IAM permissions for Storage Transfer Service methods

The following table lists the minimum project role required to run each Storage Transfer Service method.

Resource	Method	Minimum Project Role
`googleServiceAccount`	`get`	`Viewer`
`transferJobs`	`create`	`Editor`
`transferJobs`	`get`	`Viewer`
`transferJobs`	`list`	`Viewer`
`transferJobs`	`patch`	`Editor`
`transferOperations`	`cancel`	`Editor`
`transferOperations`	`get`	`Viewer`
`transferOperations`	`list`	`Viewer`
`transferOperations`	`pause`	`Editor`
`transferOperations`	`resume`	`Editor`

Source permissions

Cloud Storage

The Storage Transfer Service uses the project-[$PROJECT_NUMBER]@storage-transfer-service.iam.gserviceaccount.com service account to move data from a Cloud Storage source bucket. The service account must have the following permissions for the source bucket:

Permission	Description	Use
`storage.buckets.get`	Allows the service account to get the location of the bucket.	Always required.
`storage.objects.list`	Allows the service account to list objects in the bucket.	Always required.
`storage.objects.get`	Allows the service account to read objects in the bucket.	Always required.
`storage.objects.delete`	Allows the service account to delete objects in the bucket.	Required if you set `deleteObjectsFromSourceAfterTransfer` to `true`.

The roles/storage.objectViewer and roles/storage.legacyBucketReader roles together contain the permissions that are always required. The roles/storage.legacyBucketWriter role contains the storage.objects.delete permissions. The service account used to perform the transfer must be assigned the desired roles.

For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.

Amazon S3

In order to use the Storage Transfer Service to move data from an Amazon S3 bucket, you must have an AWS Identity and Access Management user account that has certain permissions for the bucket:

Permission	Description	Use
`s3:ListBucket`	Allows the Storage Transfer Service to list objects in the bucket.	Always required.
`s3:GetObject`	Allows the Storage Transfer Service to read objects in the bucket.	Always required.
`s3:GetBucketLocation`	Allows the Storage Transfer Service to get the location of the bucket.	Always required.
`s3:DeleteObject`	Allows the Storage Transfer Service to delete objects in the bucket.	Required if you set `deleteObjectsFromSourceAfterTransfer` to `true`.

URL list

If your data source is a URL list, ensure that each object in the URL list is publicly accessible.

Sink permissions

The Storage Transfer Service uses a service account to move data into a Cloud Storage sink bucket. The service account must have certain permissions for the sink bucket:

Permission	Description	Use
`storage.buckets.get`	Allows the service account to get the location of the bucket.	Always required.
`storage.objects.create`	Allows the service account to add objects to the bucket.	Always required.
`storage.objects.delete`	Allows the service account to delete objects in the bucket.	Required if you set `overwriteObjectsAlreadyExistingInSink` or `deleteObjectsUniqueInSink` to `true`.
`storage.objects.list`	Allows the service account to list objects in the bucket.	Required if you set `overwriteObjectsAlreadyExistingInSink` to `false` or `deleteObjectsUniqueInSink` to `true`.

All of these permissions are contained in the roles/storage.legacyBucketWriter role, which you can assign to the service account. For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.