Cloud IAM roles for Cloud Storage

Predefined roles

The following table describes Cloud Identity and Access Management (Cloud IAM) roles that are associated with Cloud Storage and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific buckets.

Storage Object Creator (roles/storage.objectCreator)
  Description: Allows users to create objects. Does not give permission to view, delete, or overwrite objects.
  Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.create

Storage Object Viewer (roles/storage.objectViewer)
  Description: Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
  Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.get, storage.objects.list

Storage Object Admin (roles/storage.objectAdmin)
  Description: Grants full control over objects, including listing, creating, viewing, and deleting objects.
  Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.*

Storage HMAC Key Admin (roles/storage.hmacKeyAdmin)
  Description: Full control over HMAC keys in a project. This role can only be applied to a project.
  Permissions: storage.hmacKeys.*

Storage Admin (roles/storage.admin)
  Description: Grants full control of buckets and objects. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
  Permissions: firebase.projects.get, resourcemanager.projects.get, resourcemanager.projects.list, storage.buckets.*, storage.objects.*

Primitive roles

Primitive roles are roles that existed prior to Cloud IAM. These roles have unique characteristics:

  • Primitive roles can only be granted for an entire project, not for individual buckets within the project. Like other roles that you grant for a project, primitive roles apply to all buckets and objects in the project.

  • Primitive roles contain additional permissions for other Google Cloud services that are not covered in this section. See primitive roles for a general discussion of the permissions that primitive roles grant.

  • In some cases, primitive roles can be used as if they were groups, which causes any member that has the primitive role to get additional access for some resources.

    • A primitive role can be used as if it were a group when granting roles for buckets.

    • A primitive role can be used as if it were a group when setting ACLs on objects.

    For a discussion of additional access that members of primitive roles typically gain due to this behavior, see modifiable behavior.

Intrinsic permissions

The following table describes the Cloud Storage permissions that are always associated with each primitive role.

Viewer (roles/viewer)
  Description: Grants permission to list buckets in the project; view bucket metadata when listing (excluding ACLs); and list and get HMAC keys in the project.
  Cloud Storage Permissions: storage.buckets.list, storage.hmacKeys.get, storage.hmacKeys.list

Editor (roles/editor)
  Description: Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); and control HMAC keys in the project.
  Cloud Storage Permissions: storage.buckets.create, storage.buckets.delete, storage.buckets.list, storage.hmacKeys.*

Owner (roles/owner)
  Description: Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); and control HMAC keys in the project. Within Google Cloud more generally, members with this role can perform administrative tasks such as changing members' roles for the project or changing billing.
  Cloud Storage Permissions: storage.buckets.create, storage.buckets.delete, storage.buckets.list, storage.hmacKeys.*

Modifiable behavior

Members granted a primitive role often have additional access beyond the intrinsic permissions associated with the primitive role. This is because primitive roles can themselves be given access to buckets and objects. The following table describes the additional Cloud Storage access typically associated with each primitive role. You can modify or remove this additional access.

Role Additional access gained by members who have the role
Viewer (roles/viewer)
  • Granted the roles/storage.legacyBucketReader role for each bucket in the project.
  • Granted READER permission in the default object Access Control List for each bucket in the project.
  • Granted the roles/storage.legacyObjectReader role for any bucket in the project created with uniform bucket-level access enabled.
Editor (roles/editor)
  • Granted the roles/storage.legacyBucketOwner role for each bucket in the project.
  • Granted OWNER permission in the default object Access Control List for each bucket in the project.
  • Granted the roles/storage.legacyObjectOwner role for any bucket in the project created with uniform bucket-level access enabled.
Owner (roles/owner)
  • Granted the roles/storage.legacyBucketOwner role for each bucket in the project.
  • Granted OWNER permission in the default object Access Control List for each bucket in the project.
  • Granted the roles/storage.legacyObjectOwner role for any bucket in the project created with uniform bucket-level access enabled.

Predefined legacy roles

The following table lists Cloud IAM roles that are equivalent to Access Control List (ACL) permissions. You can grant legacy roles only for individual buckets, not for projects.

Storage Legacy Object Reader (roles/storage.legacyObjectReader)
  Description: Grants permission to view objects and their metadata, excluding ACLs.
  Permissions: storage.objects.get

Storage Legacy Object Owner (roles/storage.legacyObjectOwner)
  Description: Grants permission to view and edit objects and their metadata, including ACLs.
  Permissions: storage.objects.get, storage.objects.update, storage.objects.setIamPolicy, storage.objects.getIamPolicy

Storage Legacy Bucket Reader (roles/storage.legacyBucketReader)
  Description: Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata when listing objects (excluding Cloud IAM policies). Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information.
  Permissions: storage.buckets.get, storage.objects.list

Storage Legacy Bucket Writer (roles/storage.legacyBucketWriter)
  Description: Grants permission to create, overwrite, and delete objects; list objects in a bucket; read object metadata when listing (excluding Cloud IAM policies); and read bucket metadata, excluding Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information.
  Permissions: storage.buckets.get, storage.objects.list, storage.objects.create, storage.objects.delete

Storage Legacy Bucket Owner (roles/storage.legacyBucketOwner)
  Description: Grants permission to create, overwrite, and delete objects; list objects in a bucket; read object metadata when listing (excluding Cloud IAM policies); and read and edit bucket metadata, including Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information.
  Permissions: storage.buckets.get, storage.buckets.update, storage.buckets.setIamPolicy, storage.buckets.getIamPolicy, storage.objects.list, storage.objects.create, storage.objects.delete
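The relationship described under Modifiable behavior and in the legacy-role table, worked as an added example (not code from the Cloud Storage documentation): a small Python audit that expands the role-to-permission tables above, reports which members of a bucket policy hold a given permission, and separates bindings made to the convenience members projectViewer:, projectEditor: and projectOwner: (assumed here to be the member form in which a primitive role is used as a group on a bucket) from explicit grants. The sample policy and the project ID in it are constructed.

```python
# Added example, not code from the Cloud Storage docs: audit a bucket IAM policy.
from fnmatch import fnmatch

# Role -> permissions, transcribed from the tables above (subset of roles).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": ["storage.objects.get", "storage.objects.list"],
    "roles/storage.objectAdmin": ["storage.objects.*"],
    "roles/storage.admin": ["storage.buckets.*", "storage.objects.*"],
    "roles/storage.legacyObjectReader": ["storage.objects.get"],
    "roles/storage.legacyBucketReader": ["storage.buckets.get", "storage.objects.list"],
    "roles/storage.legacyBucketOwner": ["storage.buckets.get", "storage.buckets.update",
        "storage.buckets.setIamPolicy", "storage.buckets.getIamPolicy",
        "storage.objects.list", "storage.objects.create", "storage.objects.delete"],
}
CONVENIENCE = ("projectViewer:", "projectEditor:", "projectOwner:")  # assumed member form

# Constructed sample in the shape `gsutil iam get gs://BUCKET` returns; the first two
# bindings are the defaults described under "Modifiable behavior".
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["projectViewer:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
]}

def grants(role, permission):
    """True if `role` contains `permission`; expands the `.*` wildcard rows."""
    return any(fnmatch(permission, p) for p in ROLE_PERMISSIONS.get(role, []))

def members_with(policy, permission):
    """Map each member holding `permission` on the bucket to the roles granting it."""
    out = {}
    for b in policy.get("bindings", []):
        if grants(b["role"], permission):
            for m in b["members"]:
                out.setdefault(m, []).append(b["role"])
    return out

def convenience_bindings(policy):
    """(member, role) pairs that grant a role to everyone holding a primitive role."""
    return [(m, b["role"]) for b in policy.get("bindings", [])
            for m in b["members"] if m.startswith(CONVENIENCE)]

def strip_convenience(policy):
    """Copy of the policy with the convenience members removed (explicit grants stay)."""
    kept = [{"role": b["role"], "members": [m for m in b["members"]
             if not m.startswith(CONVENIENCE)]} for b in policy["bindings"]]
    return {"bindings": [b for b in kept if b["members"]]}
```

Run `members_with(SAMPLE_POLICY, "storage.buckets.setIamPolicy")` to see that, in the default state, every project Editor and Owner can rewrite the bucket policy; `strip_convenience` produces the policy you would apply to keep only the explicit grant.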

Custom roles

You may wish to define your own roles that contain bundles of permissions you specify. To support this, Cloud IAM offers custom roles.

What's next