Cloud IAM permissions for the Google Cloud Platform Console

This page lists the Cloud Identity and Access Management (Cloud IAM) permissions required to perform various actions on Cloud Storage buckets and objects when using the GCP Console.

Common permissions required for using the GCP Console

Certain permissions are broadly necessary in order to use the GCP Console:

  • All actions involving buckets require resourcemanager.projects.get and storage.buckets.list permissions at the project level.

    These permissions allow you to access the buckets page of the Console Browser where you create, view, and update buckets.

  • Generally, actions involving objects require storage.objects.list permission at the project or bucket level.

    This permission is not required if you only access the details pages for specific objects and you never need to access the overall list of objects in a bucket.

  • All actions that include a billing project in the request require serviceusage.services.use permission for the project that's specified.

    This permission ensures you are authorized to bill the project you specify. You include a billing project, for example, when accessing a bucket that has Requester Pays enabled.

Permissions required for specific actions

| Action | Required Cloud IAM permissions (in addition to those listed above) |
|---|---|
| Create a bucket | storage.buckets.create |
| List or filter buckets | No additional permissions |
| Access the Overview tab of a bucket | storage.buckets.get |
| View or edit the website configuration of a bucket (if enabled) | storage.buckets.get, storage.buckets.update |
| Change bucket labels, default storage class, or default event-based hold | storage.buckets.get, storage.buckets.update |
| Enable the Requester Pays feature | storage.buckets.get, storage.buckets.update |
| Disable the Requester Pays feature | storage.buckets.get, storage.buckets.update, resourcemanager.projects.createBillingAssignment [3] |
| Set or update object lifecycle policies | storage.buckets.get, storage.buckets.update |
| View object lifecycle policies | storage.buckets.get |
| Set or remove a bucket's default Cloud Key Management Service key | storage.buckets.get, storage.buckets.update |
| View a bucket's default Cloud Key Management Service key | storage.buckets.get |
| Set, remove, or lock a bucket's retention policy | storage.buckets.get, storage.buckets.update |
| View a bucket's retention policy | storage.buckets.get |
| Set or remove Bucket Policy Only for a bucket | storage.buckets.get, storage.buckets.update |
| View a bucket's Bucket Policy Only status | storage.buckets.get |
| Change bucket permissions | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
| Delete an empty bucket | storage.buckets.delete, storage.objects.list |
| Delete a non-empty bucket | storage.buckets.delete, storage.objects.delete, storage.objects.list |
| Upload an object | storage.objects.create |
| View the details page for an object [5] | storage.objects.get |
| Download an object [5] | storage.objects.get |
| List objects in a bucket | No additional permissions |
| Determine if an object is publicly accessible [5] | storage.objects.getIamPolicy [4] |
| Rename an object | storage.objects.create, storage.objects.delete, storage.objects.get, storage.objects.getIamPolicy [4], storage.objects.setIamPolicy [4] |
| Copy an object | storage.objects.create (for the destination bucket), storage.objects.delete [1] (for the destination bucket), storage.objects.get (for the source object), storage.objects.getIamPolicy [2][4] (for the source object), storage.objects.setIamPolicy [2][4] (for the destination bucket) |
| Move an object | storage.objects.create (for the destination bucket), storage.objects.delete [1] (for the destination bucket), storage.objects.delete (for the source bucket), storage.objects.get (for the source object), storage.objects.getIamPolicy [2][4] (for the source object), storage.objects.setIamPolicy [2][4] (for the destination bucket) |
| View an object's access permissions [5] | storage.objects.get, storage.objects.getIamPolicy [4] |
| Edit an object's access permissions [5] | storage.objects.get, storage.objects.getIamPolicy [4], storage.objects.setIamPolicy [4], storage.objects.update |
| Edit an object's metadata | storage.objects.get, storage.objects.update |
| Add or remove a hold on an object | storage.objects.get, storage.objects.update |
| Delete an object [5] | storage.objects.delete |
| View the HMAC keys for a project | resourcemanager.projects.get, storage.hmacKeys.list |
| Create an HMAC key for a service account | resourcemanager.projects.get, storage.hmacKeys.list, storage.hmacKeys.create |
| Disable or re-enable an HMAC key for a service account | resourcemanager.projects.get, storage.hmacKeys.list, storage.hmacKeys.update |
| Delete an HMAC key for a service account | resourcemanager.projects.get, storage.hmacKeys.list, storage.hmacKeys.delete |

[1] This permission is only required when the copied/moved object has the same name as an object that already exists in the bucket.

[2] This permission is only required when keeping the permissions currently applied to the source object.

[3] This permission is only required if you do not include a billing project in your request. See Requester Pays Use and access requirements for more information.

[4] This permission does not apply to buckets with Bucket Policy Only enabled.

[5] This action does not require storage.objects.list if it's performed on the details page for the relevant object.
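The common permissions above and the per-action table with its footnotes together define a least-privilege target for a Console user. The following Python script is an added example, not Google's code or any tooling that belongs to this page: it transcribes part of the table and its footnote conditions, computes the minimal permission set a principal needs for a list of Console actions under a given request context, reports which of those permissions a grant is missing, and emits a custom-role definition in the YAML layout accepted by `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`. The function names, the `Context` flags, the action subset chosen, and the decision to apply the project-level bucket permissions to object actions as well (objects are reached through a bucket in the Console) are assumptions of this example.

```python
"""Least-privilege helper built on the Console permission table (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Broadly required permissions from the "Common permissions" section.
PROJECT_LEVEL = frozenset({"resourcemanager.projects.get", "storage.buckets.list"})
OBJECT_LIST = "storage.objects.list"
BILLING = "serviceusage.services.use"


@dataclass(frozen=True)
class Context:
    """Request context deciding which footnoted permissions apply (names assumed)."""
    bucket_policy_only: bool = False  # footnote 4: object ACL permissions do not apply
    billing_project: bool = False     # footnote 3 plus serviceusage.services.use
    name_collision: bool = False      # footnote 1: destination name already exists
    keep_source_acl: bool = False     # footnote 2: preserve the source object's ACL
    from_details_page: bool = False   # footnote 5: storage.objects.list not needed


# Condition name -> predicate over the Context.
CONDITIONS = {
    "acl_enabled": lambda c: not c.bucket_policy_only,
    "no_billing_project": lambda c: not c.billing_project,
    "name_collision": lambda c: c.name_collision,
    "keep_source_acl": lambda c: c.keep_source_acl,
}

# Each entry: (kind, [permission or (permission, condition, ...)]), transcribed
# from the table. kind "object_details" marks actions the table footnotes with 5.
ACTIONS = {
    "create a bucket": ("bucket", ["storage.buckets.create"]),
    "enable requester pays": ("bucket", ["storage.buckets.get", "storage.buckets.update"]),
    "disable requester pays": ("bucket", ["storage.buckets.get", "storage.buckets.update",
        ("resourcemanager.projects.createBillingAssignment", "no_billing_project")]),
    "change bucket permissions": ("bucket", ["storage.buckets.get", "storage.buckets.getIamPolicy",
        "storage.buckets.setIamPolicy", "storage.buckets.update"]),
    "delete a non-empty bucket": ("object", ["storage.buckets.delete", "storage.objects.delete"]),
    "upload an object": ("object", ["storage.objects.create"]),
    "download an object": ("object_details", ["storage.objects.get"]),
    "delete an object": ("object_details", ["storage.objects.delete"]),
    "copy an object": ("object", ["storage.objects.create", "storage.objects.get",
        ("storage.objects.delete", "name_collision"),
        ("storage.objects.getIamPolicy", "keep_source_acl", "acl_enabled"),
        ("storage.objects.setIamPolicy", "keep_source_acl", "acl_enabled")]),
    "edit an object's access permissions": ("object_details", ["storage.objects.get",
        "storage.objects.update",
        ("storage.objects.getIamPolicy", "acl_enabled"),
        ("storage.objects.setIamPolicy", "acl_enabled")]),
}


def required_permissions(actions, ctx: Context = Context()) -> set[str]:
    """Minimal permission set for performing `actions` in the Console under `ctx`."""
    # Assumption of this example: the project-level bucket permissions are needed
    # to reach any bucket or object through the Console browser.
    needed = set(PROJECT_LEVEL)
    if ctx.billing_project:
        needed.add(BILLING)
    for name in actions:
        kind, entries = ACTIONS[name]
        if kind == "object" or (kind == "object_details" and not ctx.from_details_page):
            needed.add(OBJECT_LIST)
        for entry in entries:
            if isinstance(entry, str):
                needed.add(entry)
            else:
                perm, *conds = entry
                if all(CONDITIONS[c](ctx) for c in conds):
                    needed.add(perm)
    return needed


def missing_permissions(granted, required) -> list[str]:
    """Permissions in `required` that the principal has not been granted."""
    return sorted(set(required) - set(granted))


def role_yaml(title: str, permissions) -> str:
    """Custom-role definition in the layout accepted by `gcloud iam roles create --file`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed scenario: an operator who downloads objects from the bucket's
    # object list while holding a typical viewer-style grant that lacks list access.
    need = required_permissions(["download an object"])
    have = {"resourcemanager.projects.get", "storage.buckets.list", "storage.objects.get"}
    print("missing:", missing_permissions(have, need))
    print(role_yaml("Console object downloader", need))
```

The context flags matter for role design: the same "copy an object" task needs `storage.objects.setIamPolicy` only when the user keeps the source ACL on a bucket that still uses ACLs, so a role that grants it unconditionally carries more privilege than the task requires. Running the diff against an existing grant before widening a role keeps the added permissions to exactly the missing ones.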
