IAM permissions for XML requests

The following table lists the Identity and Access Management (IAM) permissions required to run each Cloud Storage XML method on a given resource.

| Method | Resource | Subresource | Required IAM Permissions¹ |
|--------|----------|-------------|---------------------------|
| DELETE | bucket | | storage.buckets.delete |
| DELETE | object | | storage.objects.delete |
| DELETE | object | uploadId | storage.multipartUploads.abort |
| GET | | | storage.buckets.list |
| GET | bucket | | storage.objects.list |
| GET | bucket | acls³ | storage.buckets.get, storage.buckets.getIamPolicy |
| GET | bucket | Non-ACL metadata | storage.buckets.get |
| GET | bucket | uploads | storage.multipartUploads.list |
| GET | object | | storage.objects.get |
| GET | object | acls³ | storage.objects.get, storage.objects.getIamPolicy |
| GET | object | encryption | storage.objects.get |
| GET | object | retention | storage.objects.get |
| GET | object | uploadId | storage.multipartUploads.listParts |
| HEAD | bucket | | storage.buckets.get |
| HEAD | object | | storage.objects.get |
| POST | object | | storage.objects.create, storage.objects.delete⁴, storage.objects.setRetention⁵ |
| POST | object | uploadId | storage.multipartUploads.create, storage.objects.create, storage.objects.delete⁴ |
| POST | object | uploads | storage.multipartUploads.create, storage.objects.create, storage.objects.setRetention⁵ |
| PUT | bucket | | storage.buckets.create, storage.buckets.enableObjectRetention⁶ |
| PUT | bucket | acls³ | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.setIamPolicy, storage.buckets.update |
| PUT | bucket | Non-ACL metadata | storage.buckets.update |
| PUT⁷ | object | | storage.objects.create, storage.objects.get², storage.objects.delete⁴, storage.objects.setRetention⁵ |
| PUT | object | acls³ | storage.objects.get, storage.objects.getIamPolicy, storage.objects.setIamPolicy, storage.objects.update |
| PUT | object | compose | storage.objects.create, storage.objects.get, storage.objects.delete⁴, storage.objects.setRetention⁵ |
| PUT | object | retention | storage.objects.setRetention, storage.objects.update, storage.objects.overrideUnlockedRetention⁸ |
| PUT | object | uploadId | storage.multipartUploads.create, storage.objects.create |

¹ If you use the x-goog-user-project header or userProject query string parameter in your request, you must have serviceusage.services.use permission for the project ID that you specify, in addition to the normal IAM permissions required to make the request.

² This permission is required for the source bucket when the request includes the x-goog-copy-source header.

³ This subresource does not apply to buckets with uniform bucket-level access enabled.

⁴ This permission is only required when the inserted object has the same name as an object that already exists in the bucket.

⁵ This permission is only required when the request includes the x-goog-object-lock-mode and x-goog-object-lock-retain-until-date headers.

⁶ This permission is only required when the request includes an x-goog-bucket-object-lock-enabled header set to true.

⁷ No permissions are required to make PUT requests associated with a resumable upload.

⁸ This permission is only required when the request includes an x-goog-bypass-governance-retention header set to true.
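
The conditional notes above, turned into a least-privilege check for one row of the table: a non-resumable PUT object request with no subresource. This is an added example, not part of the original documentation. The `PutObject` model, the scope keys and the `name_exists` flag are assumptions made for illustration, and the sample bucket, object and project names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PutObject:
    """Constructed model of a non-resumable XML API PUT object request (no subresource)."""
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    name_exists: bool = False  # assumption: caller knows if the object name is already taken


def required_permissions(req):
    """Permissions per scope for the 'PUT object' row, applying notes 1, 2, 4 and 5."""
    h = {k.lower() for k in req.headers}  # header names are case-insensitive
    need = {"bucket": {"storage.objects.create"}, "source_bucket": set(), "user_project": set()}
    if "x-goog-copy-source" in h:  # note 2: read access on the source bucket
        need["source_bucket"].add("storage.objects.get")
    if req.name_exists:  # note 4: replacing an existing object needs delete
        need["bucket"].add("storage.objects.delete")
    if {"x-goog-object-lock-mode", "x-goog-object-lock-retain-until-date"} <= h:  # note 5
        need["bucket"].add("storage.objects.setRetention")
    if "x-goog-user-project" in h or "userProject" in req.query:  # note 1
        need["user_project"].add("serviceusage.services.use")
    return need


def missing_permissions(granted, req):
    """Return the permissions the request needs that `granted` (same scope keys) lacks."""
    need = required_permissions(req)
    gaps = {scope: perms - set(granted.get(scope, ())) for scope, perms in need.items()}
    return {scope: perms for scope, perms in gaps.items() if perms}


# Constructed sample: a create-only role attempting a billed copy over an existing name.
UPLOAD_ONLY = {"bucket": {"storage.objects.create"}}
COPY_OVERWRITE = PutObject(
    headers={"x-goog-copy-source": "/src-bucket/report.csv",
             "X-Goog-User-Project": "billing-proj"},
    name_exists=True,
)

if __name__ == "__main__":
    for scope, perms in sorted(missing_permissions(UPLOAD_ONLY, COPY_OVERWRITE).items()):
        print(scope, sorted(perms))
```

Per note 4, a principal holding only storage.objects.create can add new objects but cannot replace an existing one, which the check reports as a missing storage.objects.delete on the destination bucket.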
