Use the Google Cloud project administrator, a user with resourcemanager.projects.setIamPolicy privileges, to grant Identity and Access Management (IAM) permissions or roles to the appropriate users and service accounts.
The Google Cloud project administrator account is only required to grant permissions to users and service accounts. It isn't required to start transfer jobs.
For more information on granting IAM roles, see Granting, changing, and revoking access to resources.
If you're interested in creating custom roles for Storage Transfer Service, see Understanding IAM custom roles.
Administrator accounts
Storage Transfer Service administrator accounts are superuser accounts that support colleagues who perform transfers. Admins manage transfer agents, set bandwidth usage limits, and can delete transfer jobs. Because the Storage Transfer Admin role can delete jobs and reconfigure agents, grant it to as few principals as possible.
To set up an administrator account, assign the following IAM permissions and roles:
Role / Permission | What it does | Notes |
---|---|---|
resourcemanager.projects.getIamPolicy | Used to confirm that the Google-managed service account has the required permissions for a transfer. | To grant this permission, grant the Role Viewer (roles/iam.roleViewer) predefined role, or create a custom role with this single permission and grant the custom role. |
Storage Transfer Admin (roles/storagetransfer.admin) | Enables administrative actions in the transfer project, such as project setup and agent monitoring. | For a detailed listing of permissions granted, see Storage Transfer Service Predefined roles. |
User accounts
Storage Transfer Service user accounts can create and run transfers. These accounts typically don't have permission to delete transfer jobs.
To set up a user account, assign the following permissions and roles to the account:
Role / Permission | What it does | Notes |
---|---|---|
resourcemanager.projects.getIamPolicy | Used to confirm that the Google-managed service account has the required Pub/Sub permissions for a transfer. | To grant this permission, grant the Role Viewer (roles/iam.roleViewer) predefined role, or create a custom role with this single permission and grant the custom role. |
Storage Transfer User (roles/storagetransfer.user) | Enables the user to create, get, update, and list transfers. | For a detailed listing of permissions granted, see Storage Transfer Service Predefined roles. |
Storage Object Admin (roles/storage.objectAdmin) | Enables the user to create, update, and delete Cloud Storage objects as part of a transfer. | Must be granted on every Cloud Storage bucket this account uses in transfers. For a detailed listing of permissions granted, see Cloud Storage Predefined roles. |
Service account
Storage Transfer Service uses a Google-managed service account to move your data. This service account is automatically created the first time you create a transfer job, create an agent pool, call googleServiceAccounts.get, or visit the job creation page in the Google Cloud console.
The service account's format is typically project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com.
To determine your specific PROJECT_NUMBER, use the googleServiceAccounts.get API call.
To allow the Storage Transfer Service service account access to resources needed to complete transfers, assign the following roles, or equivalent permissions, to the service account:
Role / Permission | What it does | Notes |
---|---|---|
Storage Object Creator (roles/storage.objectCreator) | Enables Storage Transfer Service to create transfer logs in the Cloud Storage bucket connected to this transfer. | Grant on all Cloud Storage buckets used in a transfer. If appropriate for your situation, you can grant the role at the project level on the project that Storage Transfer Service is running from. For a detailed listing of the permissions these roles grant, see Cloud Storage Predefined roles. |
Storage Object Viewer (roles/storage.objectViewer) | Enables Storage Transfer Service to determine whether a file has already been transferred to or from Cloud Storage. | |
Pub/Sub Editor (roles/pubsub.editor) | Enables Storage Transfer Service to automatically create and modify Pub/Sub topics to communicate from Google Cloud to transfer agents. | Apply the role at the project level on the project that Storage Transfer Service is running from. For a detailed listing of the permissions this role grants, see Pub/Sub Roles. |
Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) | Enables Storage Transfer Service to read Cloud Storage bucket metadata. | Grant on each Cloud Storage bucket used in a transfer. Cloud Storage |
Transfer agents
Storage Transfer Service transfer agents can run as either a user account or a service account. Prefer a dedicated service account for agents, so that the credentials on the agent hosts carry only this role and the bucket permissions described under Source and destination permissions, rather than the broader roles held by the person who creates jobs.
To set up the service account or user account that runs the transfer agents, assign the following role:
Role / Permission | What it does | Notes |
---|---|---|
Storage Transfer Agent (roles/storagetransfer.transferAgent) | Gives transfer agents the Storage Transfer Service and Pub/Sub permissions required to complete a transfer. | Grant this role to the user or service account used by the agents. For a detailed listing of the permissions this role grants, see Access Control with IAM. |
Source and destination permissions
You must also ensure that the agent account has the correct permissions to access the source data and to write to the destination.
File system to Cloud Storage
If your transfer's destination is a Cloud Storage bucket, the transfer agent needs the following permissions on the destination bucket. See Add a principal to a bucket-level policy for instructions.
Permission | Description |
---|---|
storage.objects.create | Allows the agent account to write Cloud Storage objects during the transfer. |
storage.objects.get | Allows the agent account to read object data and metadata. |
storage.objects.delete | Required if your transfer is configured to overwrite or delete objects in the sink; for example, if overwriteObjectsAlreadyExistingInSink or deleteObjectsUniqueInSink is set in your transfer's transferOptions configuration. |
To grant these permissions, grant the following role:
- Storage Object Admin (roles/storage.objectAdmin)
Or, create a custom role with the specific permissions and grant the custom role.
Cloud Storage to file system
If your transfer's source is a Cloud Storage bucket, the transfer agent needs the following permission on the source bucket.
Permission | Description |
---|---|
storage.objects.get | Allows the agent account to read object data and metadata. |
To grant this permission, grant the following role:
- Storage Object Viewer (roles/storage.objectViewer)
Or, create a custom role with the single permission and grant the custom role.
File system to file system
If your transfer is between two file systems, the transfer agent needs the following permissions on the intermediate bucket.
Permission | Description |
---|---|
storage.objects.create | Allows the agent account to write Cloud Storage objects during the transfer. |
storage.objects.get | Allows the agent account to read object data and metadata. |
storage.objects.delete | Required if your transfer is configured to delete objects in the intermediate bucket after the transfer is complete. |
To grant these permissions, grant the following role:
- Storage Object Admin (roles/storage.objectAdmin)
Or, create a custom role with the specific permissions and grant the custom role.
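The following script is an added example, not part of this page or of Storage Transfer Service itself. It checks a bucket's IAM policy against two of the tables above: the bucket-level roles required for the Google-managed service account (Service account section) and the permissions the agent account needs for each transfer direction (Source and destination permissions). The policy, the project number, the agent identity, and the permission-per-role table are constructed for the example; the `deletes_intermediate` flag and the custom-role names are assumptions, and nothing here talks to a live project.

```python
"""Offline check that a bucket IAM policy satisfies the role tables on this page.

All inputs are constructed for this example: the policy dict has the shape that
`gcloud storage buckets get-iam-policy BUCKET --format=json` returns, and the
service-account email has the shape of the accountEmail field returned by
googleServiceAccounts.get. Neither was read from a live project.
"""
import re

# Permissions per predefined role, limited to the ones the page relies on.
# Assumption: a simplified subset of the Cloud Storage predefined-roles reference.
ROLE_PERMISSIONS = {
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.get", "storage.objects.list",
        "storage.objects.update", "storage.objects.delete",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
}

# Bucket-level roles the page requires for the Google-managed service account.
SERVICE_ACCOUNT_BUCKET_ROLES = {
    "roles/storage.objectCreator",
    "roles/storage.objectViewer",
    "roles/storage.legacyBucketReader",
}

SERVICE_ACCOUNT_RE = re.compile(
    r"^project-(\d+)@storage-transfer-service\.iam\.gserviceaccount\.com$"
)


def roles_for_member(policy, member):
    """Roles bound to `member`. Conditional bindings are skipped because they
    cannot be evaluated offline, so they are counted as granting nothing."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def permissions_for_member(policy, member, custom_roles=None):
    """Expand `member`'s roles into permissions. `custom_roles` maps custom
    role names (projects/PROJECT/roles/NAME) to their permission sets."""
    table = {**ROLE_PERMISSIONS, **(custom_roles or {})}
    granted = set()
    for role in roles_for_member(policy, member):
        granted |= table.get(role, set())
    return granted


def required_agent_permissions(direction, transfer_options, deletes_intermediate=False):
    """Bucket permissions the agent account needs, following the three tables
    under Source and destination permissions. `direction` is "fs_to_gcs",
    "gcs_to_fs" or "fs_to_fs". `deletes_intermediate` is an assumed flag that
    stands in for however the fs-to-fs job is configured to clean up the
    intermediate bucket; it is not a transferOptions field."""
    if direction == "gcs_to_fs":
        return {"storage.objects.get"}
    if direction not in ("fs_to_gcs", "fs_to_fs"):
        raise ValueError("unknown transfer direction: " + direction)
    needed = {"storage.objects.create", "storage.objects.get"}
    if direction == "fs_to_gcs" and (
        transfer_options.get("overwriteObjectsAlreadyExistingInSink")
        or transfer_options.get("deleteObjectsUniqueInSink")
    ):
        needed.add("storage.objects.delete")
    if direction == "fs_to_fs" and deletes_intermediate:
        needed.add("storage.objects.delete")
    return needed


def missing_agent_permissions(policy, member, direction, transfer_options,
                              deletes_intermediate=False, custom_roles=None):
    """Sorted list of permissions the agent account still lacks on the bucket."""
    needed = required_agent_permissions(direction, transfer_options, deletes_intermediate)
    return sorted(needed - permissions_for_member(policy, member, custom_roles))


def missing_service_account_roles(policy, service_account_email):
    """Sorted list of required bucket roles the Google-managed service account lacks."""
    if not SERVICE_ACCOUNT_RE.match(service_account_email):
        raise ValueError("not a Storage Transfer Service account: " + service_account_email)
    member = "serviceAccount:" + service_account_email
    return sorted(SERVICE_ACCOUNT_BUCKET_ROLES - roles_for_member(policy, member))


# Constructed sample data: hypothetical project number and agent identity.
STS_ACCOUNT = "project-123456789012@storage-transfer-service.iam.gserviceaccount.com"
AGENT = "serviceAccount:transfer-agent@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectCreator", "members": ["serviceAccount:" + STS_ACCOUNT, AGENT]},
        {"role": "roles/storage.objectViewer", "members": ["serviceAccount:" + STS_ACCOUNT, AGENT]},
        {"role": "roles/storage.legacyBucketReader", "members": ["serviceAccount:" + STS_ACCOUNT]},
    ]
}

if __name__ == "__main__":
    print("service account lacks:", missing_service_account_roles(SAMPLE_POLICY, STS_ACCOUNT))
    print("agent lacks with overwrite enabled:", missing_agent_permissions(
        SAMPLE_POLICY, AGENT, "fs_to_gcs", {"overwriteObjectsAlreadyExistingInSink": True}))
```

Two design points matter when you run this against a real policy: a binding that carries an IAM condition is deliberately treated as granting nothing, because a static check cannot tell whether the condition will hold at transfer time, and a custom role is only credited with the permissions you pass in through `custom_roles`, so a custom role you forgot to describe shows up as a missing permission rather than silently passing.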