IAM permissions for JSON methods

The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage JSON method on a given resource. IAM permissions are bundled together to make roles. You grant roles to users and groups.

For additional methods that only apply to buckets with Uniform bucket-level access disabled, see the ACL methods table.

Resource Method Required IAM Permissions1
Buckets delete storage.buckets.delete
Buckets get storage.buckets.get
storage.buckets.getIamPolicy2
Buckets getIamPolicy storage.buckets.getIamPolicy
Buckets insert storage.buckets.create
storage.buckets.enableObjectRetention3
Buckets list storage.buckets.list
storage.buckets.getIamPolicy2
Buckets listChannels storage.buckets.get
Buckets lockRetentionPolicy storage.buckets.update
Buckets patch storage.buckets.update
storage.buckets.getIamPolicy4
storage.buckets.setIamPolicy5
Buckets setIamPolicy storage.buckets.setIamPolicy
Buckets testIamPermissions None
Buckets update storage.buckets.update
storage.buckets.getIamPolicy4
storage.buckets.setIamPolicy5
Channels stop None
ManagedFolders delete storage.managedfolders.delete
storage.managedfolders.setIamPolicy10
ManagedFolders get storage.managedfolders.get
ManagedFolders getIamPolicy storage.managedfolders.getIamPolicy
ManagedFolders insert storage.managedfolders.create
ManagedFolders list storage.managedfolders.list
ManagedFolders update storage.managedfolders.update
ManagedFolders setIamPolicy storage.managedfolders.setIamPolicy
Notifications delete storage.buckets.update
Notifications get storage.buckets.get
Notifications insert storage.buckets.update
Notifications list storage.buckets.get
Objects compose storage.objects.get
storage.objects.create
storage.objects.delete7
storage.objects.setRetention8
Objects copy storage.objects.get (for the source bucket)
storage.objects.create (for the destination bucket)
storage.objects.delete (for the destination bucket)7
storage.objects.setRetention (for the destination bucket)8
Objects delete storage.objects.delete
Objects get storage.objects.get
storage.objects.getIamPolicy2,6
Objects insert storage.objects.create
storage.objects.delete7
storage.objects.setRetention8
Objects list storage.objects.list
storage.objects.getIamPolicy2,6
Objects patch storage.objects.update
storage.objects.setRetention8
storage.objects.overrideUnlockedRetention9
storage.objects.getIamPolicy4,6
storage.objects.setIamPolicy5,6
Objects rewrite storage.objects.get (for the source bucket)
storage.objects.create (for the destination bucket)
storage.objects.delete (for the destination bucket)7
storage.objects.setRetention (for the destination bucket)8
Objects update storage.objects.update
storage.objects.setRetention8
storage.objects.overrideUnlockedRetention9
storage.objects.getIamPolicy4,6
storage.objects.setIamPolicy5,6
Objects watchAll storage.buckets.update
Projects.hmacKeys create storage.hmacKeys.create
Projects.hmacKeys delete storage.hmacKeys.delete
Projects.hmacKeys get storage.hmacKeys.get
Projects.hmacKeys list storage.hmacKeys.list
Projects.hmacKeys update storage.hmacKeys.update
Projects.serviceAccount get resourceManager.projects.get
ReportConfigs delete storageinsights.reportConfigs.delete
ReportConfigs get storageinsights.reportConfigs.get
ReportConfigs list storageinsights.reportConfigs.list
ReportConfigs insert storageinsights.reportConfigs.create
ReportConfigs update storageinsights.reportConfigs.update
ReportDetails get storageinsights.reportDetails.get
ReportDetails list storageinsights.reportDetails.list

1 If you use the userProject parameter or the x-goog-user-project header in your request, you must have serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.

2 This permission is only required if you want to include ACLs or IAM policies as part of a full projection. If you don't have this permission and request a full projection, you receive only a partial projection.

3 This permission is only required when the request includes the enableObjectRetention query parameter.

4 This permission is only required if you want to include ACLs as part of the response.

5 This permission is required if you want to include ACLs or changes to the public access prevention setting as part of the request.

6 This permission does not apply to buckets with uniform bucket-level access enabled.

7 This permission is only required when the inserted object has the same name as an object that already exists in the bucket.

8 This permission is required when the request body includes the retention property or when making an UPDATE request for an object that has an existing retention configuration.

9 This permission is only required when the request includes the query parameter overrideUnlockedRetention=true.

10 This permission is only required when the request includes the query parameter allowNonEmpty=true.

ACL-related methods

The following table lists the IAM permissions required to run JSON methods that apply specifically to the management of ACLs. These methods only apply to buckets that have Uniform bucket-level access disabled.

Resource Method Required IAM Permissions1
BucketAccessControls delete storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
BucketAccessControls get storage.buckets.get
storage.buckets.getIamPolicy
BucketAccessControls insert storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
BucketAccessControls list storage.buckets.get
storage.buckets.getIamPolicy
BucketAccessControls patch storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
BucketAccessControls update storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls delete storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls get storage.buckets.get
storage.buckets.getIamPolicy
DefaultObjectAccessControls insert storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls list storage.buckets.get
storage.buckets.getIamPolicy
DefaultObjectAccessControls patch storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
DefaultObjectAccessControls update storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
ObjectAccessControls delete storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
ObjectAccessControls get storage.objects.get
storage.objects.getIamPolicy
ObjectAccessControls insert storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
ObjectAccessControls list storage.objects.get
storage.objects.getIamPolicy
ObjectAccessControls patch storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update
ObjectAccessControls update storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update

1 If you use the userProject parameter or the x-goog-user-project header in your request, you must have serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.

What's next