The following tables list the Identity and Access Management (IAM) permissions that are associated with Cloud Storage. IAM permissions are grouped into roles, and you assign roles to users and groups.
Bucket permissions
Bucket permission name | Description |
---|---|
storage.buckets.create | Create new buckets in a project. |
storage.buckets.createTagBinding | Create a new tag binding to a bucket. |
storage.buckets.delete | Delete buckets. |
storage.buckets.deleteTagBinding | Delete the tag binding on a bucket. |
storage.buckets.get | Read bucket metadata, excluding IAM policies, and list or read the Pub/Sub notification configurations on a bucket. |
storage.buckets.getIamPolicy | Read bucket IAM policies. |
storage.buckets.getObjectInsights | Read object metadata in inventory reports. |
storage.buckets.list | List buckets in a project. Also read bucket metadata, excluding IAM policies, when listing. |
storage.buckets.listEffectiveTags | List all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project. |
storage.buckets.listTagBindings | List tags directly attached to a bucket. |
storage.buckets.setIamPolicy | Update bucket IAM policies. |
storage.buckets.update | Update bucket metadata, excluding IAM policies, and add or remove a Pub/Sub notification configuration on a bucket. |
Object permissions
Object permission name | Description |
---|---|
storage.objects.create | Add new objects to a bucket. |
storage.objects.delete | Delete objects. |
storage.objects.get | Read object data and metadata, excluding ACLs. |
storage.objects.getIamPolicy | Read object ACLs, returned as IAM policies. |
storage.objects.list | List objects in a bucket. Also read object metadata, excluding ACLs, when listing. |
storage.objects.setIamPolicy | Update object ACLs. |
storage.objects.update | Update object metadata, excluding ACLs. |
HMAC key permissions
HMAC key permission name | Description |
---|---|
storage.hmacKeys.create | Create new HMAC keys for service accounts in a project. |
storage.hmacKeys.delete | Delete existing HMAC keys. |
storage.hmacKeys.get | Read HMAC key metadata. |
storage.hmacKeys.list | List the metadata of HMAC keys in a project. |
storage.hmacKeys.update | Update HMAC key status. |
Multipart upload permissions
Multipart upload permission name | Description |
---|---|
storage.multipartUploads.create | Upload objects in multiple parts. |
storage.multipartUploads.abort | Abort multipart upload sessions. |
storage.multipartUploads.listParts | List the uploaded object parts in a multipart upload session. |
storage.multipartUploads.list | List the multipart upload sessions in a bucket. |
Storage Insights inventory report permissions
Inventory report permission name | Description |
---|---|
storageinsights.reportConfigs.create | Create inventory report configurations. |
storageinsights.reportConfigs.delete | Delete inventory report configurations. |
storageinsights.reportConfigs.get | Retrieve inventory report configurations. |
storageinsights.reportConfigs.list | List inventory report configurations. |
storageinsights.reportConfigs.update | Modify inventory report configurations. |
storageinsights.reportDetails.get | Retrieve inventory reports. |
storageinsights.reportDetails.list | List inventory reports. |
What's next
Learn about which IAM permissions are contained in each Cloud Storage IAM role.
Assign IAM roles at the project and bucket level.
Learn about which IAM permissions allow users to perform actions with the Cloud console, with gsutil, with the JSON API, and with the XML API.
For a list of other Google Cloud permissions, see Support Level for Permissions in Custom Roles.