IAM permissions for the Google Cloud Platform Console

This page describes the Identity and Access Management (IAM) permissions required to perform various actions on Google Cloud Storage buckets and objects when using the Cloud Platform Console.

Common permissions required for using the Cloud Platform Console

Certain permissions are needed for nearly all use of the Cloud Platform Console:

  • All actions involving buckets require resourcemanager.projects.get and storage.buckets.list permissions at the project level.

    These permissions allow you to access the buckets page of the Console Browser where you create, view, and update buckets.

  • All actions involving objects require storage.objects.list permission at the project or bucket level.

    This permission allows you to access object pages of the Console Browser where you upload, view, and modify objects.

Permissions required for specific actions

Each action below is listed with the IAM permissions it requires in addition to those listed above. Footnote markers [1] and [2] are explained after the list.

  • Create a bucket: storage.buckets.create

  • List or filter buckets: no additional permissions

  • View or edit the website configuration of a bucket (if enabled): storage.buckets.get, storage.buckets.update, storage.buckets.setIamPolicy

  • Change bucket labels or default storage class: storage.buckets.get, storage.buckets.update, storage.buckets.setIamPolicy

  • Set or update object lifecycle policies: storage.buckets.get, storage.buckets.update, storage.buckets.setIamPolicy

  • View object lifecycle policies: storage.buckets.get

  • Change bucket permissions: storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update

  • Delete an empty bucket: storage.buckets.delete

  • Delete a non-empty bucket: storage.buckets.delete, storage.objects.delete, storage.objects.list

  • Upload an object: storage.objects.create

  • View or download an object: storage.objects.get

  • List objects in a bucket: no additional permissions

  • Rename an object: storage.objects.create, storage.objects.delete, storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy

  • Copy an object: storage.objects.create (for the destination bucket), storage.objects.delete [1] (for the destination bucket), storage.objects.get (for the source object), storage.objects.getIamPolicy [2] (for the source object), storage.objects.setIamPolicy [2] (for the destination bucket)

  • Move an object: storage.objects.create (for the destination bucket), storage.objects.delete [1] (for the destination bucket), storage.objects.delete (for the source bucket), storage.objects.get (for the source object), storage.objects.getIamPolicy [2] (for the source object), storage.objects.setIamPolicy [2] (for the destination bucket)

  • Share an object: storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update

  • Edit an object's permissions: storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update

  • Edit an object's metadata: storage.objects.get, storage.objects.getIamPolicy, storage.objects.update

  • Delete an object: storage.objects.delete

[1] This permission is required only when the copied or moved object has the same name as an object that already exists in the destination bucket.

[2] This permission is required only when keeping the permissions currently applied to the source object.
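When designing a least-privilege custom role for Console users, it helps to check a proposed permission set against this table before granting it. The following script is an added example, not code from Google or from this documentation: it encodes the table above (baseline permissions included) and reports which permissions a principal still lacks for a given Console action, with the two footnoted copy/move conditions modelled as flags. The action names, the REVIEWER_ROLE permission set and the helper function names are assumptions made for the example; the script does not model which resource (project, bucket or object) each permission must be granted on.

```python
"""Least-privilege check for Cloud Storage actions in the Cloud Platform Console.

Added example (not part of the Google documentation). It encodes the permission
table above and answers: "can a principal holding this permission set perform
this Console action, and if not, what is missing?"
"""

# Baseline permissions from the "Common permissions" section above.
BUCKET_BASELINE = frozenset({"resourcemanager.projects.get", "storage.buckets.list"})
OBJECT_BASELINE = frozenset({"storage.objects.list"})

BKT = "storage.buckets."
OBJ = "storage.objects."

# action (hypothetical names) -> (scope, always required,
#   required when overwriting a same-named object [1],
#   required when keeping the source object's permissions [2])
ACTIONS = {
    "create_bucket": ("bucket", {BKT + "create"}, set(), set()),
    "list_buckets": ("bucket", set(), set(), set()),
    "edit_website_config": ("bucket", {BKT + "get", BKT + "update", BKT + "setIamPolicy"}, set(), set()),
    "change_labels_or_class": ("bucket", {BKT + "get", BKT + "update", BKT + "setIamPolicy"}, set(), set()),
    "set_lifecycle_policy": ("bucket", {BKT + "get", BKT + "update", BKT + "setIamPolicy"}, set(), set()),
    "view_lifecycle_policy": ("bucket", {BKT + "get"}, set(), set()),
    "change_bucket_permissions": ("bucket", {BKT + "get", BKT + "getIamPolicy", BKT + "setIamPolicy", BKT + "update"}, set(), set()),
    "delete_empty_bucket": ("bucket", {BKT + "delete"}, set(), set()),
    "delete_nonempty_bucket": ("bucket", {BKT + "delete", OBJ + "delete", OBJ + "list"}, set(), set()),
    "upload_object": ("object", {OBJ + "create"}, set(), set()),
    "view_object": ("object", {OBJ + "get"}, set(), set()),
    "list_objects": ("object", set(), set(), set()),
    "rename_object": ("object", {OBJ + "create", OBJ + "delete", OBJ + "get", OBJ + "getIamPolicy", OBJ + "setIamPolicy"}, set(), set()),
    "copy_object": ("object", {OBJ + "create", OBJ + "get"}, {OBJ + "delete"}, {OBJ + "getIamPolicy", OBJ + "setIamPolicy"}),
    "move_object": ("object", {OBJ + "create", OBJ + "delete", OBJ + "get"}, {OBJ + "delete"}, {OBJ + "getIamPolicy", OBJ + "setIamPolicy"}),
    "share_object": ("object", {OBJ + "get", OBJ + "getIamPolicy", OBJ + "setIamPolicy", OBJ + "update"}, set(), set()),
    "edit_object_permissions": ("object", {OBJ + "get", OBJ + "getIamPolicy", OBJ + "setIamPolicy", OBJ + "update"}, set(), set()),
    "edit_object_metadata": ("object", {OBJ + "get", OBJ + "getIamPolicy", OBJ + "update"}, set(), set()),
    "delete_object": ("object", {OBJ + "delete"}, set(), set()),
}


def required_permissions(action, overwrite=False, keep_permissions=False):
    """Full permission set for one Console action, baseline included."""
    scope, always, if_overwrite, if_keep = ACTIONS[action]
    needed = set(always)
    needed |= BUCKET_BASELINE if scope == "bucket" else OBJECT_BASELINE
    if overwrite:          # footnote [1]: destination already has an object of that name
        needed |= if_overwrite
    if keep_permissions:   # footnote [2]: carry the source object's ACL across
        needed |= if_keep
    return needed


def missing_permissions(granted, action, **conditions):
    """Sorted permissions that `granted` lacks for `action`; empty means allowed."""
    return sorted(required_permissions(action, **conditions) - set(granted))


def role_for(actions, **conditions):
    """Smallest permission set (a custom-role body) that covers every listed action."""
    needed = set()
    for action in actions:
        needed |= required_permissions(action, **conditions)
    return sorted(needed)


# Constructed sample: a proposed custom role for a read-only object reviewer.
REVIEWER_ROLE = {
    "resourcemanager.projects.get",
    "storage.buckets.list",
    "storage.objects.list",
    "storage.objects.get",
}

if __name__ == "__main__":
    for action in ("view_object", "upload_object", "copy_object"):
        gap = missing_permissions(REVIEWER_ROLE, action, overwrite=True)
        print(f"{action:14s} -> {'allowed' if not gap else 'missing ' + ', '.join(gap)}")
    print("minimal uploader role:", role_for(["upload_object", "view_object"]))
```

Running the script shows that the reviewer role can view objects but cannot upload or copy them, and that a Console user who only needs to upload and view objects requires just three permissions; the output of role_for is the list you would place in a custom role definition before granting it.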
