This page describes how to control access to buckets, managed folders, and objects using Identity and Access Management (IAM) permissions. IAM lets you control who has access to your buckets, managed folders, and objects.
To learn about other ways to control access to buckets, managed folders, and objects, read Overview of Access Control. To learn about controlling access to individual objects in your buckets, see Access Control Lists.
Use IAM with buckets
The following sections show how to complete basic IAM tasks on buckets.
Required roles
To get the permissions that you need to set and manage IAM policies for a bucket, ask your administrator to grant you the Storage Admin (roles/storage.admin) IAM role for the bucket.
This role contains the following permissions, which are required to set and manage IAM policies for buckets:
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
storage.buckets.list (only required if you plan on using the Google Cloud console to perform the tasks on this page)
You can also get these permissions with custom roles.
Add a principal to a bucket-level policy
For a list of roles associated with Cloud Storage, see IAM Roles. For information on entities to which you grant IAM roles, see Principal identifiers.
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. In the list of buckets, click the name of the bucket for which you want to grant a principal a role.
3. Select the Permissions tab near the top of the page.
4. Click Grant access. The Add principals dialog box appears.
5. In the New principals field, enter one or more identities that need access to your bucket.
6. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
7. Click Save.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the buckets add-iam-policy-binding command:

gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE

Where:
- BUCKET_NAME is the name of the bucket you are granting the principal access to. For example, my-bucket.
- PRINCIPAL_IDENTIFIER identifies who you are granting bucket access to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
- IAM_ROLE is the IAM role you are granting to the principal. For example, roles/storage.objectViewer.
Client libraries
For more information, see the Cloud Storage API reference documentation for your client library: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Create a JSON file that contains the following information:

{
  "bindings": [
    {
      "role": "IAM_ROLE",
      "members": [
        "PRINCIPAL_IDENTIFIER"
      ]
    }
  ]
}

Where:
- IAM_ROLE is the IAM role you are granting. For example, roles/storage.objectViewer.
- PRINCIPAL_IDENTIFIER identifies who you are granting bucket access to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.

A PUT setIamPolicy request replaces the bucket's entire IAM policy with the contents of this file, so a file that holds only the new binding removes every other binding on the bucket. If the bucket already has bindings you want to keep, first retrieve the current policy with a GET getIamPolicy request (see View the IAM policy for a bucket), add the new binding to the existing bindings, and keep the returned etag so that the update is rejected if the policy changed in the meantime.

3. Use cURL to call the JSON API with a PUT setIamPolicy request:

curl -X PUT --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

Where:
- JSON_FILE_NAME is the path for the file that you created in Step 2.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket to which you want to give the principal access. For example, my-bucket.
View the IAM policy for a bucket
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. In the list of buckets, click the name of the bucket whose policy you want to view.
3. In the Bucket details page, click the Permissions tab. The IAM policy that applies to the bucket appears in the Permissions section.
4. (Optional) Use the Filter bar to filter your results. If you search by principal, your results display each role that the principal is granted.
Command line
Use the buckets get-iam-policy command:

gcloud storage buckets get-iam-policy gs://BUCKET_NAME

Where BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket.
Client libraries
For more information, see the Cloud Storage API reference documentation for your client library: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Use cURL to call the JSON API with a GET getIamPolicy request:

curl -X GET \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

Where:
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket.
Remove a principal from a bucket-level policy
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. In the list of buckets, click the name of the bucket from which you want to remove a principal's role.
3. In the Bucket details page, click the Permissions tab. The IAM policy that applies to the bucket appears in the Permissions section.
4. In the View by principals tab, select the checkbox for the principal you're removing.
5. Click Remove access.
6. In the overlay window that appears, click Confirm.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
Use the buckets remove-iam-policy-binding command:

gcloud storage buckets remove-iam-policy-binding gs://BUCKET_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE

Where:
- BUCKET_NAME is the name of the bucket you are revoking access to. For example, my-bucket.
- PRINCIPAL_IDENTIFIER identifies who you are revoking access from. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
- IAM_ROLE is the IAM role you are revoking. For example, roles/storage.objectViewer.
Client libraries
For more information, see the Cloud Storage API reference documentation for your client library: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Get the existing policy applied to your bucket. To do so, use cURL to call the JSON API with a GET getIamPolicy request:

curl -X GET \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

Where:
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket whose IAM policy you want to view. For example, my-bucket.
3. Create a JSON file that contains the policy you retrieved in the previous step.
4. Edit the JSON file to remove the principal from the policy. Remove the principal from every binding in which it appears, including conditional bindings, drop any binding that is left with no members, and keep the etag so that the update is rejected if the policy changed in the meantime.
5. Use cURL to call the JSON API with a PUT setIamPolicy request:

curl -X PUT --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

Where:
- JSON_FILE_NAME is the path for the file that you created in Step 3.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket from which you want to remove access. For example, my-bucket.
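Both REST procedures above (adding a principal with a bindings file, and removing one by editing the retrieved policy) leave the editing of the policy to hand work, and both depend on the same fact: setIamPolicy replaces the whole policy, so what you PUT must be the complete, edited policy. The following Python script is an added example, not code from the Cloud Storage documentation, that performs those edits on a policy saved from a GET getIamPolicy request. The policy contents, email addresses, and file name are constructed for illustration; the principal-prefix check covers the common identifier formats only.

```python
"""Edit a Cloud Storage IAM policy retrieved with getIamPolicy so that the
complete, edited policy can be sent back with setIamPolicy.

setIamPolicy replaces the whole policy: a file that holds only the new binding
silently revokes every other grant. Fetch, edit in memory, write, then PUT.
"""
import copy
import json
import re
from typing import Optional

# Common principal identifier prefixes accepted in IAM bindings (a subset).
_MEMBER_RE = re.compile(
    r"^(allUsers|allAuthenticatedUsers|"
    r"(user|serviceAccount|group|domain|projectOwner|projectEditor|projectViewer|deleted):.+|"
    r"principal(Set)?://.+)$"
)


def validate_member(member: str) -> None:
    """Reject identifiers the API would reject (a bare email, a typo'd prefix)."""
    if not _MEMBER_RE.match(member):
        raise ValueError(f"not a valid principal identifier: {member!r}")


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of policy with member granted role. The member is merged
    into an existing unconditional binding for that role rather than added as
    a duplicate binding; conditional bindings are never merged into."""
    validate_member(member)
    if not role.startswith("roles/"):
        raise ValueError(f"role must be fully qualified, e.g. roles/storage.objectViewer: {role!r}")
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_member(policy: dict, member: str, role: Optional[str] = None) -> dict:
    """Return a copy of policy with member removed from every binding (or only
    from bindings for role). A principal can appear under the same role more
    than once when conditional bindings exist, so every binding is checked.
    Bindings left with no members are dropped. The etag is kept, so the PUT is
    rejected if someone else changed the policy in the meantime."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if role is None or b["role"] == role:
            b["members"] = [m for m in b["members"] if m != member]
        if b["members"]:
            kept.append(b)
    new["bindings"] = kept
    return new


def members_of(policy: dict) -> set:
    """(role, member) pairs, used to diff the policy before and after an edit."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b["members"]}


# Constructed sample shaped like the response of GET .../b/my-bucket/iam
# (not a real policy). Note jane appears twice under objectViewer.
SAMPLE_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/my-bucket",
    "version": 3,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:jane@example.com", "group:analysts@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:jane@example.com"],
         "condition": {"title": "expires in 2019",
                       "expression": 'request.time < timestamp("2019-01-01T00:00:00Z")'}},
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:my-project"]},
    ],
}

if __name__ == "__main__":
    granted = add_binding(SAMPLE_POLICY, "roles/storage.objectViewer",
                          "serviceAccount:reader@my-project.iam.gserviceaccount.com")
    revoked = remove_member(granted, "user:jane@example.com")
    # Show exactly which grants changed before writing the file that gets PUT.
    print("added:  ", sorted(members_of(granted) - members_of(SAMPLE_POLICY)))
    print("removed:", sorted(members_of(granted) - members_of(revoked)))
    with open("tmp-policy.json", "w") as f:  # then: curl -X PUT --data-binary @tmp-policy.json ...
        json.dump(revoked, f, indent=2)
```

Run it after saving the GET response to a file and replacing SAMPLE_POLICY with `json.load(open(...))`; the printed diff is the review step that a hand edit in a text editor does not give you. The same functions apply unchanged to a managed folder policy, which has the same shape.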
Use IAM Conditions on buckets
The following sections show you how to add and remove IAM Conditions on your buckets. To view the IAM Conditions for your bucket, see View the IAM policy for a bucket. For more information about using IAM Conditions with Cloud Storage, see Conditions.
You must enable uniform bucket-level access on the bucket before adding conditions.
Set a new condition on a bucket
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. In the list of buckets, click the name of the bucket that you want to add a new condition for.
3. In the Bucket details page, click the Permissions tab. The IAM policy that applies to the bucket appears in the Permissions section.
4. Click Grant access.
5. For New principals, fill out the principals to which you want to grant access to your bucket.
6. For each role to which you want to apply a condition:
   - Select a Role to grant the principals.
   - Click Add condition to open the Edit condition form.
   - Fill out the Title of the condition. The Description field is optional.
   - Use the Condition Builder to build your condition visually, or use the Condition Editor tab to enter the CEL expression.
   - Click Save to return to the Add principal form. To add multiple roles, click Add another role.
7. Click Save.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
1. Create a JSON or YAML file that defines the condition, including the title of the condition, the attribute-based logic expression for the condition, and, optionally, a description for the condition. Note that Cloud Storage only supports the date/time, resource type, and resource name attributes in the expression.
2. Use the buckets add-iam-policy-binding command with the --condition-from-file flag:

gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE --condition-from-file=CONDITION_FILE

Where:
- BUCKET_NAME is the name of the bucket you are granting the principal access to. For example, my-bucket.
- PRINCIPAL_IDENTIFIER identifies who the condition applies to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
- IAM_ROLE is the IAM role you are granting to the principal. For example, roles/storage.objectViewer.
- CONDITION_FILE is the file you created in the previous step.

Alternatively, you can include the condition directly in the command with the --condition flag instead of the --condition-from-file flag.
Client libraries
For more information, see the Cloud Storage API reference documentation for your client library: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Use a GET getIamPolicy request to save the bucket's IAM policy to a temporary JSON file:

curl \
  'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam' \
  --header 'Authorization: Bearer OAUTH2_TOKEN' > tmp-policy.json

Where:
- BUCKET_NAME is the name of the bucket you want to set an IAM Condition on. For example, my-bucket.
- OAUTH2_TOKEN is the access token you generated in Step 1.
3. Edit the tmp-policy.json file in a text editor to add new conditions to the bindings in the IAM policy. Keep the existing bindings in the file; the PUT in the next step replaces the whole policy.

{
  "version": VERSION,
  "bindings": [
    {
      "role": "IAM_ROLE",
      "members": [
        "PRINCIPAL_IDENTIFIER"
      ],
      "condition": {
        "title": "TITLE",
        "description": "DESCRIPTION",
        "expression": "EXPRESSION"
      }
    }
  ],
  "etag": "ETAG"
}

Where:
- VERSION is the IAM policy version, which is required to be 3 for buckets with IAM Conditions.
- IAM_ROLE is the role to which the condition applies. For example, roles/storage.objectViewer.
- PRINCIPAL_IDENTIFIER identifies who the condition applies to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
- TITLE is the title of the condition. For example, expires in 2019.
- DESCRIPTION is an optional description of the condition. For example, Permission revoked on New Year's.
- EXPRESSION is an attribute-based logic expression. For example, request.time < timestamp(\"2019-01-01T00:00:00Z\"). For more examples of expressions, see the Conditions attribute reference. Note that Cloud Storage only supports the date/time, resource type, and resource name attributes.
- Do not modify ETAG.
4. Use a PUT setIamPolicy request to set the modified IAM policy on the bucket:

curl -X PUT --data-binary @tmp-policy.json \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

Where:
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket whose IAM policy you want to modify. For example, my-bucket.
Remove a condition from a bucket
Console
1. In the Google Cloud console, go to the Cloud Storage Buckets page.
2. In the list of buckets, click the name of the bucket that you want to remove a condition from.
3. In the Bucket details page, click the Permissions tab. The IAM policy that applies to the bucket appears in the Permissions section.
4. Click the Edit icon for the principal associated with the condition.
5. In the Edit access overlay that appears, click the name of the condition you want to delete.
6. In the Edit condition overlay that appears, click Delete, then Confirm.
7. Click Save.
To learn how to get detailed error information about failed Cloud Storage operations in the Google Cloud console, see Troubleshooting.
Command line
1. Use the buckets get-iam-policy command to save the bucket's IAM policy to a temporary file:

gcloud storage buckets get-iam-policy gs://BUCKET_NAME > tmp-policy.json

By default gcloud prints the policy as YAML; add --format=json if you want the temporary file in JSON. set-iam-policy accepts either format.
2. Edit the tmp-policy.json file in a text editor to remove conditions from the IAM policy.
3. Use buckets set-iam-policy to set the modified IAM policy on the bucket:

gcloud storage buckets set-iam-policy gs://BUCKET_NAME tmp-policy.json
Code samples
For more information, see the Cloud Storage API reference documentation for your client library: C++, C#, Go, Java, Node.js, PHP, Python, or Ruby. To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Use a GET getIamPolicy request to save the bucket's IAM policy to a temporary JSON file:

curl \
  'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam' \
  --header 'Authorization: Bearer OAUTH2_TOKEN' > tmp-policy.json

Where:
- BUCKET_NAME is the name of the bucket whose IAM policy you want to modify. For example, my-bucket.
- OAUTH2_TOKEN is the access token you generated in Step 1.
3. Edit the tmp-policy.json file in a text editor to remove conditions from the IAM policy.
4. Use a PUT setIamPolicy request to set the modified IAM policy on the bucket:

curl -X PUT --data-binary @tmp-policy.json \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/iam"

Where:
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket whose IAM policy you want to modify. For example, my-bucket.
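The two procedures above for setting and removing a condition, like their managed-folder counterparts later on the page, come down to editing the conditional bindings of a retrieved policy. The following Python script is an added example, not code from the Cloud Storage documentation, that does those edits and adds two checks a practitioner wants before the PUT: it rejects expressions that reference attributes other than the date/time, resource type and resource name attributes the page says Cloud Storage supports, and it lists time-bound bindings whose deadline has already passed (the page's own example, "expires in 2019", is one). The sample policy, principals and the shape of the expiry expression it recognises are assumptions for illustration; only the `request.time < timestamp("...")` form is parsed.

```python
"""Add and remove IAM Conditions on a policy fetched from a bucket or managed
folder, and flag time-bound conditions whose deadline has already passed.

Conditional bindings need "version": 3 in the policy and the bucket must use
uniform bucket-level access. setIamPolicy replaces the whole policy, so edit
the fetched policy and send it back complete.
"""
import copy
import re
from datetime import datetime, timezone
from typing import Optional

# Attributes the documentation says Cloud Storage conditions support.
SUPPORTED_ATTRIBUTES = {"request.time", "resource.type", "resource.name"}
_ATTR_RE = re.compile(r"\b(request|resource)\.[A-Za-z_]+")
# Only the simple expiry form shown on the page is recognised here.
_EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def _parse_utc(ts: str) -> datetime:
    """Parse the RFC 3339 UTC form used in condition expressions."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unsupported_attributes(expression: str) -> set:
    """Attribute references in a CEL expression that Cloud Storage does not support."""
    return {m.group(0) for m in _ATTR_RE.finditer(expression)} - SUPPORTED_ATTRIBUTES


def add_conditional_binding(policy: dict, role: str, member: str, title: str,
                            expression: str, description: Optional[str] = None) -> dict:
    """Return a copy of policy with a new conditional binding and version 3.

    A conditional grant is kept as its own binding: merging it into an
    unconditional binding for the same role would drop the condition and widen
    access. A binding with the identical condition is reused instead.
    """
    bad = unsupported_attributes(expression)
    if bad:
        raise ValueError(f"unsupported attributes in condition: {sorted(bad)}")
    condition = {"title": title, "expression": expression}
    if description:
        condition["description"] = description
    new = copy.deepcopy(policy)
    new["version"] = 3
    for b in new.setdefault("bindings", []):
        if b["role"] == role and b.get("condition") == condition:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member], "condition": condition})
    return new


def remove_condition(policy: dict, title: str) -> dict:
    """Return a copy of policy without the bindings whose condition has this title.

    The whole conditional binding is dropped, which revokes the grant. Deleting
    only the "condition" key would turn a limited grant into a permanent one.
    """
    new = copy.deepcopy(policy)
    new["bindings"] = [b for b in new.get("bindings", [])
                       if b.get("condition", {}).get("title") != title]
    return new


def expired_conditions(policy: dict, now: Optional[str] = None) -> list:
    """(role, title, deadline) for bindings of the form
    request.time < timestamp("...") whose deadline is not in the future.
    Such bindings grant nothing any more and are cleanup debt. `now` is an
    RFC 3339 UTC string; it defaults to the current time."""
    current = _parse_utc(now) if now else datetime.now(timezone.utc)
    found = []
    for b in policy.get("bindings", []):
        cond = b.get("condition")
        if not cond:
            continue
        m = _EXPIRY_RE.search(cond.get("expression", ""))
        if m and _parse_utc(m.group(1)) <= current:
            found.append((b["role"], cond.get("title", ""), m.group(1)))
    return found


# Constructed policy, shaped like the response of GET .../b/my-bucket/iam.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CAI=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"]},
    ],
}

if __name__ == "__main__":
    p = add_conditional_binding(
        SAMPLE_POLICY, "roles/storage.objectViewer", "user:jane@example.com",
        "expires in 2019", 'request.time < timestamp("2019-01-01T00:00:00Z")',
        "Permission revoked on New Year's")
    print("version:", p["version"], "bindings:", len(p["bindings"]))
    print("expired:", expired_conditions(p))
    print("after removal:", len(remove_condition(p, "expires in 2019")["bindings"]))
```

The `expired_conditions` check is worth running over every bucket and managed-folder policy you own on a schedule: an expired binding is harmless on its own, but it hides the principals that still have live access when you read the policy by eye.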
Use IAM with managed folders
The following sections show how to complete basic IAM tasks on managed folders.
Required roles
To get the permissions that you need to set and manage IAM policies for managed folders, ask your administrator to grant you the Storage Legacy Bucket Owner (roles/storage.legacyBucketOwner) IAM role for the bucket that contains the managed folders.
This role contains the following permissions, which are required to set and manage IAM policies for managed folders:
storage.managedfolders.getIamPolicy
storage.managedfolders.setIamPolicy
You can also get these permissions with custom roles.
For information about granting roles for buckets, see Use IAM with buckets.
Set an IAM policy on a managed folder
Command line
1. Create a JSON file that contains the following information:

{
  "bindings": [
    {
      "role": "IAM_ROLE",
      "members": [
        "PRINCIPAL_IDENTIFIER"
      ]
    }
  ]
}

Where:
- IAM_ROLE is the IAM role you are granting. For example, roles/storage.objectViewer.
- PRINCIPAL_IDENTIFIER identifies who you are granting managed folder access to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
2. Use the gcloud alpha storage managed-folders set-iam-policy command:

gcloud alpha storage managed-folders set-iam-policy gs://BUCKET_NAME/MANAGED_FOLDER_NAME POLICY_FILE

Where:
- BUCKET_NAME is the name of the bucket that contains the managed folder to which you want to apply the IAM policy. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder to which you want to apply the IAM policy. For example, my-managed-folder/.
- POLICY_FILE is the path to the JSON file you created in step 1.

set-iam-policy replaces the managed folder's entire IAM policy with the contents of POLICY_FILE. To add a binding while keeping the existing ones, retrieve the current policy with managed-folders get-iam-policy, add the binding to it, and set the complete policy.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Create a JSON file that contains the following information:

{
  "bindings": [
    {
      "role": "IAM_ROLE",
      "members": [
        "PRINCIPAL_IDENTIFIER"
      ]
    }
  ]
}

Where:
- IAM_ROLE is the IAM role you are granting. For example, roles/storage.objectViewer.
- PRINCIPAL_IDENTIFIER identifies who you are granting managed folder access to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.

The PUT in the next step replaces the managed folder's entire IAM policy with this file, so include any existing bindings you want to keep.
3. Use cURL to call the JSON API with a PUT setIamPolicy request:

curl -X PUT --data-binary @POLICY_FILE \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"

Where:
- POLICY_FILE is the path to the JSON policy file that you created in Step 2.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket that contains the managed folder to which you want to apply the IAM policy. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder to which you want to give the principal access. For example, my-managed-folder/.
View the IAM policy for a managed folder
Command line
Use the gcloud alpha storage managed-folders get-iam-policy command:

gcloud alpha storage managed-folders get-iam-policy gs://BUCKET_NAME/MANAGED_FOLDER_NAME

Where:
- BUCKET_NAME is the name of the bucket that contains the managed folder whose IAM policy you want to view. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder whose IAM policy you want to view. For example, my-managed-folder/.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Use cURL to call the JSON API with a GET getIamPolicy request:

curl -X GET \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"

Where:
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket that contains the managed folder whose IAM policy you want to view. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder whose IAM policy you want to view. For example, my-managed-folder/.
Remove a principal from a managed folder policy
Command line
Use the gcloud alpha storage managed-folders remove-iam-policy-binding command:

gcloud alpha storage managed-folders remove-iam-policy-binding gs://BUCKET_NAME/MANAGED_FOLDER_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE

Where:
- BUCKET_NAME is the name of the bucket that contains the managed folder you are revoking access to. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder whose IAM policy you want to modify. For example, my-managed-folder/.
- PRINCIPAL_IDENTIFIER identifies who you are revoking access from. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
- IAM_ROLE is the IAM role you are revoking. For example, roles/storage.objectViewer.
REST APIs
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
2. Get the existing policy applied to your managed folder. To do so, use cURL to call the JSON API with a GET getIamPolicy request:

curl -X GET \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"

Where:
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket that contains the managed folder you are revoking access to. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder whose IAM policy you want to modify. For example, my-managed-folder/.
3. Create a JSON file that contains the policy you retrieved in the previous step.
4. Edit the JSON file to remove the principal from the policy. Remove the principal from every binding in which it appears, including conditional bindings, and keep the etag.
5. Use cURL to call the JSON API with a PUT setIamPolicy request:

curl -X PUT --data-binary @JSON_FILE_NAME \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"

Where:
- JSON_FILE_NAME is the path for the file that you created in Step 3.
- OAUTH2_TOKEN is the access token you generated in Step 1.
- BUCKET_NAME is the name of the bucket that contains the managed folder you are revoking access to. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder whose IAM policy you want to modify. For example, my-managed-folder/.
Use IAM Conditions on managed folders
The following sections show you how to add and remove IAM Conditions on your managed folders. To view the IAM Conditions for your managed folders, see View the IAM policy for a managed folder. For more information about using IAM Conditions with Cloud Storage, see Conditions.
You must enable uniform bucket-level access on the bucket before adding conditions to managed folders.
Set a new condition on a managed folder
Command line
1. Create a JSON or YAML file that defines the condition, including the title of the condition, the attribute-based logic expression for the condition, and, optionally, a description for the condition. Note that Cloud Storage only supports the date/time, resource type, and resource name attributes in the expression.
2. Use the gcloud alpha storage managed-folders add-iam-policy-binding command with the --condition-from-file flag:

gcloud alpha storage managed-folders add-iam-policy-binding gs://BUCKET_NAME/MANAGED_FOLDER_NAME --member=PRINCIPAL_IDENTIFIER --role=IAM_ROLE --condition-from-file=CONDITION_FILE

Where:
- BUCKET_NAME is the name of the bucket that contains the managed folder to which you are granting the principal access. For example, my-bucket.
- MANAGED_FOLDER_NAME is the name of the managed folder to which you are granting the principal access. For example, my-managed-folder/.
- PRINCIPAL_IDENTIFIER identifies who the condition applies to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
- IAM_ROLE is the IAM role you are granting to the principal. For example, roles/storage.objectViewer.
- CONDITION_FILE is the file you created in the previous step.

Alternatively, you can include the condition directly in the command with the --condition flag instead of the --condition-from-file flag.
REST APIs
JSON
- Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
- Use a GET getIamPolicy request to save the managed folder's IAM policy to a temporary JSON file:
curl \
  'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam' \
  --header 'Authorization: Bearer OAUTH2_TOKEN' > tmp-policy.json
Where:
OAUTH2_TOKEN is the access token you generated in Step 1.
BUCKET_NAME is the name of the bucket that contains the managed folder you want to set an IAM Condition on.
MANAGED_FOLDER_NAME is the name of the managed folder you want to set an IAM Condition on.
- Edit the tmp-policy.json file in a text editor to add new conditions to the bindings in the IAM policy:
{
  "version": VERSION,
  "bindings": [
    {
      "role": "IAM_ROLE",
      "members": [
        "PRINCIPAL_IDENTIFIER"
      ],
      "condition": {
        "title": "TITLE",
        "description": "DESCRIPTION",
        "expression": "EXPRESSION"
      }
    }
  ],
  "etag": "ETAG"
}
Where:
VERSION is the IAM policy version, which is required to be 3 for managed folders with IAM Conditions.
IAM_ROLE is the role to which the condition applies. For example, roles/storage.objectViewer.
PRINCIPAL_IDENTIFIER identifies who the condition applies to. For example, user:jane@gmail.com. For a list of principal identifier formats, see Principal identifiers.
TITLE is the title of the condition. For example, expires in 2019.
DESCRIPTION is an optional description of the condition. For example, Permission revoked on New Year's.
EXPRESSION is an attribute-based logic expression. For example, request.time < timestamp(\"2019-01-01T00:00:00Z\"). For more examples of expressions, see the Conditions attribute reference. Note that Cloud Storage only supports the date/time, resource type, and resource name attributes.
Do not modify ETAG.
- Use a PUT setIamPolicy request to set the modified IAM policy on the managed folder:
curl -X PUT --data-binary @tmp-policy.json \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"
Where:
OAUTH2_TOKEN is the access token you generated in Step 1.
BUCKET_NAME is the name of the bucket that contains the managed folder you want to set an IAM Condition on.
MANAGED_FOLDER_NAME is the name of the managed folder you want to set an IAM Condition on.
Remove a condition from a managed folder
Command line
- Use the gcloud alpha storage managed-folders get-iam-policy command to save the managed folder's IAM policy to a temporary JSON file:
gcloud alpha storage managed-folders get-iam-policy gs://BUCKET_NAME/MANAGED_FOLDER_NAME > tmp-policy.json
- Edit the tmp-policy.json file in a text editor to remove conditions from the IAM policy.
- Use the gcloud alpha storage managed-folders set-iam-policy command to set the modified IAM policy on the managed folder:
gcloud alpha storage managed-folders set-iam-policy gs://BUCKET_NAME/MANAGED_FOLDER_NAME tmp-policy.json
REST APIs
JSON
- Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
- Use a GET getIamPolicy request to save the managed folder's IAM policy to a temporary JSON file:
curl \
  'https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam' \
  --header 'Authorization: Bearer OAUTH2_TOKEN' > tmp-policy.json
Where:
BUCKET_NAME is the name of the bucket that contains the managed folder you are changing access to. For example, my-bucket.
MANAGED_FOLDER_NAME is the name of the managed folder you are changing access to. For example, my-managed-folder/.
OAUTH2_TOKEN is the access token you generated in Step 1.
- Edit the tmp-policy.json file in a text editor to remove conditions from the IAM policy.
- Use a PUT setIamPolicy request to set the modified IAM policy on the managed folder:
curl -X PUT --data-binary @tmp-policy.json \
  -H "Authorization: Bearer OAUTH2_TOKEN" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/b/BUCKET_NAME/managedFolders/MANAGED_FOLDER_NAME/iam"
Where:
OAUTH2_TOKEN is the access token you generated in Step 1.
BUCKET_NAME is the name of the bucket that contains the managed folder you are changing access to. For example, my-bucket.
MANAGED_FOLDER_NAME is the name of the managed folder you are changing access to. For example, my-managed-folder/.
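Both the add-condition and remove-condition procedures above leave the edit of tmp-policy.json to a text editor. The following is an added example, not from the Cloud Storage documentation, that applies those edits in Python to the saved getIamPolicy response; the function names and the sample policy are constructed, while the role, principal, title and expression values are the ones this page uses.

```python
# Added example (not from the Cloud Storage docs): the "edit tmp-policy.json"
# step done in code. Input is a getIamPolicy response; output goes back to
# setIamPolicy / set-iam-policy. Function names and sample data are constructed.
import copy
import re

CONDITION_POLICY_VERSION = 3  # required for managed folders with conditions
# Attributes Cloud Storage evaluates in condition expressions (per the page).
SUPPORTED_ATTRIBUTES = {"request.time", "resource.type", "resource.name"}


def check_expression(expression):
    """Reject an expression that references attributes Cloud Storage ignores."""
    attrs = {f"{ns}.{name}" for ns, name in
             re.findall(r"\b(request|resource)\.([A-Za-z_]+)", expression)}
    unsupported = sorted(attrs - SUPPORTED_ATTRIBUTES)
    if unsupported:
        raise ValueError(f"unsupported condition attributes: {unsupported}")


def add_conditional_binding(policy, role, member, title, expression,
                            description=None):
    """Return a copy of the policy with a new conditional binding appended.
    Not merged into an existing binding for the same role: a condition
    applies to every member of its binding. The etag is kept unchanged.
    """
    check_expression(expression)
    new_policy = copy.deepcopy(policy)
    condition = {"title": title, "expression": expression}
    if description:
        condition["description"] = description
    new_policy["version"] = CONDITION_POLICY_VERSION
    new_policy.setdefault("bindings", []).append(
        {"role": role, "members": [member], "condition": condition})
    return new_policy


def remove_conditional_bindings(policy, title=None):
    """Return a copy without conditional bindings (all, or those titled TITLE).
    The whole binding is dropped, not just its "condition" key: deleting only
    the key would silently turn a time-limited grant into a permanent one.
    """
    new_policy = copy.deepcopy(policy)
    new_policy["bindings"] = [
        b for b in new_policy.get("bindings", [])
        if "condition" not in b
        or (title is not None and b["condition"].get("title") != title)]
    return new_policy


# Constructed sample of a getIamPolicy response; the etag is a placeholder.
SAMPLE_POLICY = {"version": 1, "etag": "ETAG_PLACEHOLDER", "bindings": [
    {"role": "roles/storage.objectAdmin", "members": ["group:admins@example.com"]}]}
```

Write the returned dict to tmp-policy.json with json.dump and submit it with the setIamPolicy request or set-iam-policy command shown above.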
Use IAM with projects
See Manage access to projects, managed folders, and organizations for guides about granting and revoking IAM roles at the project level and above.
Best practices
You should set the minimum permission possible that gives the principal the required access. For example, if a team member only needs to read objects stored in a bucket, select the Storage Object Viewer role. Similarly, if the team member needs full control of objects in the bucket (but not control of the bucket itself), select Storage Object Admin.
What's next
- Learn how to publicly share your data.
- See specific Sharing and collaboration examples.
- Learn about best practices when using IAM.
- Learn how to use role recommendations for buckets.
- To troubleshoot failed operations related to IAM roles and permissions, see Troubleshooting.