The following page discusses the Identity and Access Management (IAM) permissions required to perform various actions on Google Cloud Storage buckets and objects when using the Cloud Platform Console.
Common permissions required for using the Cloud Platform Console
Certain permissions are broadly necessary in order to use the Cloud Platform Console:
-
All actions involving buckets require
resourcemanager.projects.getandstorage.buckets.listpermissions at the project level.These permissions allow you to access the buckets page of the Console Browser where you create, view, and update buckets.
-
All actions involving objects require
storage.objects.listpermission at the project or bucket level.This permission allows you to access object pages of the Console Browser where you upload, view, and modify objects.
Permissions required for specific actions
| Action | Required IAM Permissions (in addition to those listed above) |
|---|---|
| Create a bucket | storage.buckets.create |
| List or filter buckets | No additional permissions |
| View or edit the website configuration of a bucket (if enabled) | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| Change bucket labels or default storage class | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| Set or update object lifecycle policies | storage.buckets.get |
storage.buckets.update |
|
storage.buckets.setIamPolicy |
|
| View object lifecycle policies | storage.buckets.get |
| Change bucket permissions | storage.buckets.get |
storage.buckets.getIamPolicy |
|
storage.buckets.setIamPolicy |
|
storage.buckets.update |
|
| Delete an empty bucket | storage.buckets.delete |
| Delete a non-empty bucket | storage.buckets.delete |
storage.objects.delete |
|
storage.objects.list |
|
| Upload an object | storage.objects.create |
| View or download an object | storage.objects.get |
| List objects in a bucket | No additional permissions |
| Rename an object | storage.objects.create |
storage.objects.delete |
|
storage.objects.get |
|
storage.objects.getIamPolicy |
|
storage.objects.setIamPolicy |
|
| Copy an object | storage.objects.create (for the destination bucket) |
storage.objects.delete1 (for the destination bucket) |
|
storage.objects.get (for the source object) |
|
storage.objects.getIamPolicy2 (for the source object) |
|
storage.objects.setIamPolicy2 (for the destination bucket) |
|
| Move an object | storage.objects.create (for the destination bucket) |
storage.objects.delete1 (for the destination bucket) |
|
storage.objects.delete (for the source bucket) |
|
storage.objects.get (for the source object) |
|
storage.objects.getIamPolicy2 (for the source object) |
|
storage.objects.setIamPolicy2 (for the destination bucket) |
|
| Share an object | storage.objects.get |
storage.objects.getIamPolicy |
|
storage.objects.setIamPolicy |
|
storage.objects.update |
|
| Edit an object's permissions | storage.objects.get |
storage.objects.getIamPolicy |
|
storage.objects.setIamPolicy |
|
storage.objects.update |
|
| Edit an object's metadata | storage.objects.get |
storage.objects.getIamPolicy |
|
storage.objects.update |
|
| Delete an object | storage.objects.delete |
1This permission is only required when the copied/moved object has the same name as an object that already exists in the bucket.
2This permission is only required when keeping the permissions currently applied to the source object.
