IAM roles for Cloud Storage

Predefined roles

The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Storage and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific buckets.

Role	Description	Permissions
Storage Object Creator (`roles/storage.objectCreator`)	Allows users to create objects. Does not give permission to view, delete, or replace objects.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.objects.create` `storage.multipartUploads.create` `storage.multipartUploads.abort` `storage.multipartUploads.listParts`
Storage Object Viewer (`roles/storage.objectViewer`)	Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.objects.get` `storage.objects.list`
Storage Object Admin (`roles/storage.objectAdmin`)	Grants full control over objects, including listing, creating, viewing, and deleting objects.	`resourcemanager.projects.get` `resourcemanager.projects.list` `storage.objects.*` `storage.multipartUploads.create` `storage.multipartUploads.abort` `storage.multipartUploads.listParts`
Storage HMAC Key Admin (`roles/storage.hmacKeyAdmin`)	Full control over HMAC keys in a project. This role can only be applied to a project.	`storage.hmacKeys.*`
Storage Admin (`roles/storage.admin`)	Grants full control of buckets and objects. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.	`firebase.projects.get` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.` `storage.objects.` `storage.multipartUploads.*`

Basic roles

Basic roles are roles that existed prior to IAM. These roles have unique characteristics:

Basic roles can only be granted for an entire project, not for individual buckets within the project. Like other roles that you grant for a project, basic roles apply to all buckets and objects in the project.
Basic roles contain additional permissions for other Google Cloud services that are not covered in this section. See basic roles for a general discussion of the permissions that basic roles grant.
Each basic role has a convenience value that lets you use the basic role as if it were a group. When used in this way, any principal that has the basic role is considered to be part of the group. Everyone in the group gets additional access for resources based on the access the convenience value has.
- Convenience values can be used when granting roles for buckets.
- Convenience values can be used when setting ACLs on objects.
Basic roles do not intrinsically give all of the access to Cloud Storage resources that their names imply. Instead, they give a portion of the expected access intrinsically and the rest of the expected access through the use of convenience values. Because convenience values can be manually added or removed like any other IAM principal, it is possible to revoke access that principals might otherwise expect to have.

For a discussion of additional access that principals with basic roles typically gain due to convenience values, see modifiable behavior.

Intrinsic permissions

The following table describes the Cloud Storage permissions that are always associated with each basic role.

Role Description Cloud Storage Permissions

Viewer (roles/viewer) Grants permission to list buckets in the project; view bucket metadata when listing (excluding ACLs); and list and get HMAC keys in the project. storage.buckets.list
storage.hmacKeys.get
storage.hmacKeys.list

Editor (roles/editor) Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); and control HMAC keys in the project. storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.hmacKeys.*

Role	Description	Cloud Storage Permissions
Viewer (`roles/viewer`)	Grants permission to list buckets in the project; view bucket metadata when listing (excluding ACLs); and list and get HMAC keys in the project.	`storage.buckets.list` `storage.hmacKeys.get` `storage.hmacKeys.list`
Editor (`roles/editor`)	Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); and control HMAC keys in the project.	`storage.buckets.create` `storage.buckets.delete` `storage.buckets.list` `storage.hmacKeys.*`
Owner (`roles/owner`)	Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); and control HMAC keys in the project. Within Google Cloud more generally, principals with this role can perform administrative tasks such as changing principals' roles for the project or changing billing.	`storage.buckets.create` `storage.buckets.delete` `storage.buckets.list` `storage.hmacKeys.*`

Owner (roles/owner)

Grants permission to create, list, and delete buckets in the project; view bucket metadata when listing (excluding ACLs); and control HMAC keys in the project.

Within Google Cloud more generally, principals with this role can perform administrative tasks such as changing principals' roles for the project or changing billing.

storage.buckets.create
storage.buckets.delete
storage.buckets.list
storage.hmacKeys.*

Modifiable behavior

The following table describes the additional Cloud Storage access typically associated with each basic role due to convenience values. This additional access is granted at the time of bucket creation, but you can later edit your bucket IAM policies and your object ACLs to remove or change it.

Role	Additional access gained due to convenience values
Viewer (`roles/viewer`)	Granted the `roles/storage.legacyBucketReader` role for each bucket in the project. Granted `READER` permission in the default object Access Control List for each bucket in the project. If you enable uniform bucket-level access upon bucket creation, you are also granted `roles/storage.legacyObjectReader`
Editor (`roles/editor`)	Granted the `roles/storage.legacyBucketOwner` role for each bucket in the project. Granted `OWNER` permission in the default object Access Control List for each bucket in the project. If you enable uniform bucket-level access upon bucket creation,you are also granted the role `roles/storage.legacyObjectOwner`
Owner (`roles/owner`)	Granted the `roles/storage.legacyBucketOwner` role for each bucket in the project. Granted `OWNER` permission in the default object Access Control List for each bucket in the project. If you enable uniform bucket-level access upon bucket creation,you are also granted the role `roles/storage.legacyObjectOwner`

Predefined legacy roles

The following table lists IAM roles that are equivalent to Access Control List (ACL) permissions. You can grant legacy roles only for individual buckets, not for projects.

Role	Description	Permissions
Storage Legacy Object Reader (`roles/storage.legacyObjectReader`)	Grants permission to view objects and their metadata, excluding ACLs.	`storage.objects.get`
Storage Legacy Object Owner (`roles/storage.legacyObjectOwner`)	Grants permission to view and edit objects and their metadata, including ACLs.	`storage.objects.get` `storage.objects.update` `storage.objects.setIamPolicy` `storage.objects.getIamPolicy`
Storage Legacy Bucket Reader (`roles/storage.legacyBucketReader`)	Grants permission to list a bucket's contents and read bucket metadata, excluding IAM policies. Also grants permission to read object metadata when listing objects (excluding IAM policies). Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information.	`storage.buckets.get` `storage.objects.list` `storage.multipartUploads.list`
Storage Legacy Bucket Writer (`roles/storage.legacyBucketWriter`)	Grants permission to create, replace, and delete objects; list objects in a bucket; read object metadata when listing (excluding IAM policies); and read bucket metadata, excluding IAM policies. Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information.	`storage.buckets.get` `storage.objects.list` `storage.objects.create` `storage.objects.delete` `storage.multipartUploads.create` `storage.multipartUploads.abort` `storage.multipartUploads.listParts`
Storage Legacy Bucket Owner (`roles/storage.legacyBucketOwner`)	Grants permission to create, replace, and delete objects; list objects in a bucket; read object metadata when listing (excluding IAM policies); and read and edit bucket metadata, including IAM policies. Use of this role is also reflected in the bucket's ACLs. See IAM relation to ACLs for more information.	`storage.buckets.get` `storage.buckets.update` `storage.buckets.setIamPolicy` `storage.buckets.getIamPolicy` `storage.objects.list` `storage.objects.create` `storage.objects.delete` `storage.multipartUploads.*`

Custom roles

You may wish to define your own roles which contain bundles of permissions that you specify. To support this, IAM offers custom roles.

What's next

Use IAM permissions to control access to buckets and objects.
Learn about each IAM permission for Cloud Storage.
Learn about which IAM permissions allow users to perform actions with the Cloud Console, with gsutil, with the JSON API, and with the XML API.
For a reference of other Google Cloud roles, see Understanding Roles.