Access Control at the Project Level


Google Cloud Identity and Access Management (IAM) allows you to control user and group access to buckets and objects at the project level. For example, you can specify that a user has full control of all the objects in your project, but cannot create, modify, or delete any buckets in your project. Using Cloud Storage IAM makes it easy to limit a user's or group's permissions without having to modify each bucket or object permission individually. To learn about ways to control access to individual buckets or objects, see the Overview of Access Control.

This document focuses on the IAM permissions relevant to Cloud Storage and the IAM roles that grant those permissions. For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see its Managing IAM Policies section.


Permissions allow users to perform specific actions on buckets or objects in Cloud Storage. For example, the storage.buckets.list permission allows a user to list the buckets in your project. You don't directly give users permissions; instead, you assign them roles, which have one or more permissions bundled within them.

The following tables list the IAM permissions that are associated with Cloud Storage:

Bucket permission name Description
storage.buckets.create Create new buckets in a project.
storage.buckets.delete Delete buckets.
storage.buckets.get Read bucket metadata, excluding ACLs.
storage.buckets.getIAMPolicy Read bucket ACLs.
storage.buckets.list List the buckets in a project.
storage.buckets.setIAMPolicy Update bucket ACLs.
storage.buckets.update Update bucket metadata, excluding ACLs.
Object permission name Description
storage.objects.create Add new objects to a bucket.
storage.objects.delete Delete objects.
storage.objects.get Read object data and metadata, excluding ACLs.
storage.objects.getIAMPolicy Read object ACLs.
storage.objects.list List objects in a bucket.
storage.objects.setIAMPolicy Update object ACLs.
storage.objects.update Update object metadata, excluding ACLs.

For a reference of which IAM permissions allow users to run JSON and XML methods on buckets and objects, see IAM with JSON and XML.


Roles are a bundle of one or more permissions. For example, roles/storage.objectViewer contains the permissions storage.objects.get and storage.objects.list. You assign roles to users or groups, which allows them to perform actions on the buckets and objects in your project.

The following table lists the Cloud Storage IAM roles, including a list of the permissions associated with each role:

Role Description Permissions
roles/storage.objectCreator Can create objects. Does not have permission to delete or overwrite objects. storage.objects.create
roles/storage.objectViewer Can view objects and their metadata, excluding ACLs. storage.objects.get
roles/storage.objectAdmin Has full control of objects. storage.objects.*
roles/storage.admin Has full control of objects and buckets. storage.buckets.*
Viewer Can list buckets. storage.buckets.list
Editor Can create, list, and delete buckets. storage.buckets.create
Owner Can create, list, and delete buckets. storage.buckets.create

Cloud Storage IAM management

You can get and set IAM policies using the Google Cloud Platform Console, the IAM API, or the gcloud command-line tool. See Granting, Changing, and Revoking Access to Project Members for detailed instructions.

What's next

Send feedback about...

Cloud Storage Documentation