IAM permissions for Storage Transfer Service methods

The following table lists the minimum project-level role (Viewer or Editor) required to call each Storage Transfer Service method. These project roles are coarse-grained: Editor, for example, grants write access to most resources in the project, not only to transfer jobs, so grant it only to the principals that actually create, change or control transfers, and keep read-only operators at Viewer.

Resource              Method  Minimum project role
googleServiceAccount  get     Viewer
transferJobs          create  Editor
transferJobs          get     Viewer
transferJobs          list    Viewer
transferJobs          patch   Editor
transferOperations    cancel  Editor
transferOperations    get     Viewer
transferOperations    list    Viewer
transferOperations    pause   Editor
transferOperations    resume  Editor

Source permissions

Cloud Storage

The Storage Transfer Service uses a service account to move data from a Cloud Storage source bucket. This is the Google-managed service account returned by the googleServiceAccount get method listed above, so the bucket permissions must be granted to that account, not to the user who creates the transfer job. The service account must have the following permissions on the source bucket:

Permission              Description                                                     Use
storage.buckets.get     Allows the service account to get the location of the bucket.   Always required.
storage.objects.list    Allows the service account to list objects in the bucket.       Always required.
storage.objects.get     Allows the service account to read objects in the bucket.       Always required.
storage.objects.delete  Allows the service account to delete objects in the bucket.     Required if you set deleteObjectsFromSourceAfterTransfer to true.

The roles/storage.objectViewer and roles/storage.legacyBucketReader roles together contain the permissions that are always required. The roles/storage.legacyBucketWriter role contains the storage.objects.delete permission, but it also grants storage.objects.create, which a source bucket never needs; if the transfer deletes from the source, a custom role holding exactly the four permissions above keeps the grant to the minimum. Whichever roles you choose, assign them on the source bucket to the service account that performs the transfer.

For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.

Amazon S3

To use the Storage Transfer Service to move data from an Amazon S3 bucket, you must have an AWS Identity and Access Management (IAM) user whose credentials the transfer job uses. Scope that user's policy to the one source bucket rather than to all of S3; it must grant the following permissions on the bucket:

Permission            Description                                                             Use
s3:ListBucket         Allows the Storage Transfer Service to list objects in the bucket.      Always required.
s3:GetObject          Allows the Storage Transfer Service to read objects in the bucket.      Always required.
s3:GetBucketLocation  Allows the Storage Transfer Service to get the location of the bucket.  Always required.
s3:DeleteObject       Allows the Storage Transfer Service to delete objects in the bucket.    Required if you set deleteObjectsFromSourceAfterTransfer to true.
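The following is an added example, not code from the original page or from Google: it builds an AWS IAM policy document that grants only the four S3 actions listed above, scoped to a single bucket, and adds s3:DeleteObject only when the job sets deleteObjectsFromSourceAfterTransfer. The bucket name and the statement Sids are constructed for illustration; the policy layout (bucket-level actions on the bucket ARN, object-level actions on the bucket's objects) is the standard AWS form.

```python
import json

# Constructed example bucket name (not from the page); replace with your own.
EXAMPLE_BUCKET = "example-source-bucket"

BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]  # apply to the bucket ARN
READ_OBJECT_ACTIONS = ["s3:GetObject"]                        # apply to objects in it


def s3_source_policy(bucket: str, delete_after_transfer: bool) -> dict:
    """Return an IAM policy document granting only the actions the page lists
    for an S3 source bucket. s3:DeleteObject is added only when the transfer
    job sets deleteObjectsFromSourceAfterTransfer to true."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions = list(READ_OBJECT_ACTIONS)
    if delete_after_transfer:
        object_actions.append("s3:DeleteObject")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StorageTransferBucketAccess",  # constructed Sid
                "Effect": "Allow",
                "Action": BUCKET_ACTIONS,
                # Bucket-level actions are scoped to the bucket itself, not its objects.
                "Resource": bucket_arn,
            },
            {
                "Sid": "StorageTransferObjectAccess",  # constructed Sid
                "Effect": "Allow",
                "Action": object_actions,
                # Object-level actions are scoped to objects under this one bucket only.
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def allowed_actions(policy: dict) -> set:
    """Flatten every Allow statement's actions, to review what a policy grants."""
    return {
        action
        for statement in policy["Statement"]
        if statement["Effect"] == "Allow"
        for action in statement["Action"]
    }


if __name__ == "__main__":
    policy = s3_source_policy(EXAMPLE_BUCKET, delete_after_transfer=False)
    print(json.dumps(policy, indent=2))
    print(sorted(allowed_actions(policy)))
```

Attach the generated document to the IAM user whose credentials the transfer job uses. Keeping the Resource entries bucket-specific matters: a policy with "s3:*" on "*" would let a leaked transfer credential read or delete every bucket in the account.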

URL list

If your data source is a URL list, each object in the list must be publicly accessible. The Storage Transfer Service fetches these URLs without credentials, so there is no way to authenticate the fetch and anyone else can read the same objects; do not use a URL list for data that must stay private.

Sink permissions

The Storage Transfer Service uses a service account to move data into a Cloud Storage sink bucket. As for a Cloud Storage source, this is the Google-managed service account returned by the googleServiceAccount get method, and the permissions are granted on the sink bucket to that account. The service account must have the following permissions on the sink bucket:

Permission              Description                                                     Use
storage.buckets.get     Allows the service account to get the location of the bucket.   Always required.
storage.objects.create  Allows the service account to add objects to the bucket.        Always required.
storage.objects.delete  Allows the service account to delete objects in the bucket.     Required if you set overwriteObjectsAlreadyExistingInSink or deleteObjectsUniqueInSink to true.
storage.objects.list    Allows the service account to list objects in the bucket.       Required if you set overwriteObjectsAlreadyExistingInSink to false or deleteObjectsUniqueInSink to true.

All of these permissions are contained in the roles/storage.legacyBucketWriter role, which you can assign to the service account on the sink bucket. Note that the role always includes storage.objects.delete, even for a job whose transfer options never require it; a custom role lets you omit it when the job only adds objects. For a complete list of Cloud Storage roles and the permissions they contain, see IAM roles.
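The conditional rows in the source and sink tables are easy to get wrong by hand, so the following added example (not code from the original page or from Google) turns them into a preflight check: given a job's transferOptions, it computes the exact Cloud Storage permissions the transfer needs on each bucket, then compares that set with what a role binding grants, reporting both what is missing (the transfer would fail) and what is excess (rights the service account holds but this job never uses). The role-to-permission map is taken from this page's description of the three predefined roles and is an assumption to verify against the current IAM roles reference; the sample job is constructed.

```python
# Permission sets exactly as the page lists them.
SOURCE_ALWAYS = {"storage.buckets.get", "storage.objects.list", "storage.objects.get"}
SINK_ALWAYS = {"storage.buckets.get", "storage.objects.create"}

# Permissions the page says each predefined role contains. Assumption: this
# mirrors the page; check the IAM roles reference before relying on it.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.legacyBucketWriter": {
        "storage.buckets.get", "storage.objects.create",
        "storage.objects.delete", "storage.objects.list",
    },
}


def required_source_permissions(transfer_options: dict) -> set:
    """Source-bucket permissions implied by a job's transferOptions."""
    perms = set(SOURCE_ALWAYS)
    if transfer_options.get("deleteObjectsFromSourceAfterTransfer", False):
        perms.add("storage.objects.delete")
    return perms


def required_sink_permissions(transfer_options: dict) -> set:
    """Sink-bucket permissions implied by a job's transferOptions, following
    the two conditional rows of the sink table."""
    perms = set(SINK_ALWAYS)
    overwrite = transfer_options.get("overwriteObjectsAlreadyExistingInSink", False)
    delete_unique = transfer_options.get("deleteObjectsUniqueInSink", False)
    if overwrite or delete_unique:
        perms.add("storage.objects.delete")
    if not overwrite or delete_unique:
        # The service must list the sink to know what already exists there.
        perms.add("storage.objects.list")
    return perms


def granted_permissions(roles) -> set:
    """Union of the permissions in the given predefined roles."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def audit(required: set, roles) -> dict:
    """Compare a bucket binding against what the job needs. 'missing' means the
    transfer will fail; 'excess' means the service account holds rights on the
    bucket that this job never exercises."""
    granted = granted_permissions(roles)
    return {"missing": required - granted, "excess": granted - required}


if __name__ == "__main__":
    # Constructed transfer job (not from the page): a mirror that overwrites
    # existing sink objects and prunes objects the source no longer has.
    job = {
        "transferOptions": {
            "overwriteObjectsAlreadyExistingInSink": True,
            "deleteObjectsUniqueInSink": True,
        }
    }
    opts = job["transferOptions"]
    print("source:", audit(required_source_permissions(opts),
                           ["roles/storage.objectViewer", "roles/storage.legacyBucketReader"]))
    print("sink:  ", audit(required_sink_permissions(opts),
                           ["roles/storage.legacyBucketWriter"]))
```

Run the audit before creating the job: an empty "missing" set for both buckets means the bindings cover the job, and a non-empty "excess" set on the source (for example, storage.objects.create or storage.objects.delete granted by legacyBucketWriter to a read-only copy) is the signal to replace the predefined role with a tighter custom one.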
