IAM permissions for XML requests

The following table lists the Identity and Access Management (IAM) permissions required to run each Google Cloud Storage XML method on a given resource.

Method Resource Subresource Required IAM Permissions1
DELETE bucket storage.buckets.delete
DELETE object storage.objects.delete
GET storage.buckets.list
GET bucket storage.objects.list
GET bucket acls storage.buckets.get
storage.buckets.getIamPolicy
GET bucket Non-ACL metadata storage.buckets.get
GET object storage.objects.get
GET object acls storage.objects.get
storage.objects.getIamPolicy
HEAD bucket storage.buckets.get
HEAD object storage.objects.get
POST object storage.objects.create
PUT bucket storage.buckets.create
PUT bucket acls storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
PUT bucket Non-ACL metadata storage.buckets.update
PUT object storage.objects.create2
PUT object compose storage.objects.create for the destination bucket
storage.objects.get for the source bucket
PUT object acls storage.objects.get
storage.objects.getIamPolicy
storage.objects.setIamPolicy
storage.objects.update

1 If you use the x-goog-user-project header or userProject query string parameter in your request, you must have serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.

2 If the x-goog-copy-source header is present, the requester also requires storage.objects.get permission on the bucket from which the object is copied.

Send feedback about...

Cloud Storage Documentation