IAM permissions for Cloud Storage

The following tables list the Identity and Access Management (IAM) permissions that are associated with Cloud Storage. IAM permissions are grouped into roles, and you assign roles to users and groups.

Bucket permissions

| Bucket permission name | Description |
|---|---|
| storage.buckets.create | Create new buckets in a project. |
| storage.buckets.createTagBinding | Create a new tag binding to a bucket. |
| storage.buckets.delete | Delete buckets. |
| storage.buckets.deleteTagBinding | Delete the tag binding on a bucket. |
| storage.buckets.enableObjectRetention | Enable object retention configurations on a bucket. |
| storage.buckets.get | Read bucket metadata, excluding IAM policies, and list or read the Pub/Sub notification configurations on a bucket. |
| storage.buckets.getIamPolicy | Read bucket IAM policies. |
| storage.buckets.getObjectInsights | Read object metadata in inventory reports. |
| storage.buckets.list | List buckets in a project. Also read bucket metadata, excluding IAM policies, when listing. |
| storage.buckets.listEffectiveTags | List all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project. |
| storage.buckets.listTagBindings | List tags directly attached to a bucket. |
| storage.buckets.setIamPolicy | Update bucket IAM policies. |
| storage.buckets.update | Update bucket metadata, excluding IAM policies, and add or remove a Pub/Sub notification configuration on a bucket. Also read bucket metadata, excluding IAM policies, when updating. |

Managed folder permissions

| Managed folder permission name | Description |
|---|---|
| storage.managedFolders.create | Create a managed folder. |
| storage.managedFolders.delete | Delete a managed folder. |
| storage.managedFolders.get | Read a managed folder. |
| storage.managedFolders.getIamPolicy | Read managed folder IAM policies. |
| storage.managedFolders.list | List the managed folders in a bucket or folder. |
| storage.managedFolders.setIamPolicy | Update managed folder IAM policies. |

Object permissions

| Object permission name | Description |
|---|---|
| storage.objects.create | Add new objects to a bucket. |
| storage.objects.delete | Delete objects. |
| storage.objects.get | Read object data and metadata, excluding ACLs. |
| storage.objects.getIamPolicy | Read object ACLs, returned as IAM policies. |
| storage.objects.list | List objects in a bucket. Also read object metadata, excluding ACLs, when listing. |
| storage.objects.overrideUnlockedRetention | Use the x-goog-bypass-governance-retention header or the overrideUnlockedRetention query parameter when working with object retention configurations. |
| storage.objects.setIamPolicy | Update object ACLs. |
| storage.objects.setRetention | Add or update retentions for objects. |
| storage.objects.update | Update object metadata, excluding ACLs. Also read object metadata, excluding ACLs, when updating. |

HMAC key permissions

| HMAC key permission name | Description |
|---|---|
| storage.hmacKeys.create | Create new HMAC keys for service accounts in a project. |
| storage.hmacKeys.delete | Delete existing HMAC keys. |
| storage.hmacKeys.get | Read HMAC key metadata. |
| storage.hmacKeys.list | List the metadata of HMAC keys in a project. |
| storage.hmacKeys.update | Update HMAC key status. |

Multipart upload permissions

| Multipart upload permission name | Description |
|---|---|
| storage.multipartUploads.create | Upload objects in multiple parts. |
| storage.multipartUploads.abort | Abort multipart upload sessions. |
| storage.multipartUploads.listParts | List the uploaded object parts in a multipart upload session. |
| storage.multipartUploads.list | List the multipart upload sessions in a bucket. |

Storage Insights inventory report permissions

| Inventory report permission name | Description |
|---|---|
| storageinsights.reportConfigs.create | Create inventory report configurations. |
| storageinsights.reportConfigs.delete | Delete inventory report configurations. |
| storageinsights.reportConfigs.get | Retrieve inventory report configurations. |
| storageinsights.reportConfigs.list | List inventory report configurations. |
| storageinsights.reportConfigs.update | Modify inventory report configurations. |
| storageinsights.reportDetails.get | Retrieve inventory reports. |
| storageinsights.reportDetails.list | List inventory reports. |