Buckets: getIamPolicy

Returns an Identity and Access Management (IAM) policy for the specified bucket. Try it now.

The authenticated user must have sufficient permission to use this method.

Request

HTTP request

GET https://storage.googleapis.com/storage/v1/b/bucket/iam

In addition to standard query parameters, the following query parameters apply to this method:

Parameters

Parameter name	Value	Description
Path parameters
`bucket`	`string`	Name of a bucket.
`optionsRequestedPolicyVersion`	`int`	The IAM policy version to be returned. If the optionsRequestedPolicyVersion is for an older version that doesn't support part of the requested IAM policy, the request fails. Required to be 3 or greater for buckets with IAM Conditions.

Request body

Do not supply a request body with this method.

Response

If successful, this method returns a response body with the following structure:

{
  "version": int,
  "kind": "storage#policy",
  "resourceId": string,
  "bindings": [
    {
      "role": string,
      "members": [
        string
      ],
      "condition": {
        "title": string,
        "description": string,
        "expression": RFC 3339 format string
      }
    }
  ],
  "etag": bytes
}

Property name	Value	Description	Notes
`version`	`int`	The IAM policy version.
`kind`	`string`	The kind of item this is. For policies, this field is ignored in a request and is `storage#policy` in a response.
`resourceId`	`string`	The ID of the resource to which this policy belongs. The response for this field is of the form `projects/_/buckets/bucket`. This field is ignored in a request.
`bindings[]`	`list`	An association between a role, which comes with a set of permissions, and members who may assume that role.
`bindings[].role`	`string`	The role to which members belong. Two types of roles are supported: standard IAM roles, which grant permissions that do not map directly to those provided by ACLs, and legacy IAM roles, which do map directly to ACL permissions. All roles are of the format `roles/storage.specificRole`. See Cloud Storage IAM Roles for a list of available roles.
`bindings[].members[]`	`list`	A collection of identifiers for members who may assume the provided role. Recognized identifiers are as follows: `allUsers` — A special identifier that represents anyone on the internet; with or without a Google account. `allAuthenticatedUsers` — A special identifier that represents anyone who is authenticated with a Google account or a service account. `user:emailid` — An email address that represents a specific account. For example, `user:alice@gmail.com` or `user:joe@example.com`. `serviceAccount:emailid` — An email address that represents a service account. For example, `serviceAccount:my-other-app@appspot.gserviceaccount.com`. `group:emailid` — An email address that represents a Google group. For example, `group:admins@example.com`. `domain:domain` — A G Suite domain name that represents all the users of that domain. For example, `domain:google.com` or `domain:example.com`. `projectOwner:projectid` — Owners of the given project. For example, `projectOwner:my-example-project` `projectEditor:projectid` — Editors of the given project. For example, `projectEditor:my-example-project` `projectViewer:projectid` — Viewers of the given project. For example, `projectViewer:my-example-project`
`bindings[].condition`	`object`	A condition object associated with this binding. Each role binding can only contain one condition.	optional
`bindings[].condition.title`	`string`	Title of the condition. For example, `"expires_end_of_2018"`.
`bindings[].condition.description`	`string`	Optional description of the condition. For example, `"Expires at midnight on 2018-12-31"`.	optional
`bindings[].condition.expression`	`string`	Attribute-based logic expression using a subset of the Common Expression Language (CEL). For example, `"request.time < timestamp('2019-01-01T00:00:00Z')"`.
`etag`	`bytes`	HTTP 1.1 Entity tag for the policy.	writable

Try it!

Use the APIs Explorer below to call this method on live data and see the response.