IAM permissions for Storage Transfer Service methods

The following table lists the minimum permissions required to run each Storage Transfer Service method.

| Resource | Method | Required permissions |
| --- | --- | --- |
| googleServiceAccount | get | storagetransfer.projects.getServiceAccount |
| transferJobs | create | Both of the following are required: storagetransfer.jobs.create and storagetransfer.jobs.getserviceaccount |
| transferJobs | get | storagetransfer.jobs.get |
| transferJobs | list | storagetransfer.jobs.list |
| transferJobs | patch | For deletion updates: storagetransfer.jobs.delete. For non-deletion updates: storagetransfer.jobs.update |
| transferOperations | cancel | storagetransfer.operations.cancel |
| transferOperations | get | storagetransfer.operations.get |
| transferOperations | list | storagetransfer.operations.list |
| transferOperations | pause | storagetransfer.operations.pause |
| transferOperations | resume | storagetransfer.operations.resume |

Source permissions

Cloud Storage

The Storage Transfer Service uses the project-[$PROJECT_NUMBER]@storage-transfer-service.iam.gserviceaccount.com service account to move data from a Cloud Storage source bucket. The service account must have the following permissions for the source bucket:

| Permission | Description | Use |
| --- | --- | --- |
| storage.buckets.get | Allows the service account to get the location of the bucket. | Always required. |
| storage.objects.list | Allows the service account to list objects in the bucket. | Always required. |
| storage.objects.get | Allows the service account to read objects in the bucket. | Always required. |
| storage.objects.delete | Allows the service account to delete objects in the bucket. | Required if you set deleteObjectsFromSourceAfterTransfer to true. |

The roles/storage.objectViewer and roles/storage.legacyBucketReader roles together contain the permissions that are always required. The roles/storage.legacyBucketWriter role contains the storage.objects.delete permission. The service account used to perform the transfer must be assigned the roles that cover the permissions your transfer needs.

For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.

Amazon S3

To use the Storage Transfer Service to move data from an Amazon S3 bucket, you must have an AWS Identity and Access Management user account that has the following permissions for the bucket:

| Permission | Description | Use |
| --- | --- | --- |
| s3:ListBucket | Allows the Storage Transfer Service to list objects in the bucket. | Always required. |
| s3:GetObject | Allows the Storage Transfer Service to read objects in the bucket. | Always required. |
| s3:GetBucketLocation | Allows the Storage Transfer Service to get the location of the bucket. | Always required. |
| s3:DeleteObject | Allows the Storage Transfer Service to delete objects in the bucket. | Required if you set deleteObjectsFromSourceAfterTransfer to true. |
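The table above lists actions, but an IAM policy also has to scope them to the right resource: s3:ListBucket and s3:GetBucketLocation apply to the bucket ARN, while s3:GetObject and s3:DeleteObject apply to the objects (the `/*` ARN). The following is an added example, not code from the Storage Transfer Service documentation, that builds the least-privilege policy document for the AWS user from the single option that changes the permission set, and flags common over-grants when reviewing an existing policy. The bucket name is a constructed placeholder.

```python
import json

# Constructed placeholder; substitute the real source bucket name.
SOURCE_BUCKET = "example-source-bucket"


def s3_source_policy(bucket, delete_after_transfer=False):
    """Least-privilege IAM policy for the AWS user that Storage Transfer
    Service uses to read (and optionally delete from) an S3 source bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Bucket-level actions are granted on the bucket ARN only.
    bucket_actions = ["s3:ListBucket", "s3:GetBucketLocation"]
    # Object-level actions are granted on the objects (bucket ARN + "/*").
    object_actions = ["s3:GetObject"]
    if delete_after_transfer:  # deleteObjectsFromSourceAfterTransfer = true
        object_actions.append("s3:DeleteObject")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "TransferServiceBucketLevel", "Effect": "Allow",
             "Action": bucket_actions, "Resource": bucket_arn},
            {"Sid": "TransferServiceObjectLevel", "Effect": "Allow",
             "Action": object_actions, "Resource": f"{bucket_arn}/*"},
        ],
    }


def granted_actions(policy):
    """Flatten every Allow action in a policy document into one set."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"]
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def policy_findings(policy, delete_after_transfer=False):
    """Review an existing policy against the table: report wildcard actions or
    resources, and a DeleteObject grant the transfer does not need."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"]
        acts = [acts] if isinstance(acts, str) else acts
        res = stmt["Resource"]
        res = [res] if isinstance(res, str) else res
        if any(a in ("*", "s3:*") for a in acts):
            findings.append(f"{stmt.get('Sid', '?')}: wildcard action")
        if any(r == "*" or r == "arn:aws:s3:::*" for r in res):
            findings.append(f"{stmt.get('Sid', '?')}: wildcard resource")
    if "s3:DeleteObject" in granted_actions(policy) and not delete_after_transfer:
        findings.append("s3:DeleteObject granted but deleteObjectsFromSourceAfterTransfer is false")
    return findings


if __name__ == "__main__":
    print(json.dumps(s3_source_policy(SOURCE_BUCKET), indent=2))
```

Attach the generated document to the transfer user as an inline or managed policy; if `deleteObjectsFromSourceAfterTransfer` is later turned off, regenerate it so the delete grant disappears with the option.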

URL list

If your data source is a URL list, ensure that each object in the URL list is publicly accessible.

Sink permissions

The Storage Transfer Service uses a service account to move data into a Cloud Storage sink bucket. The service account must have certain permissions for the sink bucket:

| Permission | Description | Use |
| --- | --- | --- |
| storage.buckets.get | Allows the service account to get the location of the bucket. | Always required. |
| storage.objects.create | Allows the service account to add objects to the bucket. | Always required. |
| storage.objects.delete | Allows the service account to delete objects in the bucket. | Required if you set overwriteObjectsAlreadyExistingInSink or deleteObjectsUniqueInSink to true. |
| storage.objects.list | Allows the service account to list objects in the bucket. | Required if you set overwriteObjectsAlreadyExistingInSink to false or deleteObjectsUniqueInSink to true. |

All of these permissions are contained in the roles/storage.legacyBucketWriter role, which you can assign to the service account. For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.
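The source and sink tables above are conditional on three transfer options, so the set of permissions to grant (and to verify before the first run) depends on the job. The following added example, which is not part of the Storage Transfer Service documentation, derives the required permission set on each bucket from those options, compares it against the permissions a set of roles provides, and optionally asks Cloud Storage for a live answer through `testIamPermissions`. The role-to-permission map covers only the permissions named on this page, the project number and bucket names are placeholders, and the option defaults are the example's own, not the API's.

```python
# Subset of each role's permissions relevant here (per the tables on this page).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.legacyBucketWriter": {"storage.buckets.get", "storage.objects.create",
                                         "storage.objects.delete", "storage.objects.list"},
}


def transfer_service_account(project_number):
    """Email of the service account the transfer runs as (format from the docs)."""
    return f"project-{project_number}@storage-transfer-service.iam.gserviceaccount.com"


def source_permissions(delete_objects_from_source_after_transfer=False):
    """Permissions needed on the Cloud Storage source bucket."""
    perms = {"storage.buckets.get", "storage.objects.list", "storage.objects.get"}
    if delete_objects_from_source_after_transfer:
        perms.add("storage.objects.delete")
    return perms


def sink_permissions(overwrite_objects_already_existing_in_sink=False,
                     delete_objects_unique_in_sink=False):
    """Permissions needed on the Cloud Storage sink bucket."""
    perms = {"storage.buckets.get", "storage.objects.create"}
    if overwrite_objects_already_existing_in_sink or delete_objects_unique_in_sink:
        perms.add("storage.objects.delete")
    if not overwrite_objects_already_existing_in_sink or delete_objects_unique_in_sink:
        perms.add("storage.objects.list")
    return perms


def permissions_from_roles(roles):
    """Union of the (page-relevant) permissions granted by the given roles."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def missing_permissions(required, granted):
    """Sorted list of required permissions the principal does not hold."""
    return sorted(set(required) - set(granted))


def check_bucket_live(bucket_name, required):
    """Ask Cloud Storage which of `required` the current credentials hold on
    the bucket. Run it authenticated as (or impersonating) the transfer
    service account so the answer is about that principal. Needs the
    google-cloud-storage package; imported lazily so the rest runs offline."""
    from google.cloud import storage
    client = storage.Client()
    bucket = client.bucket(bucket_name)
    allowed = bucket.test_iam_permissions(sorted(required))
    return missing_permissions(required, allowed)


if __name__ == "__main__":
    # Constructed values: placeholder project number, a job that deletes from the
    # source, and roles that do not include storage.objects.delete.
    print(transfer_service_account("PROJECT_NUMBER_PLACEHOLDER"))
    need = source_permissions(delete_objects_from_source_after_transfer=True)
    have = permissions_from_roles(["roles/storage.objectViewer",
                                   "roles/storage.legacyBucketReader"])
    print("missing on source:", missing_permissions(need, have))
```

Running `check_bucket_live` before creating the job turns a mid-transfer permission failure into a pre-flight finding; the offline functions are enough to decide which roles to bind and to spot a delete grant that the job's options do not justify.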
