Send feedback
IAM permissions for Cloud Storage
bookmark_border bookmark
Stay organized with collections
Save and categorize content based on your preferences.
The following tables list the Identity and Access Management (IAM)
permissions that are associated with Cloud Storage. IAM
permissions are grouped into roles , and you
assign roles to users and groups .
Bucket permissions
Bucket permission name
Description
storage.buckets.createCreate new buckets in a project.
storage.buckets.createTagBindingCreate a new tag binding to a bucket.
storage.buckets.deleteDelete buckets.
storage.buckets.deleteTagBindingDelete the tag binding on a bucket.
storage.buckets.enableObjectRetentionEnable object retention configurations on a bucket.
storage.buckets.exemptFromIpFilterExempts the user or service account from IP filtering rules for bucket-level operations.
storage.buckets.getRead bucket metadata, including listing or reading the Pub/Sub notification configurations on a bucket. This permission alone does not allow you to read IAM policies or IP filtering rules.
storage.buckets.getIamPolicyRead bucket IAM policies.
storage.buckets.getIpFilterLists or reads the IP filtering rules on a bucket.
storage.buckets.getObjectInsightsRead object metadata in inventory reports .
storage.buckets.listList buckets in a project including read bucket metadata. This permission alone does not allow you to list IAM policies or IP filtering rules.
storage.buckets.listEffectiveTagsList all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project.
storage.buckets.listTagBindingsList tags directly attached to a bucket.
storage.buckets.relocateRelocate buckets between geographic locations.
storage.buckets.restoreBulk restore objects that have been soft-deleted .
storage.buckets.setIamPolicyUpdate bucket IAM policies.
storage.buckets.setIpFilterSet IP filtering rules on a bucket.
storage.buckets.updateUpdate bucket metadata including adding or removing a Pub/Sub notification configuration on a bucket and reading bucket metadata when updating. This permission alone does not allow you to update IAM policies, IP filtering rules or read the IAM policies on a bucket during the update.
Folder permissions
Folder permission name
Description
storage.folders.createCreate a folder.
storage.folders.deleteDelete a folder.
storage.folders.getRead the metadata of a folder.
storage.folders.listList folders.
storage.folders.renameRename a folder.
Note: In order to rename folders, storage.folders.rename is required
on the source bucket and storage.folders.create is required on the destination
bucket. Managed folder permissions
Managed folder permission name
Description
storage.managedFolders.createCreate a managed folder.
storage.managedFolders.deleteDelete a managed folder.
storage.managedFolders.getRead a managed folder.
storage.managedFolders.getIamPolicyRead managed folder IAM policies.
storage.managedFolders.listList the managed folders in a bucket or folder.
storage.managedFolders.setIamPolicyUpdate managed folder IAM policies.
Storage Intelligence permissions
Storage Intelligence permission name
Description
storage.intelligenceConfigs.updateConfigure Storage Intelligence on a project, a folder, or an organization.
storage.intelligenceConfigs.getReads the Storage Intelligence configuration on a project, a folder, or an organization.
Object permissions
Note: The storage.objects.getIamPolicy and storage.objects.setIamPolicy
permissions don't apply to buckets with uniform bucket-level access enabled.
Object permission name
Description
storage.objects.createAdd new objects to a bucket.
storage.objects.deleteDelete objects.
storage.objects.getRead object data and metadata, excluding ACLs.
storage.objects.getIamPolicyRead object ACLs, returned as IAM policies.
storage.objects.listList objects in a bucket. Also read object metadata, excluding ACLs, when listing.
storage.objects.moveMove an object within a bucket with hierarchical namespace enabled.
storage.objects.overrideUnlockedRetentionUse the x-goog-bypass-governance-retention header or the overrideUnlockedRetention query parameter when working with object retention configurations .
storage.objects.restoreRestore objects that have been soft-deleted .
storage.objects.setIamPolicyUpdate object ACLs.
storage.objects.setRetentionAdd or update retentions for objects.
storage.objects.updateUpdate object metadata, excluding ACLs. Also read object metadata, excluding ACLs, when updating.
Note: In order to replace existing objects, both storage.objects.create
and storage.objects.delete permissions are required. Long-running operations permissions
Long-running operation permission name
Description
storage.bucketOperations.cancelCancel a long-running operation.
storage.bucketOperations.getGet a long-running operation.
storage.bucketOperations.listList long-running operations.
HMAC key permissions
Note: HMAC key permissions apply at the project level only.
HMAC key permission name
Description
storage.hmacKeys.createCreate new HMAC keys for service accounts in a project.
storage.hmacKeys.deleteDelete existing HMAC keys.
storage.hmacKeys.getRead HMAC key metadata.
storage.hmacKeys.listList the metadata of HMAC keys in a project.
storage.hmacKeys.updateUpdate HMAC key status.
Multipart upload permissions
Multipart upload permission name
Description
storage.multipartUploads.createUpload objects in multiple parts.
storage.multipartUploads.abortAbort multipart upload sessions.
storage.multipartUploads.listPartsList the uploaded object parts in a multipart upload session.
storage.multipartUploads.listList the multipart upload sessions in a bucket.
Note: In order to create or upload parts, you must have both the
storage.objects.create and storage.multipartUploads.create permissions. Storage Insights inventory report permissions
Inventory report permission name
Description
storageinsights.reportConfigs.createCreate inventory report configurations.
storageinsights.reportConfigs.deleteDelete inventory report configurations.
storageinsights.reportConfigs.getRetrieve inventory report configurations.
storageinsights.reportConfigs.listList inventory report configurations.
storageinsights.reportConfigs.updateModify inventory report configurations.
storageinsights.reportDetails.getRetrieve inventory reports.
storageinsights.reportDetails.listList inventory reports.
Dataset permission name
Description
storageinsights.datasetConfigs.createCreate dataset configurations.
storageinsights.datasetConfigs.deleteDelete dataset configurations.
storageinsights.datasetConfigs.linkDatasetCreate linked datasets in BigQuery that contain the output of Storage Insights datasets.
storageinsights.datasetConfigs.unlinkDatasetRemove linked datasets from BigQuery that contain the output of Storage Insights datasets.
storageinsights.datasetConfigs.updateModify dataset configurations.
storageinsights.datasetConfigs.getGet dataset configurations.
storageinsights.datasetConfigs.listList dataset configurations.
What's next
Send feedback
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-03-21 UTC.
Need to tell us more?
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-21 UTC."],[],[]]
