Cloud Storage IAM Permissions

The following tables list the Identity and Access Management (IAM) permissions that are associated with Google Cloud Storage.

Bucket permissions

| Bucket permission name | Description |
| --- | --- |
| storage.buckets.create | Create new buckets in a project. |
| storage.buckets.delete | Delete buckets. |
| storage.buckets.get | Read bucket metadata, excluding IAM policies. |
| storage.buckets.getIamPolicy | Read bucket IAM policies. |
| storage.buckets.list | List buckets in a project. Also read bucket metadata, excluding IAM policies, when listing. |
| storage.buckets.setIamPolicy | Update bucket IAM policies. |
| storage.buckets.update | Update bucket metadata, excluding IAM policies. |

Object permissions

| Object permission name | Description |
| --- | --- |
| storage.objects.create | Add new objects to a bucket. |
| storage.objects.delete | Delete objects. |
| storage.objects.get | Read object data and metadata, excluding ACLs. |
| storage.objects.getIamPolicy | Read object ACLs, returned as IAM policies. |
| storage.objects.list | List objects in a bucket. Also read object metadata, excluding ACLs, when listing. |
| storage.objects.setIamPolicy | Update object ACLs. |
| storage.objects.update | Update object metadata, excluding ACLs. |

For a reference of which IAM permissions are contained in each IAM role, see Cloud Storage IAM Roles.

For references of which IAM permissions allow users to perform actions with different Cloud Storage tools, see IAM with the Cloud Console, IAM with gsutil, IAM with JSON, and IAM with XML.
