IAM permissions for the Google Cloud Console

The following page discusses the Identity and Access Management (IAM) permissions required to perform various actions on Cloud Storage buckets and objects when using the Cloud Console. IAM permissions are bundled together to make roles, and you assign roles to users and groups.

Common permissions required for using the Cloud Console

Certain permissions are broadly necessary in order to use the Cloud Console:

All actions involving buckets require resourcemanager.projects.get and storage.buckets.list permissions at the project level.

These permissions allow you to access the buckets page of the Console Browser where you create, view, and update buckets.
All actions that include a billing project in the request require serviceusage.services.use permission for the project that's specified.

This permission ensures you are authorized to bill the project you specify. Including a billing project is used, for example, when accessing a bucket with Requester Pays enabled.

Permissions required for specific actions

Action	Required IAM Permissions (in addition to those listed above)
Create a bucket	`storage.buckets.create`
List or filter buckets	No additional permissions
View the following bucket information: Location, labels, and default storage class Object lifecycle policies Retention policy and lock status Public access prevention status Uniform bucket-level access status Default event-based hold setting Default Cloud Key Management Service key Website configuration	`storage.buckets.get`
Change the following bucket settings: Labels and default storage class Object lifecycle policies Retention policy, including locking the bucket Uniform bucket-level access status Default event-based hold status Default Cloud Key Management Service key Website configuration	`storage.buckets.get` `storage.buckets.update`
Enable the Requester Pays feature	`storage.buckets.get` `storage.buckets.update`
Disable the Requester Pays feature	`storage.buckets.get` `storage.buckets.update` `resourcemanager.projects.createBillingAssignment`³
Change the public access prevention setting	`storage.buckets.get` `storage.buckets.setIamPolicy` `storage.buckets.update`
Change bucket permissions	`storage.buckets.get` `storage.buckets.getIamPolicy` `storage.buckets.setIamPolicy` `storage.buckets.update`
Delete an empty bucket	`storage.buckets.delete` `storage.objects.list`
Delete a non-empty bucket	`storage.buckets.delete` `storage.objects.delete` `storage.objects.list`
Upload an object or folder of objects	`storage.objects.create` `storage.objects.delete`¹
View the details page for an object⁵	`storage.objects.get` `storage.objects.list`
Download an object⁵ or folder of objects	`storage.objects.get` `storage.objects.list`
List objects in a bucket	`storage.objects.list`
Determine if an object is publicly accessible⁵	`storage.buckets.getIamPolicy` `storage.objects.list` `storage.objects.getIamPolicy`⁴
Rename an object	`storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list` `storage.objects.getIamPolicy`⁴ `storage.objects.setIamPolicy`⁴
Copy an object	`storage.objects.create` (for the destination bucket) `storage.objects.delete`¹ (for the destination bucket) `storage.objects.get` (for the source object) `storage.objects.list` (for the source bucket and destination bucket) `storage.objects.getIamPolicy`^2,4 (for the source object) `storage.objects.setIamPolicy`^2,4 (for the destination bucket)
Move an object	`storage.objects.create` (for the destination bucket) `storage.objects.delete`¹ (for the destination bucket) `storage.objects.delete` (for the source bucket) `storage.objects.get` (for the source object) `storage.objects.list` (for the source bucket and destination bucket) `storage.objects.getIamPolicy`^2,4 (for the source object) `storage.objects.setIamPolicy`^2,4 (for the destination bucket)
View an object's access permissions^5,6	`storage.objects.get` `storage.objects.list` `storage.objects.getIamPolicy`
Edit an object's access permissions^5,6	`storage.objects.get` `storage.objects.list` `storage.objects.getIamPolicy` `storage.objects.setIamPolicy` `storage.objects.update`
Edit an object's metadata⁵	`storage.objects.get` `storage.objects.list` `storage.objects.update`
Add or remove a hold on an object⁵	`storage.objects.get` `storage.objects.list` `storage.objects.update`
Delete an object⁵ or folder of objects	`storage.objects.delete` `storage.objects.list`
View the HMAC keys for a project	`resourcemanager.projects.get` `storage.hmacKeys.list`
Create an HMAC key for a service account	`resourcemanager.projects.get` `storage.hmacKeys.list` `storage.hmacKeys.create`
Disable or re-enable an HMAC key for a service account	`resourcemanager.projects.get` `storage.hmacKeys.list` `storage.hmacKeys.update`
Delete an HMAC key for a service account	`resourcemanager.projects.get` `storage.hmacKeys.list` `storage.hmacKeys.delete`

¹This permission is only required if an object with the same name already exists in the destination bucket.

²This permission is only required when keeping the permissions currently applied to the source object.

³This permission is only required if you do not include a billing project in your request. See Requester Pays Use and access requirements for more information.

⁴This permission does not apply to buckets with uniform bucket-level access enabled.

⁵This action does not require storage.objects.list if it's performed on the details page for the relevant object and you don't access the details page from the overall list of objects for the bucket.

⁶This action does not apply to buckets with uniform bucket-level access enabled.

What's next

For a list of roles and the permissions they contain, see IAM Roles for Cloud Storage.
Assign IAM roles at the project and bucket level.