Standard roles
The following table describes Cloud Identity and Access Management (Cloud IAM) roles that are associated with Cloud Storage and lists bucket and object permissions that are contained in each role. These roles can be applied either to entire projects or specific buckets.
| Role | Description | Permissions |
|---|---|---|
roles/storage.objectCreator |
Allows users to create objects. Does not give permission to view, delete, or overwrite objects. | resourcemanager.projects.getresourcemanager.projects.liststorage.objects.create |
roles/storage.objectViewer |
Grants access to view objects and their metadata,
excluding ACLs. Can also list the objects in a bucket. |
resourcemanager.projects.getresourcemanager.projects.liststorage.objects.getstorage.objects.list |
roles/storage.objectAdmin |
Grants full control over objects, including listing, creating, viewing, and deleting objects. | resourcemanager.projects.getresourcemanager.projects.liststorage.objects.* |
roles/storage.admin |
Grants full control of buckets and objects. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. |
firebase.projects.getresourcemanager.projects.getresourcemanager.projects.liststorage.buckets.*storage.objects.* |
Primitive roles
The following table describes primitive roles and the Cloud Storage permissions that these roles contain. Primitive roles cannot be added at the bucket-level.
| Role | Description | Permissions |
|---|---|---|
role/viewer |
Grants permission to list buckets as well as view bucket metadata, excluding ACLs, when listing. | storage.buckets.list |
role/editor |
Grants permission to create, list, and delete buckets. Also grants permission to view bucket metadata, excluding ACLs, when listing. | storage.buckets.createstorage.buckets.deletestorage.buckets.list |
role/owner |
Grants permission to create, list, and delete buckets. Also grants permission to view bucket metadata, excluding ACLs, when listing. | storage.buckets.createstorage.buckets.deletestorage.buckets.list |
Legacy roles
The following table lists Cloud IAM roles that are equivalent to Access Control List (ACL) permissions. These Cloud IAM roles can only be applied to a bucket, not a project.
| Role | Description | Permissions |
|---|---|---|
roles/storage.legacyObjectReader |
Grants permission to view objects and their metadata, excluding ACLs. | storage.objects.get |
roles/storage.legacyObjectOwner |
Grants permission to view and edit objects and their metadata, including ACLs. | storage.objects.getstorage.objects.updatestorage.objects.setIamPolicystorage.objects.getIamPolicy |
roles/storage.legacyBucketReader |
Grants permission to list a bucket's contents and read
bucket metadata, excluding Cloud IAM policies. Also grants
permission to read object metadata, excluding Cloud IAM
policies, when listing objects.
Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information. |
storage.buckets.getstorage.objects.list |
roles/storage.legacyBucketWriter |
Grants permission to create, overwrite, and delete
objects; list objects in a bucket and read object metadata, excluding
Cloud IAM policies, when listing; and read bucket metadata,
excluding Cloud IAM policies.
Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information. |
storage.buckets.getstorage.objects.liststorage.objects.createstorage.objects.delete |
roles/storage.legacyBucketOwner |
Grants permission to create, overwrite, and delete
objects; list objects in a bucket and read object metadata, excluding
Cloud IAM policies, when listing; and read and edit bucket
metadata, including Cloud IAM policies.
Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information. |
storage.buckets.getstorage.buckets.updatestorage.buckets.setIamPolicystorage.buckets.getIamPolicystorage.objects.liststorage.objects.createstorage.objects.delete |
Custom roles
You may wish to define your own roles which contain bundles of permissions that you specify. To support this, Cloud IAM offers custom roles.
What's next
Learn how to control access to buckets and objects using Cloud IAM permissions.
For a reference describing each Cloud IAM permission for Cloud Storage, see Cloud Storage Cloud IAM Permissions.
For references of which Cloud IAM permissions allow users to perform actions with different Cloud Storage tools, see Cloud IAM with the Cloud Console, Cloud IAM with gsutil, Cloud IAM with JSON, and Cloud IAM with XML.
For a reference of other Google Cloud Platform roles, see Understanding Roles.
¿Necesitas ayuda? Visita nuestra