The following page discusses the Identity and Access Management (IAM) permissions required to perform various actions on Cloud Storage buckets and objects when using the GCP Console.
Common permissions required for using the GCP Console
Certain permissions are broadly necessary in order to use the GCP Console:
All actions involving buckets require
resourcemanager.projects.getandstorage.buckets.listpermissions at the project level.These permissions allow you to access the buckets page of the Console Browser where you create, view, and update buckets.
All actions involving objects require
storage.objects.listpermission at the project or bucket level.This permission allows you to access object pages of the Console Browser where you upload, view, and modify objects.
All actions that include a billing project in the request require
serviceusage.services.usepermission for the project that's specified.This permissions ensures you are authorized to bill the project you specify. Including a billing project is used, for example, when accessing a bucket with Requester Pays enabled.
Permissions required for specific actions
| Action | Required IAM Permissions (in addition to those listed above) |
|---|---|
| Create a bucket | storage.buckets.create |
| List or filter buckets | No additional permissions |
| Access the Overview tab of a bucket | storage.buckets.get |
| View or edit the website configuration of a bucket (if enabled) | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| Change bucket labels or default storage class | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| Enable the Requester Pays feature | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| Disable the Requester Pays feature | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
resourcemanager.projects.createBillingAssignment3 |
|
| Set or update object lifecycle policies | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| View object lifecycle policies | storage.buckets.get |
| Set or remove a bucket's default Cloud Key Management Service key | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| >View a bucket's default Cloud Key Management Service key | storage.buckets.get |
| Change bucket permissions | storage.buckets.get |
storage.buckets.getIamPolicy |
|
storage.buckets.setIamPolicy |
|
storage.buckets.update |
|
| Delete an empty bucket | storage.buckets.delete |
storage.objects.list |
|
| Delete a non-empty bucket | storage.buckets.delete |
storage.objects.delete |
|
storage.objects.list |
|
| Upload an object | storage.objects.create |
| View or download an object | storage.objects.get |
| List objects in a bucket | No additional permissions |
| Use the public access column to determine how an object is publicly accessible. | storage.objects.getIamPolicy |
| Rename an object | storage.objects.create |
storage.objects.delete |
|
storage.objects.get |
|
storage.objects.getIamPolicy |
|
storage.objects.setIamPolicy |
|
| Copy an object | storage.objects.create (for the destination bucket) |
storage.objects.delete1 (for the destination bucket) |
|
storage.objects.get (for the source object) |
|
storage.objects.getIamPolicy2 (for the source object) |
|
storage.objects.setIamPolicy2 (for the destination bucket) |
|
| Move an object | storage.objects.create (for the destination bucket) |
storage.objects.delete1 (for the destination bucket) |
|
storage.objects.delete (for the source bucket) |
|
storage.objects.get (for the source object) |
|
storage.objects.getIamPolicy2 (for the source object) |
|
storage.objects.setIamPolicy2 (for the destination bucket) |
|
| Share an object | storage.objects.get |
storage.objects.getIamPolicy |
|
storage.objects.setIamPolicy |
|
storage.objects.update |
|
| Edit an object's permissions | storage.objects.get |
storage.objects.getIamPolicy |
|
storage.objects.setIamPolicy |
|
storage.objects.update |
|
| Edit an object's metadata | storage.objects.get |
storage.objects.update |
|
| Delete an object | storage.objects.delete |
1This permission is only required when the copied/moved object has the same name as an object that already exists in the bucket.
2This permission is only required when keeping the permissions currently applied to the source object.
3This permission is only required if you do not include a billing project in your request. See Requester Pays Use and access requirements for more information.
What's next
- For a list of roles and the permissions they contain, see Cloud Storage IAM Roles.
Need help? Visit our