Cloud IAM permissions for Cloud Storage

The following tables list the Cloud Identity and Access Management (Cloud IAM) permissions that are associated with Cloud Storage.

Bucket permissions

Bucket permission name          Description
------------------------------  -----------------------------------------------------------------------------------------------
storage.buckets.create          Create new buckets in a project.
storage.buckets.delete          Delete buckets.
storage.buckets.get             Read bucket metadata, excluding Cloud IAM policies.
storage.buckets.getIamPolicy    Read bucket Cloud IAM policies.
storage.buckets.list            List buckets in a project. Also read bucket metadata, excluding Cloud IAM policies, when listing.
storage.buckets.setIamPolicy    Update bucket Cloud IAM policies.
storage.buckets.update          Update bucket metadata, excluding Cloud IAM policies.

Object permissions

Object permission name          Description
------------------------------  -----------------------------------------------------------------------------------------------
storage.objects.create          Add new objects to a bucket.
storage.objects.delete          Delete objects.
storage.objects.get             Read object data and metadata, excluding ACLs.
storage.objects.getIamPolicy    Read object ACLs, returned as Cloud IAM policies.
storage.objects.list            List objects in a bucket. Also read object metadata, excluding ACLs, when listing.
storage.objects.setIamPolicy    Update object ACLs.
storage.objects.update          Update object metadata, excluding ACLs.

HMAC key permissions

HMAC key permission name        Description
------------------------------  -----------------------------------------------------------------------------------------------
storage.hmacKeys.create         Create new HMAC keys for service accounts in a project.
storage.hmacKeys.delete         Delete existing HMAC keys.
storage.hmacKeys.get            Read HMAC key metadata.
storage.hmacKeys.list           List the metadata of HMAC keys in a project.
storage.hmacKeys.update         Update HMAC key status.
