IAM permissions for Storage Transfer Service methods

The following table lists the minimum permissions required to run each Storage Transfer Service method.

Resource                Method    Required permissions
googleServiceAccounts   get       storagetransfer.projects.getServiceAccount
transferJobs            create    Both of the following:
                                    • storagetransfer.jobs.create
                                    • storagetransfer.projects.getServiceAccount
transferJobs            get       storagetransfer.jobs.get
transferJobs            list      storagetransfer.jobs.list
transferJobs            patch     Deletion updates (setting the job's status to DELETED): storagetransfer.jobs.delete
                                  All other updates: storagetransfer.jobs.update
transferOperations      cancel    storagetransfer.operations.cancel
transferOperations      get       storagetransfer.operations.get
transferOperations      list      storagetransfer.operations.list
transferOperations      pause     storagetransfer.operations.pause
transferOperations      resume    storagetransfer.operations.resume

Source permissions

Cloud Storage

Storage Transfer Service uses a Google-managed service account (the service agent) to read data from a Cloud Storage source bucket. The service account is created for your project the first time you call googleServiceAccounts.get.

The service account's name typically has the form project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com. To find the exact service account for your project, call googleServiceAccounts.get rather than constructing the name yourself.

The service account must have the following permissions for the source bucket:

Permission              Description                                                Use
storage.buckets.get     Lets the service account get the location of the bucket.  Always required.
storage.objects.list    Lets the service account list objects in the bucket.      Always required.
storage.objects.get     Lets the service account read objects in the bucket.      Always required.
storage.objects.delete  Lets the service account delete objects in the bucket.    Required only if deleteObjectsFromSourceAfterTransfer is true.

The roles/storage.objectViewer and roles/storage.legacyBucketReader roles together contain the permissions that are always required. The roles/storage.legacyBucketWriter role contains the storage.objects.delete permission. Grant the service account these roles on the source bucket, and grant only what the transfer actually needs: don't grant a role that carries storage.objects.delete unless deleteObjectsFromSourceAfterTransfer is set.

For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.

Amazon S3

In order to use the Storage Transfer Service to move data from an Amazon S3 bucket, you must have an AWS Identity and Access Management user account that has certain permissions for the bucket:

Permission            Description                                                    Use
s3:ListBucket         Lets Storage Transfer Service list objects in the bucket.      Always required.
s3:GetObject          Lets Storage Transfer Service read objects in the bucket.      Always required.
s3:GetBucketLocation  Lets Storage Transfer Service get the location of the bucket.  Always required.
s3:DeleteObject       Lets Storage Transfer Service delete objects in the bucket.    Required only if deleteObjectsFromSourceAfterTransfer is true.

Microsoft Azure Blob Storage

To use Storage Transfer Service to move data from a Microsoft Azure Storage account or container to Cloud Storage, you must have a Microsoft Azure Storage user account with the following permissions applied to the account:

Permission               Description                                                                                                     Use
List Blobs               Lets Storage Transfer Service list blobs in a container.                                                        Always required.
Get Blob                 Lets Storage Transfer Service get the contents, system-defined metadata, and user-defined metadata of a blob.   Always required.
Get Blob Properties      Lets Storage Transfer Service get the system-defined and user-defined metadata of a blob.                      Always required.
Get Account Information  Lets Storage Transfer Service determine the type of storage account in use.                                    Required only if you are transferring from Azure Data Lake Storage (ADLS) Gen2.
Delete Blob              Lets Storage Transfer Service mark a blob for deletion.                                                         Required only if deleteObjectsFromSourceAfterTransfer is true.

URL list

If your data source is a URL list, ensure that each object in the URL list is publicly accessible.

Sink permissions

Storage Transfer Service uses the same Google-managed service account (the service agent) to write data to the Cloud Storage destination bucket. The service account is created for your project the first time you call googleServiceAccounts.get.

The service account's name typically has the form project-PROJECT_NUMBER@storage-transfer-service.iam.gserviceaccount.com. To find the exact service account for your project, call googleServiceAccounts.get.

The service account must have the following permissions for the destination bucket:

Permission              Description                                                Use
storage.buckets.get     Lets the service account get the location of the bucket.  Always required.
storage.objects.create  Lets the service account add objects to the bucket.       Always required.
storage.objects.delete  Lets the service account delete objects in the bucket.    Required if overwriteObjectsAlreadyExistingInSink or deleteObjectsUniqueInSink is true.
storage.objects.list    Lets the service account list objects in the bucket.      Required if overwriteObjectsAlreadyExistingInSink is false or deleteObjectsUniqueInSink is true.

All of these permissions are contained in the roles/storage.legacyBucketWriter role, which you can assign to the service account. For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.
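The source and sink tables above describe which permissions a job needs as a function of its transferOptions. The following Python is an added worked example, not code from the Storage Transfer Service documentation or from Google: it derives the least-privilege permission set for a Cloud Storage source, a Cloud Storage sink and an Amazon S3 source from the three option flags named on this page (deleteObjectsFromSourceAfterTransfer, overwriteObjectsAlreadyExistingInSink, deleteObjectsUniqueInSink), diffs the sink set against a buckets.testIamPermissions response, and emits a bucket-scoped AWS IAM policy for the S3 case. The transferOptions dict, the testIamPermissions response and the bucket name are constructed for illustration; the split of S3 actions between the bucket ARN and bucket/* follows AWS's own convention and is not stated on this page.

```python
"""Derive least-privilege permissions for a Storage Transfer Service job from its
transferOptions and check them against what the service agent actually holds.
Added example, not Google's code. All sample data below is constructed."""
from __future__ import annotations

import json

# Permission sets taken from the source and sink tables on this page.
GCS_SOURCE_ALWAYS = {"storage.buckets.get", "storage.objects.list", "storage.objects.get"}
GCS_SINK_ALWAYS = {"storage.buckets.get", "storage.objects.create"}
S3_SOURCE_ALWAYS = {"s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"}
# S3 actions that AWS authorises on the bucket ARN rather than on objects (AWS convention).
S3_BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}


def required_gcs_source_permissions(transfer_options: dict) -> set[str]:
    """Permissions the service agent needs on a Cloud Storage source bucket."""
    perms = set(GCS_SOURCE_ALWAYS)
    if transfer_options.get("deleteObjectsFromSourceAfterTransfer", False):
        perms.add("storage.objects.delete")
    return perms


def required_gcs_sink_permissions(transfer_options: dict) -> set[str]:
    """Permissions the service agent needs on a Cloud Storage destination bucket."""
    perms = set(GCS_SINK_ALWAYS)
    overwrite = transfer_options.get("overwriteObjectsAlreadyExistingInSink", False)
    delete_unique = transfer_options.get("deleteObjectsUniqueInSink", False)
    # Overwriting existing sink objects or deleting sink-only objects both need delete.
    if overwrite or delete_unique:
        perms.add("storage.objects.delete")
    # Skipping existing objects (overwrite=false) or finding sink-only objects needs list.
    if not overwrite or delete_unique:
        perms.add("storage.objects.list")
    return perms


def required_s3_source_actions(transfer_options: dict) -> set[str]:
    """IAM actions the AWS IAM user needs on an Amazon S3 source bucket."""
    actions = set(S3_SOURCE_ALWAYS)
    if transfer_options.get("deleteObjectsFromSourceAfterTransfer", False):
        actions.add("s3:DeleteObject")
    return actions


def s3_source_policy(bucket: str, transfer_options: dict) -> dict:
    """Minimal AWS IAM policy for the S3 source, scoped to a single bucket.
    Bucket-level actions go on the bucket ARN, object-level actions on bucket/*."""
    actions = required_s3_source_actions(transfer_options)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions & S3_BUCKET_LEVEL), "Resource": bucket_arn},
            {"Effect": "Allow", "Action": sorted(actions - S3_BUCKET_LEVEL), "Resource": f"{bucket_arn}/*"},
        ],
    }


def missing_permissions(required: set[str], granted) -> list[str]:
    """Permissions in `required` that a buckets.testIamPermissions call did not confirm.
    testIamPermissions returns only the subset of requested permissions the caller holds."""
    return sorted(required - set(granted))


def sink_report(transfer_options: dict, test_iam_response: dict) -> dict:
    """Required vs. granted sink permissions; `ok` is False if the transfer would fail."""
    required = required_gcs_sink_permissions(transfer_options)
    missing = missing_permissions(required, test_iam_response["permissions"])
    return {"required": sorted(required), "missing": missing, "ok": not missing}


# Constructed transferOptions for a mirror-style job: keep existing sink objects,
# but delete objects that exist only in the sink.
SAMPLE_TRANSFER_OPTIONS = {
    "overwriteObjectsAlreadyExistingInSink": False,
    "deleteObjectsUniqueInSink": True,
    "deleteObjectsFromSourceAfterTransfer": False,
}

# Constructed testIamPermissions response for the sink bucket: the service agent
# can get the bucket, create and list objects, but was never granted delete.
SAMPLE_SINK_TEST_IAM_RESPONSE = {
    "permissions": ["storage.buckets.get", "storage.objects.create", "storage.objects.list"]
}

if __name__ == "__main__":
    print(json.dumps(sink_report(SAMPLE_TRANSFER_OPTIONS, SAMPLE_SINK_TEST_IAM_RESPONSE), indent=2))
    print(json.dumps(s3_source_policy("example-source-bucket",
                                      {"deleteObjectsFromSourceAfterTransfer": True}), indent=2))
```

With the constructed data, sink_report flags storage.objects.delete as missing: deleteObjectsUniqueInSink requires it, and roles that lack it (for example roles/storage.objectViewer plus roles/storage.legacyBucketReader) are not enough for this job. To use this against a real project, replace SAMPLE_SINK_TEST_IAM_RESPONSE with the permissions the service agent effectively holds on the destination bucket.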

Pub/Sub permissions

If you plan to use Pub/Sub notifications for transfers, grant the service account the IAM role roles/pubsub.publisher on the Pub/Sub topic you want it to publish to.