides all Storage Transfer Service permissions, including deleting jobs.

Rationale: This is the highest-level role with the broadest responsibilities, the superuser who supports their colleagues as they perform transfers. It is most suitable for people who will administer transfers, such as IT admins.

Included permissions: all Storage Transfer Service permissions.

Storage Transfer User (roles/storagetransfer.user)

Description: Provides permissions for the user to create, get, update, and list transfer jobs within the project. However, users with this role can't delete their own jobs.

Rationale: This role separates creating and maintaining jobs from deleting jobs. It is best suited for users who are required to execute transfers as part of their job function, such as an employee. Because the role doesn't allow transfers to be deleted, auditors or security personnel can view a fully preserved record of past transfers.

Included permissions:

  • storagetransfer.projects.getServiceAccount
  • storagetransfer.jobs.create
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.jobs.patch
  • storagetransfer.operations.get
  • storagetransfer.operations.list
  • storagetransfer.operations.pause
  • storagetransfer.operations.resume

Storage Transfer Viewer (roles/storagetransfer.viewer)

Description: Provides permissions to list and get jobs and transfer operations within the project. The user can't schedule, update, or delete jobs.

Rationale: The viewer role is intended for read-only access to transfer jobs and operations. It separates reporting and auditing tasks from creating and maintaining jobs. This role is most suitable for users or internal teams that audit transfer usage, such as security, compliance, or business unit leaders.

Included permissions:

  • storagetransfer.projects.getServiceAccount
  • storagetransfer.jobs.get
  • storagetransfer.jobs.list
  • storagetransfer.operations.get
  • storagetransfer.operations.list

Transfer agent pool roles

This section describes roles that you can set for Transfer for on-premises agent pools.

Transfer agent pool roles comparison

You can assign the following Transfer for on-premises agent pool predefined roles: Admin (roles/storagetransfer.agentpools.admin), User (roles/storagetransfer.agentpools.user), and Viewer (roles/storagetransfer.agentpools.viewer). The table shows which capabilities each role provides, based on the permissions each role includes:

Capability            Admin  User  Viewer
List agent pools      Yes    Yes   Yes
Create agent pools    Yes    Yes   No
Update agent pools    Yes    Yes   No
Delete agent pools    Yes    No    No
Get agent pools       Yes    Yes   Yes

Transfer agent pool details

The following describes in detail the predefined roles for on-premises transfer agent pools, with the rationale for each role and the permissions it includes:

Storage Transfer AgentPool Admin (roles/storagetransfer.agentpools.admin)

Description: Provides all Transfer for on-premises agent pool permissions, including deleting agent pools.

Rationale: This is the highest-level role with the broadest agent pool permissions, for the superuser who sets up and manages agent pools on behalf of transfer users. It is most suitable for people who will administer transfers, such as IT admins.

Included permissions:

  • storagetransfer.agentpools.create
  • storagetransfer.agentpools.update
  • storagetransfer.agentpools.delete
  • storagetransfer.agentpools.get
  • storagetransfer.agentpools.list

Storage Transfer AgentPool User (roles/storagetransfer.agentpools.user)

Description: Provides permissions for the user to create, update, get, and list agent pools within the project. However, users with this role can't delete their own agent pools.

Rationale: This role separates creating and maintaining agent pools from deleting agent pools. It is best suited for users who are required to set up and monitor agent pools, such as employees.

Included permissions:

  • storagetransfer.agentpools.create
  • storagetransfer.agentpools.update
  • storagetransfer.agentpools.get
  • storagetransfer.agentpools.list

Storage Transfer AgentPool Viewer (roles/storagetransfer.agentpools.viewer)

Description: Provides permissions for the user to get and list agent pools within the project.

Rationale: This role separates viewing agent pools from maintaining or deleting agent pools. It is best suited for users who are required to execute transfers as part of their job function, such as employees.

Included permissions:

  • storagetransfer.agentpools.get
  • storagetransfer.agentpools.list

Custom roles

The best practice when creating custom roles is to start from the predefined roles, so that the right combination of permissions is included together.

The Cloud Console will not work properly if a custom role is missing required permissions. For example, some parts of the Cloud Console assume the role has read access to display an item before editing it, so a role that has only write permissions will encounter Cloud Console screens that don't work.
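The following script is an added example, not code from the Google Cloud documentation. It encodes the predefined roles listed on this page, builds a custom role from one of them, and flags two things before you run gcloud: permissions that are not Storage Transfer Service permissions, and write permissions granted without the matching read permissions the Cloud Console needs. The read-before-write pairing (a write on a resource needs get and list on that resource) and the role id and project name are assumptions for illustration.

```python
# Added example: validate a proposed Storage Transfer Service custom role.
# Predefined role contents are taken from this page; READ_FOR_WRITE is an
# assumed pairing derived from the Console's read-before-edit behaviour.

VIEWER = {
    "storagetransfer.projects.getServiceAccount",
    "storagetransfer.jobs.get", "storagetransfer.jobs.list",
    "storagetransfer.operations.get", "storagetransfer.operations.list",
}
USER = VIEWER | {
    "storagetransfer.jobs.create", "storagetransfer.jobs.patch",
    "storagetransfer.operations.pause", "storagetransfer.operations.resume",
}
AGENTPOOL_USER = {f"storagetransfer.agentpools.{v}" for v in ("create", "update", "get", "list")}
# Admin grants every permission on the page, including the destructive ones.
ADMIN = USER | AGENTPOOL_USER | {
    "storagetransfer.jobs.delete", "storagetransfer.operations.cancel",
    "storagetransfer.agentpools.delete",
}
PREDEFINED = {
    "roles/storagetransfer.viewer": VIEWER,
    "roles/storagetransfer.user": USER,
    "roles/storagetransfer.admin": ADMIN,
}

# Assumption: any write verb on a resource needs get and list on that resource.
READ_FOR_WRITE = {}
for perm in ADMIN:
    svc, resource, verb = perm.split(".")
    if verb not in ("get", "list", "getServiceAccount"):
        READ_FOR_WRITE[perm] = {f"{svc}.{resource}.get", f"{svc}.{resource}.list"}

def check_custom_role(permissions):
    """Return a list of problems; an empty list means the permission set looks sane."""
    problems = [f"not a Storage Transfer Service permission: {p}"
                for p in sorted(set(permissions) - ADMIN)]
    for write in sorted(set(permissions) & set(READ_FOR_WRITE)):
        for read in sorted(READ_FOR_WRITE[write] - set(permissions)):
            problems.append(f"{write} granted without {read}; Cloud Console screens will break")
    return problems

def extend_predefined(base, extra):
    """Build a custom role from a predefined role plus extra permissions (the best practice above)."""
    return set(PREDEFINED[base]) | set(extra)

def gcloud_create_command(role_id, project, permissions):
    """Render the gcloud command that would create the role; nothing is executed here."""
    return (f"gcloud iam roles create {role_id} --project={project} "
            f"--permissions={','.join(sorted(permissions))}")

if __name__ == "__main__":
    # A "job operator": everything the User role has plus cancel, still no delete.
    operator = extend_predefined("roles/storagetransfer.user", {"storagetransfer.operations.cancel"})
    print(check_custom_role(operator) or "operator role OK")
    print(gcloud_create_command("stsJobOperator", "example-project", operator))
    # A patch-only role: the Console cannot show a job it is not allowed to get.
    print(check_custom_role({"storagetransfer.jobs.patch"}))
```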
