Cloud IAM permissions for JSON methods

The following table lists the Cloud Identity and Access Management (Cloud IAM) permissions required to run each Cloud Storage JSON method on a given resource.

| Resource | Method | Required Cloud IAM Permissions¹ |
| --- | --- | --- |
| BucketAccessControls | delete | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| BucketAccessControls | get | storage.buckets.get; storage.buckets.getIamPolicy |
| BucketAccessControls | insert | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| BucketAccessControls | list | storage.buckets.get; storage.buckets.getIamPolicy |
| BucketAccessControls | patch | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| BucketAccessControls | update | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| Buckets | delete | storage.buckets.delete |
| Buckets | get | storage.buckets.get; storage.buckets.getIamPolicy² |
| Buckets | getIamPolicy | storage.buckets.getIamPolicy |
| Buckets | insert | storage.buckets.create |
| Buckets | list | storage.buckets.list; storage.buckets.getIamPolicy² |
| Buckets | lockRetentionPolicy | storage.buckets.update |
| Buckets | patch | storage.buckets.update; storage.buckets.getIamPolicy³; storage.buckets.setIamPolicy⁵ |
| Buckets | setIamPolicy | storage.buckets.setIamPolicy |
| Buckets | testIamPermissions | None |
| Buckets | update | storage.buckets.setIamPolicy; storage.buckets.update |
| Channels | stop | None |
| DefaultObjectAccessControls | delete | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| DefaultObjectAccessControls | get | storage.buckets.get; storage.buckets.getIamPolicy |
| DefaultObjectAccessControls | insert | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| DefaultObjectAccessControls | list | storage.buckets.get; storage.buckets.getIamPolicy |
| DefaultObjectAccessControls | patch | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| DefaultObjectAccessControls | update | storage.buckets.get; storage.buckets.getIamPolicy; storage.buckets.setIamPolicy; storage.buckets.update |
| Notifications | delete | storage.buckets.update |
| Notifications | get | storage.buckets.get |
| Notifications | insert | storage.buckets.update |
| Notifications | list | storage.buckets.get |
| ObjectAccessControls | delete | storage.objects.get; storage.objects.getIamPolicy⁶; storage.objects.setIamPolicy⁶; storage.objects.update |
| ObjectAccessControls | get | storage.objects.get; storage.objects.getIamPolicy⁶ |
| ObjectAccessControls | insert | storage.objects.get; storage.objects.getIamPolicy⁶; storage.objects.setIamPolicy⁶; storage.objects.update |
| ObjectAccessControls | list | storage.objects.get; storage.objects.getIamPolicy⁶ |
| ObjectAccessControls | patch | storage.objects.get; storage.objects.getIamPolicy⁶; storage.objects.setIamPolicy⁶; storage.objects.update |
| ObjectAccessControls | update | storage.objects.get; storage.objects.getIamPolicy⁶; storage.objects.setIamPolicy⁶; storage.objects.update |
| Objects | compose | storage.objects.create; storage.objects.delete⁴; storage.objects.get |
| Objects | copy | storage.objects.create (for the destination bucket); storage.objects.delete (for the destination bucket)⁴; storage.objects.get (for the source bucket) |
| Objects | delete | storage.objects.delete |
| Objects | get | storage.objects.get; storage.objects.getIamPolicy²,⁶ |
| Objects | insert | storage.objects.create; storage.objects.delete⁴ |
| Objects | list | storage.objects.list; storage.objects.getIamPolicy²,⁶ |
| Objects | patch | storage.objects.get; storage.objects.getIamPolicy⁶; storage.objects.update; storage.objects.setIamPolicy³,⁶ |
| Objects | rewrite | storage.objects.create (for the destination bucket); storage.objects.delete (for the destination bucket)⁴; storage.objects.get (for the source bucket) |
| Objects | update | storage.objects.setIamPolicy⁶; storage.objects.update |
| Objects | watchAll | storage.buckets.update |
| Projects.serviceAccount | get | resourceManager.projects.get |

¹ If you use the userProject parameter or the x-goog-user-project header in your request, you must have serviceusage.services.use permission for the project ID that you specify, in addition to the normal Cloud IAM permissions required to make the request.

² This permission is only required if you want to include ACLs or Cloud IAM policies as part of a full projection. If you don't have this permission and request a full projection, you receive only a partial projection.

³ This permission is only required if you want to include ACLs or Cloud IAM policies as part of the response.

⁴ This permission is only required when the inserted object has the same name as an object that already exists in the bucket.

⁵ This permission is required if you want to include ACLs or Cloud IAM policies as part of the request.

⁶ This permission does not apply to buckets with Bucket Policy Only enabled.
