File system transfer permissions

Use the Google Cloud project administrator, a user with resourcemanager.projects.setIamPolicy privileges, to grant Identity and Access Management (IAM) permissions or roles to the appropriate users and service accounts.

The Google Cloud project administrator account is only required to grant permissions to users and service accounts. It isn't required to start transfer jobs.

For more information on granting IAM roles, see Granting, changing, and revoking access to resources.

If you're interested in creating custom roles for Storage Transfer Service, see Understanding IAM custom roles.

Administrator accounts

Storage Transfer Service administrator accounts are superuser accounts supporting colleagues that perform transfers. Admins manage transfer agents, set bandwidth usage limits, and can delete transfer jobs.

To set up an administrator account, assign the following IAM permissions and roles:

Role / Permission: resourcemanager.projects.getIamPolicy
  What it does: This permission is used to confirm that the Google-managed service account has the required permissions for a transfer.
  Notes: To grant this permission, grant the Role Viewer (roles/iam.roleViewer) predefined role, or create a custom role with this single permission and grant the custom role.

Role / Permission: Storage Transfer Admin (roles/storagetransfer.admin)
  What it does: Enables administrative actions in the transfer project, such as project setup and agent monitoring.
  Notes: For a detailed listing of permissions granted, see Storage Transfer Service Predefined roles.

User accounts

Storage Transfer Service user accounts can be used to create and execute transfers. These accounts typically don't have access to delete transfer jobs.

To set up a user account, assign the following permissions and roles to the account:

Role / Permission: resourcemanager.projects.getIamPolicy
  What it does: Used to confirm that the Google-managed service account has the required Pub/Sub permissions for a transfer.
  Notes: To grant this permission, grant the Role Viewer (roles/iam.roleViewer) predefined role, or create a custom role with this single permission and grant the custom role.

Role / Permission: Storage Transfer User (roles/storagetransfer.user)
  What it does: Enables the user to create, get, update, and list transfers.
  Notes: For a detailed listing of permissions granted, see Storage Transfer Service Predefined roles.

Role / Permission: Storage Object Admin (roles/storage.objectAdmin)
  What it does: Enables the user to create, update, and delete Cloud Storage objects as part of a transfer.
  Notes: Must be granted for every Cloud Storage bucket this account uses in transfers.

For a detailed listing of permissions granted, see Cloud Storage Predefined roles.

Service account

Storage Transfer Service uses a Google-managed service account to move your data. This service account is automatically created the first time you create a transfer job, create an agent pool, call googleServiceAccounts.get, or visit the job creation page in the Google Cloud console.

The service account's format is typically project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com. To determine your specific PROJECT_NUMBER, use the googleServiceAccounts.get API call.

To allow the Storage Transfer Service service account access to resources needed to complete transfers, assign the following roles, or equivalent permissions, to the service account:

Role / Permission: Storage Object Creator (roles/storage.objectCreator)
  What it does: Enables Storage Transfer Service to create transfer logs in the Cloud Storage bucket connected to this transfer.
  Notes: Grant to all Cloud Storage buckets used in a transfer. If appropriate for your situation, you can grant the role on a project level to the project that Storage Transfer Service is running from. For a detailed listing of the permissions these roles grant, see Cloud Storage Predefined roles.

Role / Permission: Storage Object Viewer (roles/storage.objectViewer)
  What it does: Enables Storage Transfer Service to determine if a file has already been transferred to or from Cloud Storage.

Role / Permission: Pub/Sub Editor (roles/pubsub.editor)
  What it does: Enables Storage Transfer Service to automatically create and modify Pub/Sub topics to communicate from Google Cloud to transfer agents.
  Notes: Apply the role on a project level to the project that Storage Transfer Service is running from. For a detailed listing of the permissions this role grants, see Pub/Sub Roles.

Role / Permission: Storage Legacy Bucket Reader (roles/storage.legacyBucketReader)
  What it does: Enables Storage Transfer Service to read Cloud Storage bucket metadata.
  Notes: Grant to each Cloud Storage bucket used in a transfer. Cloud Storage legacy roles can only be granted at the bucket level.

Transfer agents

Storage Transfer Service transfer agents can be run with either the user's account, or with a service account.

To set up a transfer agent service account or user account running the transfer agents, assign the following role:

Role / Permission: Storage Transfer Agent (roles/storage.transferAgent)
  What it does: Gives transfer agents the Storage Transfer Service and Pub/Sub permissions required to complete a transfer.
  Notes: Grant this role to the user or service account being used by agents. For a detailed listing of the permissions this role grants, see Access Control with IAM.

Source and destination permissions

You must also ensure that the agent account has the correct permissions to access the source data and to write to the destination.

File system to Cloud Storage

If your transfer's destination is a Cloud Storage bucket, the transfer agent needs the following permissions on the destination bucket. See Add a principal to a bucket-level policy for instructions.

Permission: storage.objects.create
  Description: Allows the agent account to write Cloud Storage objects during the transfer.

Permission: storage.objects.get
  Description: Allows the agent account to read object data and metadata.

Permission: storage.objects.delete
  Description: Required if your transfer is configured to overwrite or delete objects in the sink; for example, if overwriteObjectsAlreadyExistingInSink or deleteObjectsUniqueInSink is set in your transfer's transferOptions configuration.

To grant these permissions, grant the following role:

Or, create a custom role with the specific permissions and grant the custom role.

Cloud Storage to file system

If your transfer's source is a Cloud Storage bucket, the transfer agent needs the following permission on the source bucket.

Permission: storage.objects.get
  Description: Allows the agent account to read object data and metadata.

To grant this permission, grant the following role:

Or, create a custom role with the single permission and grant the custom role.

File system to file system

If your transfer is between two file systems, the transfer agent needs the following permissions on the intermediate bucket.

Permission: storage.objects.create
  Description: Allows the agent account to write Cloud Storage objects during the transfer.

Permission: storage.objects.get
  Description: Allows the agent account to read object data and metadata.

Permission: storage.objects.delete
  Description: Required if your transfer is configured to delete objects in the intermediate bucket after the transfer is complete.

To grant these permissions, grant the following role:

Or, create a custom role with the specific permissions and grant the custom role.
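A least-privilege check for the three transfer directions above, added here as an example and not part of the Google documentation: it derives the bucket permissions the agent account needs from the direction and the transferOptions flags named on this page, compares them with what a constructed bucket IAM policy actually grants, and validates the Google-managed service account format from the Service account section. The role-to-permission map is a constructed, partial subset, the `deletes_intermediate` flag is hypothetical (the page names no option for it), and the sample policy is constructed.

```python
import re

# Bucket permissions this page's tables list for the agent account, keyed by
# transfer direction (base set, before any delete-related options).
BASE_PERMS = {
    "fs_to_gcs": {"storage.objects.create", "storage.objects.get"},
    "gcs_to_fs": {"storage.objects.get"},
    "fs_to_fs": {"storage.objects.create", "storage.objects.get"},
}
# transferOptions flags named on the page that require storage.objects.delete.
DELETE_OPTIONS = ("overwriteObjectsAlreadyExistingInSink", "deleteObjectsUniqueInSink")
# Constructed, partial role -> permission map (object permissions only, not the
# full role definitions); a real check would load them from IAM.
ROLE_PERMS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.get",
                                  "storage.objects.list", "storage.objects.update",
                                  "storage.objects.delete"},
}
# Format of the Google-managed service account as given on the page.
STS_SA_RE = re.compile(r"^project-\d+@storage-transfer-service\.iam\.gserviceaccount\.com$")

def is_sts_service_account(email):
    return STS_SA_RE.match(email) is not None

def required_permissions(direction, transfer_options=None, deletes_intermediate=False):
    """Minimal bucket permissions for the agent account on the relevant bucket."""
    perms = set(BASE_PERMS[direction])
    opts = transfer_options or {}
    if direction == "fs_to_gcs" and any(opts.get(o) for o in DELETE_OPTIONS):
        perms.add("storage.objects.delete")
    if direction == "fs_to_fs" and deletes_intermediate:  # hypothetical flag
        perms.add("storage.objects.delete")
    return perms

def granted_permissions(policy, member):
    """Permissions a member holds through the bindings of a bucket IAM policy."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMS.get(binding["role"], set())
    return perms

def check_agent_access(policy, member, direction, transfer_options=None, deletes_intermediate=False):
    """'missing' means the transfer will fail; 'excess' means over-privilege."""
    need = required_permissions(direction, transfer_options, deletes_intermediate)
    have = granted_permissions(policy, member)
    return {"missing": sorted(need - have), "excess": sorted(have - need)}

# Constructed sample policy in the shape returned by `gcloud storage buckets get-iam-policy`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:agent@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin", "members": ["user:admin@example.com"]},
]}
```

Running `check_agent_access(SAMPLE_POLICY, "serviceAccount:agent@example-project.iam.gserviceaccount.com", "fs_to_gcs")` reports `storage.objects.create` missing and `storage.objects.list` in excess, which is the kind of gap that surfaces only when a transfer is first run.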