The following page discusses the Cloud Identity and Access Management (Cloud IAM) permissions required to perform various actions on Cloud Storage buckets and objects when using the GCP Console.
Common permissions required for using the GCP Console
Certain permissions are broadly necessary in order to use the GCP Console:
All actions involving buckets require
resourcemanager.projects.getandstorage.buckets.listpermissions at the project level.These permissions allow you to access the buckets page of the Console Browser where you create, view, and update buckets.
Generally, actions involving objects require
storage.objects.listpermission at the project or bucket level.This permission is not required if you only access the details pages for specific objects and you never need to access the overall list of objects in a bucket.
All actions that include a billing project in the request require
serviceusage.services.usepermission for the project that's specified.This permission ensures you are authorized to bill the project you specify. Including a billing project is used, for example, when accessing a bucket with Requester Pays enabled.
Permissions required for specific actions
| Action | Required Cloud IAM Permissions (in addition to those listed above) |
|---|---|
| Create a bucket | storage.buckets.create |
| List or filter buckets | No additional permissions |
| Access the Overview tab of a bucket | storage.buckets.get |
| View or edit the website configuration of a bucket (if enabled) | storage.buckets.get |
storage.buckets.update |
|
| Change bucket labels, default storage class, or default event-based hold | storage.buckets.get |
storage.buckets.update |
|
| Enable the Requester Pays feature | storage.buckets.get |
storage.buckets.update |
|
| Disable the Requester Pays feature | storage.buckets.get |
storage.buckets.update |
|
resourcemanager.projects.createBillingAssignment3 |
|
| Set or update object lifecycle policies | storage.buckets.get |
storage.buckets.update |
|
| View object lifecycle policies | storage.buckets.get |
| Set or remove a bucket's default Cloud Key Management Service key | storage.buckets.get |
storage.buckets.update |
|
| View a bucket's default Cloud Key Management Service key | storage.buckets.get |
| Set, remove, or lock a bucket's retention policy | storage.buckets.get |
storage.buckets.update |
|
| View a bucket's retention policy | storage.buckets.get |
| Set or remove Bucket Policy Only for a bucket | storage.buckets.get |
storage.buckets.update |
|
| View a bucket's Bucket Policy Only status | storage.buckets.get |
| Change bucket permissions | storage.buckets.get |
storage.buckets.getIamPolicy |
|
storage.buckets.setIamPolicy |
|
storage.buckets.update |
|
| Delete an empty bucket | storage.buckets.delete |
storage.objects.list |
|
| Delete a non-empty bucket | storage.buckets.delete |
storage.objects.delete |
|
storage.objects.list |
|
| Upload an object | storage.objects.create |
| View the details page for an object5 | storage.objects.get |
| Download an object5 | storage.objects.get |
| List objects in a bucket | No additional permissions |
| Determine if an object is publicly accessible5 | storage.objects.getIamPolicy4 |
| Rename an object | storage.objects.create |
storage.objects.delete |
|
storage.objects.get |
|
storage.objects.getIamPolicy4 |
|
storage.objects.setIamPolicy4 |
|
| Copy an object | storage.objects.create (for the destination bucket) |
storage.objects.delete1 (for the destination bucket) |
|
storage.objects.get (for the source object) |
|
storage.objects.getIamPolicy2,4 (for the source object) |
|
storage.objects.setIamPolicy2,4 (for the destination bucket) |
|
| Move an object | storage.objects.create (for the destination bucket) |
storage.objects.delete1 (for the destination bucket) |
|
storage.objects.delete (for the source bucket) |
|
storage.objects.get (for the source object) |
|
storage.objects.getIamPolicy2,4 (for the source object) |
|
storage.objects.setIamPolicy2,4 (for the destination bucket) |
|
| View an object's access permissions5 | storage.objects.get |
storage.objects.getIamPolicy4 |
|
| Edit an object's access permissions5 | storage.objects.get |
storage.objects.getIamPolicy4 |
|
storage.objects.setIamPolicy4 |
|
storage.objects.update |
|
| Edit an object's metadata | storage.objects.get |
storage.objects.update |
|
| Add or remove a hold on an object | storage.objects.get |
storage.objects.update |
|
| Delete an object5 | storage.objects.delete |
| View the HMAC keys for a project | resourcemanager.projects.get |
storage.hmacKeys.list |
|
| Create an HMAC key for a service account | resourcemanager.projects.get |
storage.hmacKeys.list |
|
storage.hmacKeys.create |
|
| Disable or re-enable an HMAC key for a service account | resourcemanager.projects.get |
storage.hmacKeys.list |
|
storage.hmacKeys.update |
|
| Delete an HMAC key for a service account | resourcemanager.projects.get |
storage.hmacKeys.list |
|
storage.hmacKeys.delete |
1This permission is only required when the copied/moved object has the same name as an object that already exists in the bucket.
2This permission is only required when keeping the permissions currently applied to the source object.
3This permission is only required if you do not include a billing project in your request. See Requester Pays Use and access requirements for more information.
4This permission does not apply to buckets with Bucket Policy Only enabled.
5This action does not require storage.objects.list
if it's performed on the details page for the relevant object.
What's next
- For a list of roles and the permissions they contain, see Cloud IAM Roles for Cloud Storage.
Need help? Visit our