IAM permissions for XML requests

The following table lists the Identity and Access Management (IAM) permissions required to run each Google Cloud Storage XML method on a given resource.

| Method | Resource | Subresource | Required IAM Permissions |
|--------|----------|-------------|--------------------------|
| DELETE | bucket | | storage.buckets.delete |
| DELETE | object | | storage.objects.delete |
| GET | | | storage.buckets.list |
| GET | bucket | | storage.objects.list |
| GET | bucket | acls | storage.buckets.get, storage.buckets.getIamPolicy |
| GET | bucket | Non-ACL metadata | storage.buckets.get |
| GET | object | | storage.objects.get |
| GET | object | acls | storage.objects.get, storage.objects.getIamPolicy |
| HEAD | bucket | | storage.buckets.get |
| HEAD | object | | storage.objects.get |
| POST | object | | storage.objects.create |
| PUT | bucket | | storage.buckets.create |
| PUT | bucket | acls | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
| PUT | bucket | Non-ACL metadata | storage.buckets.update |
| PUT | object | | storage.objects.create [1] |
| PUT | object | compose | storage.objects.create for the destination bucket; storage.objects.get for the source bucket |
| PUT | object | acls | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |

[1] If the x-goog-copy-source header is present, the requester also requires storage.objects.get permission on the bucket from which the object is copied.
