Cloud IAM roles for Cloud Storage

Standard roles

The following table describes Cloud Identity and Access Management (Cloud IAM) roles that are associated with Cloud Storage and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific buckets.

Role: roles/storage.objectCreator
Description: Allows users to create objects. Does not give permission to view, delete, or overwrite objects.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.create

Role: roles/storage.objectViewer
Description: Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.get, storage.objects.list

Role: roles/storage.objectAdmin
Description: Grants full control over objects, including listing, creating, viewing, and deleting objects.
Permissions: resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.*

Role: roles/storage.hmacKeyAdmin
Description: Full control over HMAC keys in a project.
Permissions: storage.hmacKeys.*

Role: roles/storage.admin
Description: Grants full control of buckets and objects. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
Permissions: firebase.projects.get, resourcemanager.projects.get, resourcemanager.projects.list, storage.buckets.*, storage.objects.*

Primitive roles

The following table describes primitive roles and the Cloud Storage permissions that these roles contain. Primitive roles cannot be added at the bucket level.

Role: roles/viewer
Description: Grants permission to list buckets as well as view bucket metadata, excluding ACLs, when listing. Also grants permission to list and get HMAC keys in the project.
Permissions: storage.buckets.list, storage.hmacKeys.get, storage.hmacKeys.list

Role: roles/editor
Description: Grants permission to create, list, and delete buckets. Grants permission to view bucket metadata, excluding ACLs, when listing. Grants full control over HMAC keys in a project.
Permissions: storage.buckets.create, storage.buckets.delete, storage.buckets.list, storage.hmacKeys.*

Role: roles/owner
Description: Grants permission to create, list, and delete buckets. Also grants permission to view bucket metadata, excluding ACLs, when listing. Grants full control over HMAC keys in a project.
Permissions: storage.buckets.create, storage.buckets.delete, storage.buckets.list, storage.hmacKeys.*

Legacy roles

The following table lists Cloud IAM roles that are equivalent to Access Control List (ACL) permissions. These Cloud IAM roles can only be applied to a bucket, not a project.

Role: roles/storage.legacyObjectReader
Description: Grants permission to view objects and their metadata, excluding ACLs.
Permissions: storage.objects.get

Role: roles/storage.legacyObjectOwner
Description: Grants permission to view and edit objects and their metadata, including ACLs.
Permissions: storage.objects.get, storage.objects.update, storage.objects.setIamPolicy, storage.objects.getIamPolicy

Role: roles/storage.legacyBucketReader
Description: Grants permission to list a bucket's contents and read bucket metadata, excluding Cloud IAM policies. Also grants permission to read object metadata, excluding Cloud IAM policies, when listing objects. Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information.
Permissions: storage.buckets.get, storage.objects.list

Role: roles/storage.legacyBucketWriter
Description: Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read bucket metadata, excluding Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information.
Permissions: storage.buckets.get, storage.objects.list, storage.objects.create, storage.objects.delete

Role: roles/storage.legacyBucketOwner
Description: Grants permission to create, overwrite, and delete objects; list objects in a bucket and read object metadata, excluding Cloud IAM policies, when listing; and read and edit bucket metadata, including Cloud IAM policies. Use of this role is also reflected in the bucket's ACLs. See Cloud IAM relation to ACLs for more information.
Permissions: storage.buckets.get, storage.buckets.update, storage.buckets.setIamPolicy, storage.buckets.getIamPolicy, storage.objects.list, storage.objects.create, storage.objects.delete

Custom roles

You may wish to define your own roles that contain exactly the bundle of permissions you specify, for example when no predefined role matches the least privilege a workload needs. To support this, Cloud IAM offers custom roles.
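As an added example (not from this page), here is a custom role definition in the YAML format accepted by gcloud iam roles create. It bundles permissions from the tables above into a role that can create and read objects but cannot delete or overwrite them or touch ACLs, a combination none of the predefined roles on this page offers (objectCreator cannot view, objectAdmin can delete). The role ID, file name, and PROJECT_ID are placeholders.

```yaml
# Custom Cloud Storage role: upload and read back objects, nothing more.
# Added illustration; not a role defined on this page. Role ID, file name
# and PROJECT_ID below are placeholders. Create it with:
#   gcloud iam roles create storageObjectWriterReader \
#       --project=PROJECT_ID --file=storage-object-writer-reader.yaml
title: "Storage Object Writer/Reader"
description: "Create and read objects; no delete, overwrite, or ACL access."
stage: "GA"
includedPermissions:
  # from roles/storage.objectCreator
  - storage.objects.create
  # from roles/storage.objectViewer
  - storage.objects.get
  - storage.objects.list
  # deliberately omitted: storage.objects.delete (also required to overwrite),
  # storage.objects.update, storage.objects.getIamPolicy/setIamPolicy
```

Granting storage.objects.create without storage.objects.delete matches the objectCreator behaviour described above: new objects can be written, but existing ones cannot be overwritten.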
