Managed folders

This page provides an overview of managed folders in Cloud Storage, which exist as a resource and are different from simulated folders.

You can apply Identity and Access Management (IAM) policies to managed folders to grant principles access only to the objects within the managed folder, which lets you more finely control access for specific data sets and tables within a bucket. You can nest managed folders up to 7 levels deep, including the parent managed folder.

Managed folders can only be created in buckets that have uniform bucket-level access enabled.

IAM for managed folders

When you apply an IAM policy on a managed folder, the access granted in the policy also applies to any object within that bucket that has the managed folder's name as a prefix. For example, if you grant a principal the Storage Object Viewer (roles/storage.objectViewer) role on a managed folder named example-bucket/example-managed-folder/, the principal can view any object within example-managed-folder (such as example-bucket/example-managed-folder/example-object.txt). When you nest managed folders, the permissions granted through IAM policies are applied additively.

Read the following pages for more information about managed folders:

Managed folder names

The name you give to a managed folder must meet the following requirements:

  • Managed folder names can contain any sequence of valid Unicode characters, of length 1-700 bytes when UTF-8 encoded.

  • Managed folder names cannot contain Carriage Return or Line Feed characters.

  • Managed folder names must end with /. At most, a managed folder name can have 7 /s. In other words, you can nest up to 7 managed folders.

  • Managed folder names cannot start with .well-known/acme-challenge/.

  • Managed folders cannot be named . or ...

It is strongly recommended that you avoid the following in your managed folder names:

  • Control characters that are illegal in XML 1.0 (#x7F–#x84 and #x86–#x9F): these characters cause XML listing issues when you try to list your managed folders.

  • The [, ], *, or ? characters: the Google Cloud CLI interprets these characters as wildcards, so including them in managed folder names can make it difficult or impossible to perform wildcard operations with the tool. Additionally, * and ? are not valid characters for file names in Windows.

  • Sensitive or personally identifiable information (PII): managed folder names are more broadly visible than object data. For example, managed folder names appear in URLs for the object and when listing objects in a bucket.


When working with managed folders, note the following considerations:

  • Managed folders can be created in place of simulated folders, which means that you can create a managed folder and name it after an object's prefix, as long as there isn't already a managed folder using that name. For example, you can create a managed folder named my-folder/, even if you have an existing object named my-folder/object.txt. Note that the IAM policy on the managed folder my-folder/ will then apply to all objects that has my-folder/ as a name prefix.

  • You can create "child" managed folders before the "parent" folder is created. For example, you can create a managed folder named my-folder-A/my-folder-B/ without first creating a managed folder named my-folder-A/.

What's next