The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage JSON method on a given resource. IAM permissions are bundled together to make roles. You grant roles to users and groups.
For additional methods that only apply to buckets with Uniform bucket-level access disabled, see the ACL methods table.
| Resource | Method | Required IAM Permissions1 |
|---|---|---|
AnywhereCache |
create |
storage.anywhereCaches.create |
AnywhereCache |
disable |
storage.anywhereCaches.disable |
AnywhereCache |
get |
storage.anywhereCaches.get |
AnywhereCache |
list |
storage.anywhereCaches.list |
AnywhereCache |
pause |
storage.anywhereCaches.pause |
AnywhereCache |
resume |
storage.anywhereCaches.resume |
AnywhereCache |
update |
storage.anywhereCaches.update |
Buckets |
delete |
storage.buckets.delete |
Buckets |
get |
storage.buckets.getstorage.buckets.getIamPolicy2storage.buckets.getIpFilter13storage.anywhereCaches.get18 |
Buckets |
getIamPolicy |
storage.buckets.getIamPolicy |
Buckets |
insert |
storage.buckets.createstorage.buckets.enableObjectRetention3storage.buckets.setIpFilter14 |
Buckets |
list |
storage.buckets.liststorage.buckets.getIamPolicy2storage.buckets.getIpFilter13storage.anywhereCaches.list |
Buckets |
listChannels |
storage.buckets.get |
Buckets |
lockRetentionPolicy |
storage.buckets.update |
Buckets |
patch |
storage.buckets.updatestorage.buckets.getIamPolicy4storage.buckets.setIamPolicy5storage.buckets.setIpFilter14storage.buckets.getIpFilter13 |
Buckets |
relocate |
storage.buckets.relocate |
Buckets |
setIamPolicy |
storage.buckets.setIamPolicy |
Buckets |
testIamPermissions |
None |
Buckets |
update |
storage.buckets.updatestorage.buckets.getIamPolicy4storage.buckets.setIamPolicy5storage.buckets.setIpFilter14storage.buckets.getIpFilter13storage.anywhereCaches.update |
DatasetConfigs |
delete |
storageinsights.datasetConfigs.delete |
DatasetConfigs |
get |
storageinsights.datasetConfigs.get |
DatasetConfigs |
insert |
storageinsights.datasetConfigs.create |
DatasetConfigs |
list |
storageinsights.datasetConfigs.list |
DatasetConfigs |
linkDataset |
storageinsights.datasetConfigs.linkDataset |
DatasetConfigs |
unlinkDataset |
storageinsights.datasetConfigs.unlinkDataset |
DatasetConfigs |
patch |
storageinsights.datasetConfigs.update |
Channels |
stop |
None |
Folders |
get |
storage.folders.get |
Folders |
insert |
storage.folders.create |
Folders |
list |
storage.folders.list |
Folders |
rename |
storage.folders.renamestorage.folders.create |
Folders |
delete |
storage.folders.delete |
IntelligenceConfig |
getIntelligenceConfig |
storage.intelligenceConfigs.get |
IntelligenceConfig |
updateIntelligenceConfig |
storage.intelligenceConfigs.update |
Jobs |
create |
storagebatchoperations.jobs.create |
Jobs |
get |
storagebatchoperations.jobs.getstoragebatchoperations.operations.get |
Jobs |
list |
storagebatchoperations.jobs.liststoragebatchoperations.operations.list |
Jobs |
cancel |
storagebatchoperations.jobs.cancelstoragebatchoperations.operations.cancel |
Jobs |
delete |
storagebatchoperations.jobs.delete |
ManagedFolders |
delete |
storage.managedfolders.deletestorage.managedfolders.setIamPolicy10 |
ManagedFolders |
get |
storage.managedfolders.get |
ManagedFolders |
getIamPolicy |
storage.managedfolders.getIamPolicy |
ManagedFolders |
insert |
storage.managedfolders.create |
ManagedFolders |
list |
storage.managedfolders.list |
ManagedFolders |
update |
storage.managedfolders.update |
ManagedFolders |
setIamPolicy |
storage.managedfolders.setIamPolicy |
Notifications |
delete |
storage.buckets.update |
Notifications |
get |
storage.buckets.get |
Notifications |
insert |
storage.buckets.update |
Notifications |
list |
storage.buckets.get |
Objects |
bulkRestore |
storage.buckets.restorestorage.objects.createstorage.objects.delete11storage.objects.restorestorage.objects.setIamPolicy6,12 |
Objects |
compose |
storage.objects.getstorage.objects.createstorage.objects.delete7storage.objects.getIamPolicy2,6storage.objects.setRetention8 |
Objects |
copy |
storage.objects.getstorage.objects.createstorage.objects.deletestorage.objects.setRetention |
Objects |
delete |
storage.objects.delete |
Objects |
get |
storage.objects.getstorage.objects.getIamPolicy2,6 |
Objects |
insert |
storage.objects.createstorage.objects.delete7storage.objects.setRetention8 |
Objects |
list |
storage.objects.liststorage.objects.getIamPolicy2,6 |
Objects |
move |
storage.objects.move15storage.objects.delete15storage.objects.get15storage.objects.createstorage.objects.delete16storage.folders.create17 |
Objects |
patch |
storage.objects.updatestorage.objects.setRetention8storage.objects.overrideUnlockedRetention9storage.objects.getIamPolicy4,6storage.objects.setIamPolicy5,6 |
Objects |
restore |
storage.objects.createstorage.objects.delete7storage.objects.restorestorage.objects.getIamPolicy2,6storage.objects.setIamPolicy6,12 |
Objects |
rewrite |
storage.objects.getstorage.objects.createstorage.objects.deletestorage.objects.setRetention |
Objects |
update |
storage.objects.updatestorage.objects.setRetention8storage.objects.overrideUnlockedRetention9storage.objects.getIamPolicy4,6storage.objects.setIamPolicy5,6 |
Objects |
watchAll |
storage.buckets.update |
Projects.hmacKeys |
create |
storage.hmacKeys.create |
Projects.hmacKeys |
delete |
storage.hmacKeys.delete |
Projects.hmacKeys |
get |
storage.hmacKeys.get |
Projects.hmacKeys |
list |
storage.hmacKeys.list |
Projects.hmacKeys |
update |
storage.hmacKeys.update |
Projects.serviceAccount |
get |
resourceManager.projects.get |
ReportConfigs |
delete |
storageinsights.reportConfigs.delete |
ReportConfigs |
get |
storageinsights.reportConfigs.get |
ReportConfigs |
list |
storageinsights.reportConfigs.list |
ReportConfigs |
insert |
storageinsights.reportConfigs.create |
ReportConfigs |
update |
storageinsights.reportConfigs.update |
ReportDetails |
get |
storageinsights.reportDetails.get |
ReportDetails |
list |
storageinsights.reportDetails.list |
1 If you use the userProject parameter or the
x-goog-user-project header in your request, you must have
serviceusage.services.use permission for the project ID that you specify, in
addition to the normal IAM permissions required to make the
request.
2 This permission is only required if you want to include ACLs
or IAM policies as part of a full projection. If you don't have
this permission and request a full projection, you receive only a partial
projection.
3 This permission is only required when the request includes the
enableObjectRetention query parameter.
4 This permission is only required if you want to include ACLs as part of the response.
5 This permission is required if you want to include ACLs or changes to the public access prevention setting as part of the request.
6 This permission does not apply to buckets with uniform bucket-level access enabled.
7 This permission is only required if the request causes an object with the same name to be overwritten.
8 This permission is required when the request body includes the
retention property or when making an
UPDATE
request for an object that has an existing retention configuration.
9 This permission is only required when the request includes the
query parameter overrideUnlockedRetention=true.
10 This permission is only required when the request includes the
query parameter allowNonEmpty=true.
11 This permission is only required when the request includes the
query parameter allowOverwrite=true and the request causes an object with the
same name to be overwritten.
12 This permission is only required when the request includes the
query parameter copySourceAcl=true.
13 This permission is only required if you want to include bucket IP
filtering rules as part of a full projection. If you don't have this
permission and request a full projection, you receive only a partial
projection. If you want to exclude bucket IP filtering rules in your response,
you can request a noAcl projection.
14 This permission is only required if you want to create, list, delete, and update bucket IP filtering rules.
15 To move an object within a bucket with hierarchical namespace enabled, you either need storage.objects.delete and storage.objects.get permissions, or storage.objects.move permission if you want to move it without granting read or delete access to the object.
16 This permission is required only if you want to replace an object.
17 This permission is required only if you want to automatically create any missing parent folders.
18 This permission is only required if you want to return caches created with Anywhere Cache.
ACL-related methods
The following table lists the IAM permissions required to run JSON methods that apply specifically to the management of ACLs. These methods only apply to buckets that have Uniform bucket-level access disabled.
| Resource | Method | Required IAM Permissions1 |
|---|---|---|
BucketAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
ObjectAccessControls |
delete |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
get |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
insert |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
list |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
patch |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
update |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
1 If you use the userProject parameter or the
x-goog-user-project header in your request, you must have
serviceusage.services.use permission for the project ID that you specify,
in addition to the normal IAM permissions required to make the
request.
What's next
For a list of roles and the permissions they contain, see IAM Roles for Cloud Storage.
Assign IAM roles at the project and bucket level.