The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage JSON method on a given resource. IAM permissions are bundled together to make roles. You grant roles to users and groups.
For additional methods that only apply to buckets with Uniform bucket-level access disabled, see the ACL methods table.
Resource | Method | Required IAM Permissions [1] |
---|---|---|
Buckets | delete | storage.buckets.delete |
Buckets | get | storage.buckets.get, storage.buckets.getIamPolicy [2] |
Buckets | getIamPolicy | storage.buckets.getIamPolicy |
Buckets | insert | storage.buckets.create |
Buckets | list | storage.buckets.list, storage.buckets.getIamPolicy [2] |
Buckets | listChannels | storage.buckets.get |
Buckets | lockRetentionPolicy | storage.buckets.update |
Buckets | patch | storage.buckets.update, storage.buckets.getIamPolicy [3], storage.buckets.setIamPolicy [5] |
Buckets | setIamPolicy | storage.buckets.setIamPolicy |
Buckets | testIamPermissions | None |
Buckets | update | storage.buckets.setIamPolicy [5], storage.buckets.update |
Channels | stop | None |
Notifications | delete | storage.buckets.update |
Notifications | get | storage.buckets.get |
Notifications | insert | storage.buckets.update |
Notifications | list | storage.buckets.get |
Objects | compose | storage.objects.create, storage.objects.delete [4], storage.objects.get |
Objects | copy | storage.objects.create, storage.objects.delete, storage.objects.get |
Objects | delete | storage.objects.delete |
Objects | get | storage.objects.get, storage.objects.getIamPolicy [2][6] |
Objects | insert | storage.objects.create, storage.objects.delete [4] |
Objects | list | storage.objects.list, storage.objects.getIamPolicy [2][6] |
Objects | patch | storage.objects.get, storage.objects.getIamPolicy [3][6], storage.objects.update, storage.objects.setIamPolicy [3][6] |
Objects | rewrite | storage.objects.create, storage.objects.delete, storage.objects.get |
Objects | update | storage.objects.setIamPolicy [6], storage.objects.update |
Objects | watchAll | storage.buckets.update |
Projects.hmacKeys | create | storage.hmacKeys.create |
Projects.hmacKeys | delete | storage.hmacKeys.delete |
Projects.hmacKeys | get | storage.hmacKeys.get |
Projects.hmacKeys | list | storage.hmacKeys.list |
Projects.hmacKeys | update | storage.hmacKeys.update |
Projects.serviceAccount | get | resourceManager.projects.get |
ReportConfigs | delete | storageinsights.reportConfigs.delete |
ReportConfigs | get | storageinsights.reportConfigs.get |
ReportConfigs | list | storageinsights.reportConfigs.list |
ReportConfigs | insert | storageinsights.reportConfigs.create |
ReportConfigs | update | storageinsights.reportConfigs.update |
ReportDetails | get | storageinsights.reportDetails.get |
ReportDetails | list | storageinsights.reportDetails.list |
[1] If you use the userProject parameter or the x-goog-user-project header in your request, you must have the serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.
[2] This permission is only required if you want to include ACLs or IAM policies as part of a full projection. If you don't have this permission and request a full projection, you receive only a partial projection.
[3] This permission is only required if you want to include ACLs or IAM policies as part of the response.
[4] This permission is only required when the inserted object has the same name as an object that already exists in the bucket.
[5] This permission is required if you want to include ACLs, IAM policies, or changes to the public access prevention setting as part of the request.
[6] This permission does not apply to buckets with uniform bucket-level access enabled.
ACL-related methods
The following table lists the IAM permissions required to run JSON methods that apply specifically to the management of ACLs. These methods only apply to buckets that have Uniform bucket-level access disabled.
Resource | Method | Required IAM Permissions [1] |
---|---|---|
BucketAccessControls | delete | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
BucketAccessControls | get | storage.buckets.get, storage.buckets.getIamPolicy |
BucketAccessControls | insert | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
BucketAccessControls | list | storage.buckets.get, storage.buckets.getIamPolicy |
BucketAccessControls | patch | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
BucketAccessControls | update | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
DefaultObjectAccessControls | delete | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
DefaultObjectAccessControls | get | storage.buckets.get, storage.buckets.getIamPolicy |
DefaultObjectAccessControls | insert | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
DefaultObjectAccessControls | list | storage.buckets.get, storage.buckets.getIamPolicy |
DefaultObjectAccessControls | patch | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
DefaultObjectAccessControls | update | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
ObjectAccessControls | delete | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |
ObjectAccessControls | get | storage.objects.get, storage.objects.getIamPolicy |
ObjectAccessControls | insert | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |
ObjectAccessControls | list | storage.objects.get, storage.objects.getIamPolicy |
ObjectAccessControls | patch | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |
ObjectAccessControls | update | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |
[1] If you use the userProject parameter or the x-goog-user-project header in your request, you must have the serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.
What's next
For a list of roles and the permissions they contain, see IAM Roles for Cloud Storage.
Assign IAM roles at the project and bucket level.