IAM permissions for Cloud Storage

The following tables list the Identity and Access Management (IAM) permissions that are associated with Cloud Storage. IAM permissions are grouped into roles, and you assign roles to users and groups.

Bucket permissions

| Bucket permission name | Description |
| --- | --- |
| storage.buckets.create | Create new buckets in a project. |
| storage.buckets.createTagBinding | Create a new tag binding on a bucket. |
| storage.buckets.delete | Delete buckets. |
| storage.buckets.deleteTagBinding | Delete the tag binding on a bucket. |
| storage.buckets.enableObjectRetention | Enable object retention configurations on a bucket. |
| storage.buckets.exemptFromIpFilter | Exempt the user or service account from IP filtering rules for bucket-level operations. |
| storage.buckets.get | Read bucket metadata, including listing or reading the Pub/Sub notification configurations on a bucket. This permission alone does not allow you to read IAM policies or IP filtering rules. |
| storage.buckets.getIamPolicy | Read bucket IAM policies. |
| storage.buckets.getIpFilter | List or read the IP filtering rules on a bucket. |
| storage.buckets.getObjectInsights | Read object metadata in inventory reports. |
| storage.buckets.list | List buckets in a project, including reading bucket metadata. This permission alone does not allow you to list IAM policies or IP filtering rules. |
| storage.buckets.listEffectiveTags | List all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project. |
| storage.buckets.listTagBindings | List tags directly attached to a bucket. |
| storage.buckets.restore | Bulk restore objects that have been soft-deleted. |
| storage.buckets.setIamPolicy | Update bucket IAM policies. |
| storage.buckets.setIpFilter | Set IP filtering rules on a bucket. |
| storage.buckets.update | Update bucket metadata, including adding or removing a Pub/Sub notification configuration on a bucket and reading bucket metadata during the update. This permission alone does not allow you to update IAM policies or IP filtering rules, or to read the IAM policies on a bucket during the update. |

Folder permissions

| Folder permission name | Description |
| --- | --- |
| storage.folders.create | Create a folder. |
| storage.folders.delete | Delete a folder. |
| storage.folders.get | Read the metadata of a folder. |
| storage.folders.list | List folders. |
| storage.folders.rename | Rename a folder. |

Managed folder permissions

| Managed folder permission name | Description |
| --- | --- |
| storage.managedFolders.create | Create a managed folder. |
| storage.managedFolders.delete | Delete a managed folder. |
| storage.managedFolders.get | Read a managed folder. |
| storage.managedFolders.getIamPolicy | Read managed folder IAM policies. |
| storage.managedFolders.list | List the managed folders in a bucket or folder. |
| storage.managedFolders.setIamPolicy | Update managed folder IAM policies. |

Object permissions

| Object permission name | Description |
| --- | --- |
| storage.objects.create | Add new objects to a bucket. |
| storage.objects.delete | Delete objects. |
| storage.objects.get | Read object data and metadata, excluding ACLs. |
| storage.objects.getIamPolicy | Read object ACLs, returned as IAM policies. |
| storage.objects.list | List objects in a bucket. Also read object metadata, excluding ACLs, when listing. |
| storage.objects.overrideUnlockedRetention | Use the x-goog-bypass-governance-retention header or the overrideUnlockedRetention query parameter when working with object retention configurations. |
| storage.objects.restore | Restore objects that have been soft-deleted. |
| storage.objects.setIamPolicy | Update object ACLs. |
| storage.objects.setRetention | Add or update retentions for objects. |
| storage.objects.update | Update object metadata, excluding ACLs. Also read object metadata, excluding ACLs, when updating. |

Long-running operations permissions

| Long-running operation permission name | Description |
| --- | --- |
| storage.bucketOperations.cancel | Cancel a long-running operation. |
| storage.bucketOperations.get | Get a long-running operation. |
| storage.bucketOperations.list | List long-running operations. |

HMAC key permissions

| HMAC key permission name | Description |
| --- | --- |
| storage.hmacKeys.create | Create new HMAC keys for service accounts in a project. |
| storage.hmacKeys.delete | Delete existing HMAC keys. |
| storage.hmacKeys.get | Read HMAC key metadata. |
| storage.hmacKeys.list | List the metadata of HMAC keys in a project. |
| storage.hmacKeys.update | Update HMAC key status. |

Multipart upload permissions

| Multipart upload permission name | Description |
| --- | --- |
| storage.multipartUploads.create | Upload objects in multiple parts. |
| storage.multipartUploads.abort | Abort multipart upload sessions. |
| storage.multipartUploads.listParts | List the uploaded object parts in a multipart upload session. |
| storage.multipartUploads.list | List the multipart upload sessions in a bucket. |

Storage Insights inventory report permissions

| Inventory report permission name | Description |
| --- | --- |
| storageinsights.reportConfigs.create | Create inventory report configurations. |
| storageinsights.reportConfigs.delete | Delete inventory report configurations. |
| storageinsights.reportConfigs.get | Retrieve inventory report configurations. |
| storageinsights.reportConfigs.list | List inventory report configurations. |
| storageinsights.reportConfigs.update | Modify inventory report configurations. |
| storageinsights.reportDetails.get | Retrieve inventory reports. |
| storageinsights.reportDetails.list | List inventory reports. |
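Because a role is only as safe as the most powerful permission it contains, it is worth checking custom roles against the tables above. The following script is an added example, not code from the Cloud Storage documentation: it groups a custom role's permissions into impact tiers drawn from the tables (IAM policy changes, control bypass, destruction, policy reads) and reports every flagged permission. The input shape (a role JSON object with "name" and "includedPermissions") and the sample role are assumptions for the example.

```python
# Added example (not from the Cloud Storage documentation): audit a custom IAM role's
# includedPermissions against the permission tables above and flag the high-impact
# tiers. The input JSON shape ("name" plus "includedPermissions") is assumed.
import json

# Impact tiers built from the tables above; ordered from most to least severe.
TIERS = {
    # Change who can access data.
    "iam_admin": {"storage.buckets.setIamPolicy", "storage.managedFolders.setIamPolicy",
                  "storage.objects.setIamPolicy"},
    # Bypass or reconfigure a control, or mint HMAC credentials for a service account.
    "control_bypass": {"storage.buckets.exemptFromIpFilter", "storage.buckets.setIpFilter",
                       "storage.objects.overrideUnlockedRetention", "storage.hmacKeys.create"},
    # Destroy objects, folders or buckets.
    "destructive": {"storage.buckets.delete", "storage.folders.delete",
                    "storage.managedFolders.delete", "storage.objects.delete"},
    # storage.buckets.get alone does not reveal the IAM policy; these do.
    "policy_read": {"storage.buckets.getIamPolicy", "storage.managedFolders.getIamPolicy",
                    "storage.objects.getIamPolicy"},
}
FLAGGED = ("iam_admin", "control_bypass", "destructive")

def classify(permissions):
    """Group permissions by tier; anything not in a tier lands in 'other'."""
    grouped = {tier: [] for tier in TIERS}
    grouped["other"] = []
    for perm in sorted(set(permissions)):
        tier = next((t for t, names in TIERS.items() if perm in names), "other")
        grouped[tier].append(perm)
    return grouped

def audit_role(role_json):
    """Return the grouped permissions and one finding per flagged permission."""
    role = json.loads(role_json)
    grouped = classify(role.get("includedPermissions", []))
    findings = [f"{role['name']}: {perm} is {tier}"
                for tier in FLAGGED for perm in grouped[tier]]
    return {"grouped": grouped, "findings": findings}

# Constructed sample: a "reader" role that has quietly grown two high-impact permissions.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/bucketReader",
    "includedPermissions": ["storage.buckets.get", "storage.buckets.list",
                            "storage.objects.get", "storage.objects.list",
                            "storage.buckets.setIamPolicy", "storage.hmacKeys.create"],
})

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE)["findings"]:
        print(finding)
```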
