The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage JSON method on a given resource. IAM permissions are bundled together to make roles. You grant roles to users and groups.
For additional methods that only apply to buckets with Uniform bucket-level access disabled, see the ACL methods table.
| Resource | Method | Required IAM Permissions1 |
|---|---|---|
Buckets |
delete |
storage.buckets.delete |
Buckets |
get |
storage.buckets.getstorage.buckets.getIamPolicy2 |
Buckets |
getIamPolicy |
storage.buckets.getIamPolicy |
Buckets |
insert |
storage.buckets.create |
Buckets |
list |
storage.buckets.liststorage.buckets.getIamPolicy2 |
Buckets |
listChannels |
storage.buckets.get |
Buckets |
lockRetentionPolicy |
storage.buckets.update |
Buckets |
patch |
storage.buckets.updatestorage.buckets.getIamPolicy3storage.buckets.setIamPolicy5 |
Buckets |
setIamPolicy |
storage.buckets.setIamPolicy |
Buckets |
testIamPermissions |
None |
Buckets |
update |
storage.buckets.setIamPolicy5storage.buckets.update |
Channels |
stop |
None |
Notifications |
delete |
storage.buckets.update |
Notifications |
get |
storage.buckets.get |
Notifications |
insert |
storage.buckets.update |
Notifications |
list |
storage.buckets.get |
Objects |
compose |
storage.objects.createstorage.objects.delete4storage.objects.get |
Objects |
copy |
storage.objects.createstorage.objects.deletestorage.objects.get |
Objects |
delete |
storage.objects.delete |
Objects |
get |
storage.objects.getstorage.objects.getIamPolicy2,6 |
Objects |
insert |
storage.objects.createstorage.objects.delete4 |
Objects |
list |
storage.objects.liststorage.objects.getIamPolicy2,6 |
Objects |
patch |
storage.objects.getstorage.objects.getIamPolicy3,6storage.objects.updatestorage.objects.setIamPolicy3,6 |
Objects |
rewrite |
storage.objects.createstorage.objects.deletestorage.objects.get |
Objects |
update |
storage.objects.setIamPolicy6storage.objects.update |
Objects |
watchAll |
storage.buckets.update |
Projects.hmacKeys |
create |
storage.hmacKeys.create |
Projects.hmacKeys |
delete |
storage.hmacKeys.delete |
Projects.hmacKeys |
get |
storage.hmacKeys.get |
Projects.hmacKeys |
list |
storage.hmacKeys.list |
Projects.hmacKeys |
update |
storage.hmacKeys.update |
Projects.serviceAccount |
get |
resourceManager.projects.get |
ReportConfigs |
delete |
storageinsights.reportConfigs.delete |
ReportConfigs |
get |
storageinsights.reportConfigs.get |
ReportConfigs |
list |
storageinsights.reportConfigs.list |
ReportConfigs |
insert |
storageinsights.reportConfigs.create |
ReportConfigs |
update |
storageinsights.reportConfigs.update |
ReportDetails |
get |
storageinsights.reportDetails.get |
ReportDetails |
list |
storageinsights.reportDetails.list |
1 If you use the userProject parameter or the
x-goog-user-project header in your request, you must have
serviceusage.services.use permission for the project ID that you specify,
in addition to the normal IAM permissions required to make the
request.
2 This permission is only required if you want to include ACLs
or IAM policies as part of a full projection. If you don't have
this permission and request a full projection, you receive only a partial
projection.
3 This permission is only required if you want to include ACLs or IAM policies as part of the response.
4 This permission is only required when the inserted object has the same name as an object that already exists in the bucket.
5 This permission is required if you want to include ACLs, IAM policies, or changes to the public access prevention setting as part of the request.
6 This permission does not apply to buckets with uniform bucket-level access enabled.
ACL-related methods
The following table lists the IAM permissions required to run JSON methods that apply specifically to the management of ACLs. These methods only apply to buckets that have Uniform bucket-level access disabled.
| Resource | Method | Required IAM Permissions1 |
|---|---|---|
BucketAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
BucketAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
BucketAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
delete |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
get |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
insert |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
list |
storage.buckets.getstorage.buckets.getIamPolicy |
DefaultObjectAccessControls |
patch |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
DefaultObjectAccessControls |
update |
storage.buckets.getstorage.buckets.getIamPolicystorage.buckets.setIamPolicystorage.buckets.update |
ObjectAccessControls |
delete |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
get |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
insert |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
list |
storage.objects.getstorage.objects.getIamPolicy |
ObjectAccessControls |
patch |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
ObjectAccessControls |
update |
storage.objects.getstorage.objects.getIamPolicystorage.objects.setIamPolicystorage.objects.update |
1 If you use the userProject parameter or the
x-goog-user-project header in your request, you must have
serviceusage.services.use permission for the project ID that you specify,
in addition to the normal IAM permissions required to make the
request.
What's next
For a list of roles and the permissions they contain, see IAM Roles for Cloud Storage.
Assign IAM roles at the project and bucket level.