Cloud Storage IAM Roles

Standard roles

The following table describes Identity and Access Management (IAM) roles that are associated with Google Cloud Storage and lists bucket and object permissions that are contained in each role. Unless otherwise noted, the roles can be applied either to entire projects or specific buckets.

| Role | Description | Permissions |
| --- | --- | --- |
| roles/storage.objectCreator | Can create new objects. Does not grant permission to view, delete or overwrite objects. | storage.objects.create |
| roles/storage.objectViewer | Can view objects and their metadata, except for ACLs. Can also list the objects in a bucket. | storage.objects.get, storage.objects.list |
| roles/storage.objectAdmin | Full control over objects, including listing, creating, viewing, and deleting objects. Does not grant permission to read or edit bucket metadata. | storage.objects.* |
| roles/storage.admin | When applied to a project: full control over all buckets and objects in the project. When applied to a bucket: full control over the specified bucket and objects within it. | storage.buckets.*, storage.objects.* |
| Viewer | Can list buckets. Can also view bucket metadata, excluding ACLs, when listing. This role can only be applied to a project. | storage.buckets.list |
| Editor | Can create, list, and delete buckets. Can also view bucket metadata, excluding ACLs, when listing. This role can only be applied to a project. | storage.buckets.create, storage.buckets.delete, storage.buckets.list |
| Owner | Can create, list, and delete buckets. Can also view bucket metadata, excluding ACLs, when listing. This role can only be applied to a project. | storage.buckets.create, storage.buckets.delete, storage.buckets.list |

Legacy roles

The following table lists IAM roles that are equivalent to Access Control List (ACL) permissions. These IAM roles can only be applied to a bucket, not a project.

| Role | Description | Permissions |
| --- | --- | --- |
| roles/storage.legacyObjectReader | Can view objects and their metadata, excluding ACLs. | storage.objects.get |
| roles/storage.legacyObjectOwner | Has the storage.legacyObjectReader role. Can also view and edit the metadata of objects in the bucket, including ACLs, which are returned as IAM policies. | storage.objects.get, storage.objects.update, storage.objects.setIamPolicy, storage.objects.getIamPolicy |
| roles/storage.legacyBucketReader | Can list a bucket's contents and read bucket metadata, excluding IAM policies. Can also read object metadata, excluding IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information. | storage.buckets.get, storage.objects.list |
| roles/storage.legacyBucketWriter | Has the storage.legacyBucketReader role. Can also create, overwrite, and delete objects in a bucket. Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information. | storage.buckets.get, storage.objects.list, storage.objects.create, storage.objects.delete |
| roles/storage.legacyBucketOwner | Has the storage.legacyBucketWriter role. Can also read bucket IAM policies and edit bucket metadata, including IAM policies. Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information. | storage.buckets.get, storage.buckets.update, storage.buckets.setIamPolicy, storage.buckets.getIamPolicy, storage.objects.list, storage.objects.create, storage.objects.delete |

Custom roles

If none of the predefined roles matches the set of permissions a principal actually needs, IAM custom roles let you define your own role containing exactly the permissions you specify.
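The two tables above and the custom-role paragraph are, in practice, a lookup problem: given the permissions a workload needs, which grant is the narrowest? The following script is an added example, not code from this documentation or from Google; it encodes the role-to-permission mapping exactly as the tables list it, expands the `storage.objects.*` and `storage.buckets.*` wildcards against a permission universe constructed from the permissions named on this page (the real service defines more, so that universe is an assumption), and searches for the smallest combination of predefined roles, respecting that legacy roles are bucket-only. When no predefined combination is exact it emits a custom-role definition in the YAML shape accepted by `gcloud iam roles create --file`. The basic Viewer/Editor/Owner roles are left out because the page lists only their storage permissions.

```python
"""Pick the least-privilege Cloud Storage grant for a set of required permissions.

Role -> permission data is transcribed from the tables on this page.  The
wildcard universe and the scope rules are the only additions, and both are
labelled as assumptions below.
"""
from __future__ import annotations

import fnmatch
import itertools
from typing import Iterable

# Assumption: wildcard expansion universe built only from permissions this page
# names.  The real service has additional storage.* permissions.
KNOWN_PERMISSIONS = frozenset(
    f"storage.{resource}.{verb}"
    for resource in ("buckets", "objects")
    for verb in ("create", "delete", "get", "list", "update", "setIamPolicy", "getIamPolicy")
)

# Permissions per role, exactly as the tables above list them (wildcards kept).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/storage.objectCreator": frozenset({"storage.objects.create"}),
    "roles/storage.objectViewer": frozenset({"storage.objects.get", "storage.objects.list"}),
    "roles/storage.objectAdmin": frozenset({"storage.objects.*"}),
    "roles/storage.admin": frozenset({"storage.buckets.*", "storage.objects.*"}),
    "roles/storage.legacyObjectReader": frozenset({"storage.objects.get"}),
    "roles/storage.legacyObjectOwner": frozenset({
        "storage.objects.get", "storage.objects.update",
        "storage.objects.setIamPolicy", "storage.objects.getIamPolicy"}),
    "roles/storage.legacyBucketReader": frozenset({"storage.buckets.get", "storage.objects.list"}),
    "roles/storage.legacyBucketWriter": frozenset({
        "storage.buckets.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete"}),
    "roles/storage.legacyBucketOwner": frozenset({
        "storage.buckets.get", "storage.buckets.update",
        "storage.buckets.setIamPolicy", "storage.buckets.getIamPolicy",
        "storage.objects.list", "storage.objects.create", "storage.objects.delete"}),
}

# Where each role may be bound: legacy roles are bucket-only per the page,
# the standard roles may be applied to a project or a bucket.
ROLE_SCOPES: dict[str, frozenset[str]] = {
    role: frozenset({"bucket"}) if ".legacy" in role else frozenset({"project", "bucket"})
    for role in ROLE_PERMISSIONS
}


def expand(perms: Iterable[str]) -> frozenset[str]:
    """Replace wildcard entries with the concrete permissions they cover."""
    out: set[str] = set()
    for p in perms:
        out.update(fnmatch.filter(KNOWN_PERMISSIONS, p) if "*" in p else [p])
    return frozenset(out)


def effective_permissions(roles: Iterable[str]) -> frozenset[str]:
    """Union of the expanded permissions of every role in the grant."""
    return frozenset().union(*(expand(ROLE_PERMISSIONS[r]) for r in roles))


def least_privilege_grant(required: Iterable[str], scope: str = "project",
                          max_roles: int = 2) -> tuple[str, ...] | None:
    """Smallest combination of bindable roles covering `required`.

    Ranks candidates by (surplus permissions, number of roles) so a pair of
    narrow roles beats a single broad one.  Returns None if nothing covers it.
    """
    need = frozenset(required)
    bindable = [r for r in sorted(ROLE_PERMISSIONS) if scope in ROLE_SCOPES[r]]
    best: tuple[int, int, tuple[str, ...]] | None = None
    for k in range(1, max_roles + 1):
        for combo in itertools.combinations(bindable, k):
            granted = effective_permissions(combo)
            if need <= granted:
                key = (len(granted - need), k, combo)
                if best is None or key < best:
                    best = key
    return None if best is None else best[2]


def custom_role_yaml(title: str, permissions: Iterable[str], description: str = "") -> str:
    """Role definition in the YAML layout read by `gcloud iam roles create --file`."""
    lines = [f"title: {title}", f"description: {description}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(set(permissions))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A service that only uploads: the narrowest project-level grant is objectCreator.
    print(least_privilege_grant({"storage.objects.create"}))
    # Upload plus read at project level needs two roles (objectCreator + objectViewer,
    # with objects.list as surplus); at bucket level a legacy role makes it exact.
    print(least_privilege_grant({"storage.objects.get", "storage.objects.create"}))
    print(least_privilege_grant({"storage.objects.get", "storage.objects.create"}, scope="bucket"))
    # legacyBucketWriter can create and delete objects but, per the table, not read them.
    print("storage.objects.get" in effective_permissions(["roles/storage.legacyBucketWriter"]))
    print(custom_role_yaml("Object uploader and reader",
                           {"storage.objects.create", "storage.objects.get"}), end="")
```

Two details the tables state but readers often miss fall straight out of the search: `roles/storage.legacyBucketWriter` grants object creation and deletion without `storage.objects.get`, and a principal that needs both `get` and `create` has no exact single standard role, so the choice is between two narrow roles and the much broader `objectAdmin`.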
