This page describes how to control access to buckets and objects using Cloud Identity and Access Management (Cloud IAM) permissions. Cloud IAM allows you to control who has access to your buckets and objects. To learn more about Cloud IAM for Cloud Storage, see the Overview of Cloud IAM.
To learn about other ways to control access to buckets and objects, read Overview of Access Control. To learn about controlling access to individual objects in your buckets, see Access Control Lists.
Using Cloud IAM with buckets
The following sections show how to complete basic Cloud IAM tasks on buckets.
Adding a member to a bucket-level policy
For a list of roles associated with Cloud Storage, see Cloud IAM Roles. For information on entities to which you grant Cloud IAM roles, see Member Types.
Console
1. Open the Cloud Storage browser in the Google Cloud Console.
2. Click the drop-down menu associated with the bucket to which you want to grant a member a role. The drop-down menu appears as three vertical dots to the far right of the bucket's row.
3. Choose Edit bucket permissions.
4. In the Add members field, enter one or more identities that need access to your bucket.
5. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
6. Click Add.
gsutil
Use the gsutil iam ch command:

    gsutil iam ch [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE] gs://[BUCKET_NAME]

Where:
- [MEMBER_TYPE] is the type of member to which you are granting bucket access. For example, user.
- [MEMBER_NAME] is the name of the member to which you are granting bucket access. For example, jane@gmail.com.
- [IAM_ROLE] is the IAM role you are granting to the member. For example, roles/storage.objectCreator.
- [BUCKET_NAME] is the name of the bucket to which you are granting the member access. For example, my-bucket.

For more examples of how to format [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE], see the gsutil iam ch reference page.
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
2. Create a .json file that contains the following information:

    {
      "bindings": [
        {
          "role": "[IAM_ROLE]",
          "members": [
            "[MEMBER_NAME]"
          ]
        }
      ]
    }

   Where:
   - [IAM_ROLE] is the IAM role you are granting to the member. For example, roles/storage.objectCreator.
   - [MEMBER_NAME] is the type and name of the member to which you are granting bucket access. For example, user:jane@gmail.com.
3. Use cURL to call the JSON API with a PUT setIamPolicy request:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

   Where:
   - [JSON_FILE_NAME] is the name of the file you created in Step 2.
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [BUCKET_NAME] is the name of the bucket to which you want to give the member access. For example, my-bucket.
Viewing the Cloud IAM policy for a bucket
Console
1. Open the Cloud Storage browser in the Google Cloud Console.
2. Click the drop-down menu associated with the bucket whose role members you want to view. The drop-down menu appears as three vertical dots to the far right of the bucket name.
3. Choose Edit bucket permissions.
4. Expand the desired role to view the members who have been assigned to it.
5. (Optional) Use the search bar to filter your results by role or member. If you search by member, your results display each role that the member is assigned to.
gsutil
Use the gsutil iam get command:

    gsutil iam get gs://[BUCKET_NAME]

Where [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to view. For example, my-bucket.
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
2. Use cURL to call the JSON API with a GET getIamPolicy request:

    curl -X GET \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

   Where:
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to view. For example, my-bucket.
Removing a member from a bucket-level policy
Console
1. Open the Cloud Storage browser in the Google Cloud Console.
2. Click the drop-down menu associated with the bucket from which you want to remove a member's role. The drop-down menu appears as three vertical dots to the far right of the bucket name.
3. Choose Edit bucket permissions.
4. Expand the role that contains the member you are removing.
5. Hover over the member and click on the trash icon that appears.
6. In the overlay window that appears, click Remove.
gsutil
Use the gsutil iam ch command with the -d flag:

    gsutil iam ch -d [MEMBER_TYPE]:[MEMBER_NAME] gs://[BUCKET_NAME]

Where:
- [MEMBER_TYPE] is the type of the member you are removing from the policy. For example, user.
- [MEMBER_NAME] is the name of the member you are removing from the policy. For example, jane@gmail.com.
- [BUCKET_NAME] is the name of the bucket from which you are removing member access. For example, my-bucket.

For more examples of how to format [MEMBER_TYPE]:[MEMBER_NAME], see the gsutil iam ch reference page.
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
2. Get the existing policy applied to your bucket. To do so, use cURL to call the JSON API with a GET getIamPolicy request:

    curl -X GET \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

   Where:
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [BUCKET_NAME] is the name of the bucket whose Cloud IAM policy you want to view. For example, my-bucket.
3. Create a .json file that contains the policy you retrieved in the previous step.
4. Edit the .json file to remove the member from the policy.
5. Use cURL to call the JSON API with a PUT setIamPolicy request:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://storage.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

   Where:
   - [JSON_FILE_NAME] is the name of the file you created in Step 3.
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [BUCKET_NAME] is the name of the bucket from which you want to remove member access. For example, my-bucket.
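The JSON steps for adding and removing a bucket member edit the policy document by hand. The following Python, added here as an example and not code from this page or from Google's client libraries, does the same edit on the policy returned by getIamPolicy: it parses the gsutil-style [MEMBER_TYPE]:[MEMBER_NAME]:[IAM_ROLE] spec, adds a member without creating a duplicate binding, and removes a member from every binding while keeping the policy's etag so that a later setIamPolicy is rejected if the policy changed in between. The sample policy is constructed; the group member and the resourceId value are assumed.

```python
import copy


def parse_member_spec(spec):
    """Split a gsutil-style TYPE:NAME[:ROLE] spec into (member, role).

    member is "TYPE:NAME" as used in bindings[].members of the JSON API;
    role is None when the spec has no role (the form used with -d).
    """
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad member spec: {spec!r}")
    role = parts[2] if len(parts) == 3 else None
    return f"{parts[0]}:{parts[1]}", role


def add_member(policy, member, role):
    """Return a copy of policy granting role to member.

    Reuses an existing unconditional binding for the role instead of
    appending a second one; bindings that carry a condition are left alone.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def remove_member(policy, member):
    """Return a copy of policy with member dropped from every binding.

    Bindings left with no members are removed; the etag is kept so the
    PUT fails if someone else modified the policy after it was fetched.
    """
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


# Constructed sample in the shape getIamPolicy returns for a bucket.
SAMPLE_POLICY = {
    "kind": "storage#policy",
    "resourceId": "projects/_/buckets/my-bucket",
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:jane@gmail.com", "group:team@example.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["user:jane@gmail.com"]},
    ],
}
```

Write the returned dictionary to the .json file with json.dump and send it with the PUT setIamPolicy request shown above; the same functions work on a project policy, whose bindings array has the same shape.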
Using Cloud IAM with projects
The following sections show how to complete basic Cloud IAM tasks on projects. Note that these tasks use a separate command line command, gcloud, and a separate endpoint, cloudresourcemanager.googleapis.com, compared to most Cloud Storage tasks.
Adding a member to a project-level policy
For a list of roles associated with Cloud Storage, see Cloud IAM Roles. For information on entities to which you grant Cloud IAM roles, see Member Types.
Console
1. Open the IAM & Admin browser in the Google Cloud Console.
2. Select the project to which you want to add a member.
3. In the Add members dialog, specify the name of the entity to which you are granting access.
4. In the Select a role drop-down, set the appropriate permissions for the team member. Roles that affect Cloud Storage buckets and objects are found in the Project and Storage submenus.
5. Click Add.
gsutil
Project-level Cloud IAM policies are managed through the gcloud command, which is part of the Google Cloud SDK. To add a project-level policy binding, use gcloud beta projects add-iam-policy-binding.
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
2. Create a .json file that contains the following information (bindings and members are arrays, as in the bucket-level policy):

    {
      "policy": {
        "version": 0,
        "bindings": [
          {
            "role": "[IAM_ROLE]",
            "members": [
              "[MEMBER_NAME]"
            ]
          }
        ]
      }
    }

   Where:
   - [IAM_ROLE] is the IAM role you are granting the member. For example, roles/storage.objectCreator.
   - [MEMBER_NAME] is the type and name of the member to which you are granting project access. For example, user:jane@gmail.com.
3. Use cURL to call the Resource Manager API with a POST setIamPolicy request:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"

   Where:
   - [JSON_FILE_NAME] is the name of the file you created in Step 2.
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [PROJECT_NAME] is the name of the project to which you are granting member access. For example, my-project.
Viewing the Cloud IAM policy for a project
Console
1. Open the IAM & Admin browser in the Google Cloud Console.
2. Select the project whose policy you want to view.
3. Use the drop-down associated with individual roles to see which members have the role, or use the Search members dialog to filter your results.
gsutil
Project-level Cloud IAM policies are managed through the gcloud command, which is part of the Google Cloud SDK. To view the Cloud IAM policy of a project, use the gcloud beta projects get-iam-policy command.
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
2. Use cURL to call the Resource Manager API with a POST getIamPolicy request:

    curl -X POST \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Length: 0" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

   Where:
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [PROJECT_NAME] is the name of the project whose Cloud IAM policy you want to view. For example, my-project.
Removing a member from a project-level policy
Console
1. Open the IAM & Admin browser in the Google Cloud Console.
2. Select the project from which you want to remove a member.
3. In the Search members dialog, specify the name of the member whose access you are removing.
4. In the results below the search, hover over the member you are removing and click on the trash icon that appears.
5. In the overlay window that appears, click Remove.
gsutil
Project-level Cloud IAM policies are managed through the gcloud command, which is part of the Google Cloud SDK. To remove a project-level policy binding, use gcloud beta projects remove-iam-policy-binding.
JSON
1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
2. Get the existing policy applied to your project. To do so, use cURL to call the Resource Manager API with a POST getIamPolicy request:

    curl -X POST \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Length: 0" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

   Where:
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [PROJECT_NAME] is the name of the project from which you want to remove member access. For example, my-project.
3. Create a .json file that contains the policy you retrieved in the previous step.
4. Edit the .json file to remove the member from the policy.
5. Use cURL to call the Resource Manager API with a POST setIamPolicy request:

    curl -X POST --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"

   Where:
   - [JSON_FILE_NAME] is the name of the file you created in Step 3.
   - [OAUTH2_TOKEN] is the access token you generated in Step 1.
   - [PROJECT_NAME] is the name of the project from which you want to remove member access. For example, my-project.
What's next
- Learn how to publicly share your data.
- Learn more about Cloud IAM in Cloud Storage.
- Learn about options to control access to your data.