IAM permissions for the Google Cloud Platform Console

The following page discusses the Identity and Access Management (IAM) permissions required to perform various actions on Cloud Storage buckets and objects when using the GCP Console.

Common permissions required for using the GCP Console

Certain permissions are broadly necessary in order to use the GCP Console:

• All actions involving buckets require resourcemanager.projects.get and storage.buckets.list permissions at the project level.

  These permissions allow you to access the buckets page of the Console Browser where you create, view, and update buckets.

• All actions involving objects require storage.objects.list permission at the project or bucket level.

  This permission allows you to access object pages of the Console Browser where you upload, view, and modify objects.

• All actions that include a billing project in the request require serviceusage.services.use permission for the project that's specified.

  This permissions ensures you are authorized to bill the project you specify. Including a billing project is used, for example, when accessing a bucket with Requester Pays enabled.

Permissions required for specific actions

Action	Required IAM Permissions (in addition to those listed above)
Create a bucket	storage.buckets.create
List or filter buckets	No additional permissions
Access the Overview tab of a bucket	storage.buckets.get
View or edit the website configuration of a bucket (if enabled)	storage.buckets.get
	storage.buckets.update
	storage.buckets.setIamPolicy
Change bucket labels or default storage class	storage.buckets.get
	storage.buckets.update
	storage.buckets.setIamPolicy
Enable or disable the Requester Pays feature	storage.buckets.get
	storage.buckets.update
	storage.buckets.setIamPolicy
Set or update object lifecycle policies	storage.buckets.get
	storage.buckets.update
	storage.buckets.setIamPolicy
View object lifecycle policies	storage.buckets.get
Set, view, or remove a bucket's default Cloud Key Management Service key	storage.buckets.get
	storage.buckets.update
	storage.buckets.setIamPolicy
Change bucket permissions	storage.buckets.get
	storage.buckets.getIamPolicy
	storage.buckets.setIamPolicy
	storage.buckets.update
Delete an empty bucket	storage.buckets.delete
	storage.objects.list
Delete a non-empty bucket	storage.buckets.delete
	storage.objects.delete
	storage.objects.list
Upload an object	storage.objects.create
View or download an object	storage.objects.get
List objects in a bucket	No additional permissions
Use the public access column to determine how an object is publicly accessible.	storage.objects.getIamPolicy
Rename an object	storage.objects.create
	storage.objects.delete
	storage.objects.get
	storage.objects.getIamPolicy
	storage.objects.setIamPolicy
Copy an object	storage.objects.create (for the destination bucket)
	storage.objects.delete1 (for the destination bucket)
	storage.objects.get (for the source object)
	storage.objects.getIamPolicy2 (for the source object)
	storage.objects.setIamPolicy2 (for the destination bucket)
Move an object	storage.objects.create (for the destination bucket)
	storage.objects.delete1 (for the destination bucket)
	storage.objects.delete (for the source bucket)
	storage.objects.get (for the source object)
	storage.objects.getIamPolicy2 (for the source object)
	storage.objects.setIamPolicy2 (for the destination bucket)
Share an object	storage.objects.get
	storage.objects.getIamPolicy
	storage.objects.setIamPolicy
	storage.objects.update
Edit an object's permissions	storage.objects.get
	storage.objects.getIamPolicy
	storage.objects.setIamPolicy
	storage.objects.update
Edit an object's metadata	storage.objects.get
	storage.objects.update
Delete an object	storage.objects.delete

¹This permission is only required when the copied/moved object has the same name as an object that already exists in the bucket.

²This permission is only required when keeping the permissions currently applied to the source object.