IAM with JSON and XML

This page lists the IAM permissions a user needs in order to call each JSON method or XML request on buckets and objects in Google Cloud Storage. IAM is not the only path to a resource: a user who lacks the IAM permission can still make the request if the access control list (ACL) on the bucket or object grants sufficient access, so both the IAM policy and the ACL have to be reviewed when determining who can reach a resource.

IAM permissions for JSON methods

The following table lists the IAM permissions that enable a user to run each JSON method on a given resource.

Resource                      Method    Required IAM permissions
BucketAccessControls          delete    storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
BucketAccessControls          get       storage.buckets.get
                                        storage.buckets.getIamPolicy
BucketAccessControls          insert    storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
BucketAccessControls          list      storage.buckets.get
                                        storage.buckets.getIamPolicy
BucketAccessControls          patch     storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
BucketAccessControls          update    storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
Buckets                       delete    storage.buckets.delete
Buckets                       get       storage.buckets.get
                                        storage.buckets.getIamPolicy [1]
Buckets                       insert    storage.buckets.create
Buckets                       list      storage.buckets.list
                                        storage.buckets.getIamPolicy [1]
Buckets                       patch     storage.buckets.update
                                        storage.buckets.getIamPolicy [2]
                                        storage.buckets.setIamPolicy [2]
Buckets                       update    storage.buckets.setIamPolicy
                                        storage.buckets.update
Channels                      stop      None
DefaultObjectAccessControls   delete    storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
DefaultObjectAccessControls   get       storage.buckets.get
                                        storage.buckets.getIamPolicy
DefaultObjectAccessControls   insert    storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
DefaultObjectAccessControls   list      storage.buckets.get
                                        storage.buckets.getIamPolicy
DefaultObjectAccessControls   patch     storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
DefaultObjectAccessControls   update    storage.buckets.get
                                        storage.buckets.getIamPolicy
                                        storage.buckets.setIamPolicy
                                        storage.buckets.update
ObjectAccessControls          delete    storage.objects.get
                                        storage.objects.getIamPolicy
                                        storage.objects.setIamPolicy
                                        storage.objects.update
ObjectAccessControls          get       storage.objects.get
                                        storage.objects.getIamPolicy
ObjectAccessControls          insert    storage.objects.get
                                        storage.objects.getIamPolicy
                                        storage.objects.setIamPolicy
                                        storage.objects.update
ObjectAccessControls          list      storage.objects.get
                                        storage.objects.getIamPolicy
ObjectAccessControls          patch     storage.objects.get
                                        storage.objects.getIamPolicy
                                        storage.objects.setIamPolicy
                                        storage.objects.update
ObjectAccessControls          update    storage.objects.get
                                        storage.objects.getIamPolicy
                                        storage.objects.setIamPolicy
                                        storage.objects.update
Objects                       compose   storage.objects.create
                                        storage.objects.get
Objects                       copy      storage.objects.create
                                        storage.objects.get
Objects                       delete    storage.objects.delete
Objects                       get       storage.objects.get
                                        storage.objects.getIamPolicy [1]
Objects                       insert    storage.objects.create
                                        storage.objects.delete [3]
Objects                       list      storage.objects.list
                                        storage.objects.getIamPolicy [1]
Objects                       patch     storage.objects.get
                                        storage.objects.getIamPolicy
                                        storage.objects.update
                                        storage.objects.setIamPolicy [2]
Objects                       rewrite   storage.objects.create
                                        storage.objects.get
Objects                       update    storage.objects.setIamPolicy
                                        storage.objects.update
Objects                       watchAll  storage.buckets.update

[1] Only required when the request uses projection=full, which includes the ACL in the returned metadata.

[2] Only required when the request or the response includes ACLs.

[3] Only required when the inserted object has the same name as an object that already exists in the bucket, since the insert overwrites that object.

IAM permissions for XML requests

The following table lists the IAM permissions that enable a user to run each XML method on a given resource.

Method   Resource  Subresource         Required IAM permissions
DELETE   bucket                        storage.buckets.delete
DELETE   object                        storage.objects.delete
GET      service                       storage.buckets.list
GET      bucket                        storage.objects.list
GET      bucket    acls                storage.buckets.get
                                       storage.buckets.getIamPolicy
GET      bucket    non-ACL metadata    storage.buckets.get
GET      object                        storage.objects.get
GET      object    acls                storage.objects.get
                                       storage.objects.getIamPolicy
HEAD     bucket                        storage.buckets.get
HEAD     object                        storage.objects.get
POST     object                        storage.objects.create
PUT      bucket                        storage.buckets.create
PUT      bucket    acls                storage.buckets.get
                                       storage.buckets.getIamPolicy
                                       storage.buckets.setIamPolicy
                                       storage.buckets.update
PUT      bucket    non-ACL metadata    storage.buckets.update
PUT      object                        storage.objects.create [1]
PUT      object    compose             storage.objects.create for the destination bucket
                                       storage.buckets.get for the source bucket
PUT      object    acls                storage.objects.get
                                       storage.objects.getIamPolicy
                                       storage.objects.setIamPolicy
                                       storage.objects.update

[1] If the x-goog-copy-source header is present, the caller also needs storage.objects.get on the bucket from which the object is copied.
