IAM permissions for the Google Cloud console

The following page discusses the Identity and Access Management (IAM) permissions required to perform actions within the Cloud Storage portion of the Google Cloud console. IAM permissions are bundled together to make roles, and you grant roles to users and groups.

Common permissions required for using the Google Cloud console

Certain permissions are broadly necessary in order to use the Google Cloud console:

  • All actions involving buckets should include resourcemanager.projects.get and storage.buckets.list permissions at the project level.

    These permissions allow you to access the Buckets page, where you create, view, and update buckets.

  • All actions that include a billing project in the request require serviceusage.services.use permission for the project that's specified.

    This permission ensures you are authorized to bill the project you specify. Including a billing project is used, for example, when accessing a bucket with Requester Pays enabled.

Permissions required for specific actions

Action Required IAM Permissions (in addition to those listed above)
Create a bucket storage.buckets.create storage.buckets.enableObjectRetention1
Attach a tag to a bucket storage.buckets.createTagBinding
List or filter buckets No additional permissions
List tags directly attached to a bucket storage.buckets.listTagBindings
List both inherited tags and tags directly attached to a bucket storage.buckets.listEffectiveTags
View the following bucket information:
  • Location, replication status, and default storage class
  • Protection settings
  • Bucket labels
  • Object lifecycle policies
  • Public access prevention status
  • Uniform bucket-level access status
  • Autoclass status
  • Website configuration
storage.buckets.get
Change the following bucket settings:
  • Protection settings
  • Default storage class
  • Bucket labels
  • Object lifecycle policies
  • Uniform bucket-level access status
  • Autoclass status
  • Website configuration
storage.buckets.get
storage.buckets.update
Enable the Requester Pays feature storage.buckets.get
storage.buckets.update
Disable the Requester Pays feature storage.buckets.get
storage.buckets.update
resourcemanager.projects.createBillingAssignment3
Change the public access prevention setting storage.buckets.get
storage.buckets.setIamPolicy
storage.buckets.update
Change bucket permissions storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
Delete an empty bucket storage.buckets.delete
storage.objects.list
Delete a non-empty bucket storage.buckets.delete
storage.objects.delete
storage.objects.list
Detach a tag from a bucket storage.buckets.deleteTagBinding
Create a folder storage.folders.create
Get the metadata of a folder storage.folders.get
List folders storage.folders.list
Rename folders storage.folders.rename (for the source bucket)
storage.folders.create (for the destination bucket)
Delete folders storage.folders.delete
Upload an object or folder of objects storage.objects.create
storage.objects.delete2
storage.objects.setRetention4
View the details for an object5 storage.objects.get
storage.objects.list
View the version history of an object storage.objects.get
storage.objects.list
Download an object5 or folder of objects storage.objects.get
storage.objects.list
List objects in a bucket, including noncurrent objects and soft-deleted objects storage.objects.list
Determine if an object is publicly accessible5 storage.buckets.getIamPolicy
storage.objects.list
storage.objects.getIamPolicy7
Rename an object or restore a noncurrent version of an object storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.getIamPolicy7
storage.objects.setIamPolicy7
Copy an object storage.objects.create (for the destination bucket)
storage.objects.delete2 (for the destination bucket)
storage.objects.get (for the source object)
storage.objects.list (for the source bucket and destination bucket)
storage.objects.getIamPolicy7,8 (for the source object)
storage.objects.setIamPolicy7,8 (for the destination bucket)
Move an object storage.objects.create (for the destination bucket)
storage.objects.delete2 (for the destination bucket)
storage.objects.delete (for the source bucket)
storage.objects.get (for the source object)
storage.objects.list (for the source bucket and destination bucket)
storage.objects.getIamPolicy7,8 (for the source object)
storage.objects.setIamPolicy7,8 (for the destination bucket)
View an object's access permissions5,6 storage.objects.get
storage.objects.list
storage.objects.getIamPolicy
Edit an object's access permissions5,6 storage.objects.get
storage.objects.list
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
Edit an object's metadata5 storage.objects.get
storage.objects.list
storage.objects.update
Add, change, or remove a retention configuration on an object5 storage.objects.get
storage.objects.list
storage.objects.update
storage.objects.setRetention
storage.objects.overrideUnlockedRetention9
Add or remove a hold on an object5 storage.objects.get
storage.objects.list
storage.objects.update
Delete an object5, a noncurrent version of an object, or a folder of objects storage.objects.delete
storage.objects.list
Restore a deleted object storage.objects.create
storage.objects.delete2
storage.objects.list
storage.objects.restore
Bulk restore deleted objects storage.objects.create
storage.objects.delete10
storage.objects.restore
storage.buckets.restore
storage.objects.setIamPolicy7,11
View the name of a project's Cloud Storage service agent resourcemanager.projects.get
View the service account HMAC keys for a project resourcemanager.projects.get
storage.hmacKeys.list
Create an HMAC key for a service account resourcemanager.projects.get
storage.hmacKeys.list
storage.hmacKeys.create
Disable or re-enable an HMAC key for a service account resourcemanager.projects.get
storage.hmacKeys.list
storage.hmacKeys.update
Delete an HMAC key for a service account resourcemanager.projects.get
storage.hmacKeys.list
storage.hmacKeys.delete
Create, view, or delete an HMAC key for the user account you are logged in as resourcemanager.projects.get

1This permission is only required when enabling a bucket to support object retention configurations.

2This permission is only required if an object with the same name already exists in the destination bucket.

3This permission is only required if you do not include a billing project in your request. See Requester Pays Use and access requirements for more information.

4This permission is only required when adding a retention configuration as part of uploading the object.

5This action does not require storage.objects.list if it's performed on the details page for the relevant object and you don't access the details page from the overall list of objects for the bucket.

6This action does not apply to buckets with uniform bucket-level access enabled.

7This permission does not apply to buckets with uniform bucket-level access enabled.

8This permission is only required when keeping the permissions currently applied to the source object.

9This permission is required when changing an existing retention configuration such that the configuration becomes locked, reduced, or removed.

10This permission is only required if an object with the same name already exists in the destination bucket and you select the Overwrite live objects option.

11 This permission is only required when selecting the Copy source access controls (ACLs) option.

What's next