IAM permissions for Cloud Storage

The following tables list the Identity and Access Management (IAM) permissions that are associated with Cloud Storage. IAM permissions are grouped into roles, and you assign roles to users and groups.

Bucket permissions

Bucket permission name	Description
storage.buckets.create	Create new buckets in a project.
storage.buckets.delete	Delete buckets.
storage.buckets.get	Read bucket metadata, excluding IAM policies.
storage.buckets.getIamPolicy	Read bucket IAM policies.
storage.buckets.list	List buckets in a project. Also read bucket metadata, excluding IAM policies, when listing.
storage.buckets.setIamPolicy	Update bucket IAM policies.
storage.buckets.update	Update bucket metadata, excluding IAM policies.

Object permissions

Object permission name	Description
storage.objects.create	Add new objects to a bucket.
storage.objects.delete	Delete objects.
storage.objects.get	Read object data and metadata, excluding ACLs.
storage.objects.getIamPolicy	Read object ACLs, returned as IAM policies.
storage.objects.list	List objects in a bucket. Also read object metadata, excluding ACLs, when listing.
storage.objects.setIamPolicy	Update object ACLs.
storage.objects.update	Update object metadata, excluding ACLs.

HMAC key permissions

HMAC key permission name	Description
storage.hmacKeys.create	Create new HMAC keys for service accounts in a project.
storage.hmacKeys.delete	Delete existing HMAC keys.
storage.hmacKeys.get	Read HMAC key metadata.
storage.hmacKeys.list	List the metadata of HMAC keys in a project.
storage.hmacKeys.update	Update HMAC key status.

What's next

• Use IAM permissions to control access to buckets and objects.

• Learn about which IAM permissions are contained in each Cloud Storage IAM role.

• Learn about which IAM permissions allow users to perform actions with the Cloud Console, with gsutil, with the JSON API, and with the XML API.

• For a list of other Google Cloud permissions, see Support Level for Permissions in Custom Roles.